Malware Analysis Report

2025-01-19 05:18

Sample ID 220602-lmvbrsadgl
Target 9FFDA0C1E8E9E9C63C5219941F3F72F04EF8027B2ED8443498100DF27E00B8B0.apk
SHA256 9ffda0c1e8e9e9c63c5219941f3f72f04ef8027b2ed8443498100df27e00b8b0
Tags
cerberus banker evasion infostealer rat trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 9FFDA0C1E8E9E9C63C5219941F3F72F04EF8027B2ED8443498100DF27E00B8B0.apk was found to be: Known bad.

Malicious Activity Summary

Cerberus

Makes use of the framework's Accessibility service.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-06-02 09:39

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-02 09:39

Reported

2022-06-02 09:43

Platform

android-x64-20220310-en

Max time kernel

600574s

Max time network

172s

Command Line

njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json | N/A | N/A
N/A | /data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/oat/CLgH.json.cur.prof
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/variations_seed_new
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/shared_prefs/WebViewChromiumPrefs.xml
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/variations_stamp
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/webview_data.lock
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/metrics_guid
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/metrics_guid
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/Web Data
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/Web Data-journal
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/cache/org.chromium.android_webview/Code Cache/js/index
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/cache/org.chromium.android_webview/Code Cache/js/index-dir/temp-index
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/GPUCache/index
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/GPUCache/index-dir/temp-index
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/cache/WebView/Crashpad/settings.dat
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/.com.google.Chrome.M0QYJz

Analysis: behavioral3

Detonation Overview

Submitted

2022-06-02 09:39

Reported

2022-06-02 09:42

Platform

android-x64-arm64-20220310-en

Max time kernel

600539s

Max time network

168s

Command Line

njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json | N/A | N/A
N/A | /data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:853 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
NL | 142.251.36.42:80 | play.googleapis.com | tcp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
NL | 142.251.36.8:443 | | tcp

Files

/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/oat/CLgH.json.cur.prof
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/variations_seed_new
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/variations_stamp
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/shared_prefs/WebViewChromiumPrefs.xml
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/webview_data.lock
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/Default/Web Data
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/Default/Web Data-journal
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/cache/WebView/Default/HTTP Cache/Code Cache/js/index
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/Default/GPUCache/index
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/Default/GPUCache/index-dir/temp-index
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/cache/WebView/font_unique_name_table.pb
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/cache/WebView/Crashpad/settings.dat
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_webview/.com.google.Chrome.gJ1wnD

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-02 09:39

Reported

2022-06-02 09:42

Platform

android-x86-arm-20220310-en

Max time kernel

604156s

Max time network

165s

Command Line

njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json | N/A | N/A
N/A | /data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json | N/A | N/A
N/A | /data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/oat/x86/CLgH.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json.x86.flock
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/oat/x86/CLgH.vdex
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/oat/x86/CLgH.odex
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/CLgH.json
/data/user/0/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/app_DynamicOptDex/oat/CLgH.json.cur.prof