Malware Analysis Report

2025-01-19 05:14

Sample ID 220602-lmwjtsegf8
Target 2B43AF46398ECE7B9E1E41BB7C2E2FF3EC227EDB38283BEA7622115BB76A7823.apk
SHA256 2b43af46398ece7b9e1e41bb7c2e2ff3ec227edb38283bea7622115bb76a7823
Tags
cerberus banker evasion infostealer rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2b43af46398ece7b9e1e41bb7c2e2ff3ec227edb38283bea7622115bb76a7823

Threat Level: Known bad

The file 2B43AF46398ECE7B9E1E41BB7C2E2FF3EC227EDB38283BEA7622115BB76A7823.apk was found to be: Known bad.

Malicious Activity Summary

cerberus banker evasion infostealer rat trojan

Cerberus

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Removes a system notification.

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-06-02 09:39

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-02 09:39

Reported

2022-06-02 09:42

Platform

android-x86-arm-20220310-en

Max time kernel

600527s

Max time network

108s

Command Line

com.ytnfrar.rtom

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes a system notification.

evasion
Description | Indicator | Process | Target
Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.ytnfrar.rtom

Network

Country | Destination | Domain | Proto
NL | 142.251.39.106:80 | play.googleapis.com | tcp
US | 1.1.1.1:53 | alt8-mtalk.google.com | udp
US | 64.233.171.188:5228 | alt8-mtalk.google.com | tcp
NL | 172.217.168.227:80 | N/A | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
NL | 142.250.179.174:443 | N/A | udp
US | 1.1.1.1:53 | alt1-mtalk.google.com | udp
US | 142.250.150.188:5228 | alt1-mtalk.google.com | tcp
US | 1.1.1.1:853 | N/A | tcp
US | 1.1.1.1:853 | N/A | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.250.179.142:443 | android.apis.google.com | tcp
NL | 142.250.179.164:80 | N/A | tcp
NL | 142.251.36.36:80 | N/A | tcp
NL | 172.217.168.227:80 | N/A | tcp
US | 1.1.1.1:53 | lanadelrey.top | udp

Files

/data/user/0/com.ytnfrar.rtom/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ytnfrar.rtom/shared_prefs/WebViewChromiumPrefs.xml

MD5 21223e9184445fe043476484cd8cb1f9
SHA1 2b4813f849121d60ba35eb0889080668bb62c778
SHA256 bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af
SHA512 be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

/data/user/0/com.ytnfrar.rtom/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ytnfrar.rtom/app_webview/webview_data.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ytnfrar.rtom/app_webview/Web Data

MD5 dc79f9ce5f3ab5270b33e61119dfc959
SHA1 1844bf222a5144b513dcf2fb50a18c011701c647
SHA256 47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65
SHA512 18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

/data/user/0/com.ytnfrar.rtom/app_webview/Web Data-journal

MD5 654c960c24702739b79921b171892e49
SHA1 e919da8119f951a9c139931246ee04c8dc2463ed
SHA256 799c703acd41d39006cf61a2b6ac3c19d555f6304bb61b0c986dff9459c08c61
SHA512 42cac057eaa461dff4a2636ff5b5effeb70f85850c18b11ab33dd736b7a256565b9c73ff12aceea4b4a177bba8fdc960c3e359da8b3b843c4ecbb0d1955dd8af

/data/user/0/com.ytnfrar.rtom/app_webview/metrics_guid

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ytnfrar.rtom/app_webview/metrics_guid

MD5 2488ac28cb4f5013ad12318de93ed92e
SHA1 26766285370c6bc798841216c0c7caa7da895925
SHA256 8dfe597f09b59f85d96e5472704fc0c8b79b23893c2b571993c37137b082d59e
SHA512 9af7ba79c00659fc48f1bb56dba6a6909d8c3ace300a4cadef443b5f4f62a5ebaeedc79e6bae47adc3bcd7e5a6d346d0fe9dc28497c2e63594b60b183d480fc5

/data/user/0/com.ytnfrar.rtom/app_webview/GPUCache/index

MD5 93027d42b314432c4216e6cfca48b384
SHA1 43448dd8102979c3926828182579691945eedd4e
SHA256 3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c
SHA512 a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

/data/user/0/com.ytnfrar.rtom/app_webview/GPUCache/index-dir/temp-index

MD5 cfc459dc42e4567c3bd3ba330de53f25
SHA1 e73ceb1ceab1d4317509a9645f6716e17645bb5a
SHA256 6cc4d1d880bee17aee2b24ac85d6b559f45e4c8db1893c33312083a23066afef
SHA512 e27bf1b5065d0083a7123ad35c387ca7856ab85ccdb054f0990f7358ea537eabf99d94c1a1b994d92d779194d5aa97dbbf791382bf4274db628e2d512fdfac35

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-02 09:39

Reported

2022-06-02 09:43

Platform

android-x64-20220310-en

Max time kernel

600583s

Max time network

182s

Command Line

com.ytnfrar.rtom

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.ytnfrar.rtom

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:853 | N/A | tcp
US | 1.1.1.1:853 | N/A | tcp
NL | 216.58.214.10:443 | N/A | tcp
NL | 216.58.214.10:443 | N/A | tcp
US | 1.1.1.1:853 | N/A | tcp
NL | 216.58.214.10:443 | N/A | tcp
NL | 142.250.179.168:443 | N/A | tcp
US | 1.1.1.1:853 | N/A | tcp
NL | 142.250.179.142:443 | N/A | tcp
NL | 142.250.179.168:443 | N/A | tcp
NL | 216.58.214.10:443 | N/A | tcp
NL | 172.217.168.202:443 | N/A | tcp
NL | 142.251.36.35:443 | N/A | tcp
NL | 172.217.168.234:443 | N/A | tcp
NL | 142.250.179.194:443 | N/A | tcp
NL | 216.58.214.10:443 | N/A | tcp
NL | 142.250.179.142:443 | N/A | tcp
NL | 142.250.179.142:443 | N/A | tcp
NL | 216.58.214.10:443 | N/A | tcp

Files

/data/user/0/com.ytnfrar.rtom/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ytnfrar.rtom/shared_prefs/WebViewChromiumPrefs.xml

MD5 6ef709b8536878951e87c29a1518fc2b
SHA1 24376c70b00152501b3d98df61fa7db435339172
SHA256 10b13d894f36d4391fcc31313a244d5f6cd89c8e8c03347282e281c4af13c0a6
SHA512 96547eff6779251a5c4941e812ec56ed273e9270265005723e1f2864688b04f3b852a90145fba4ea0ddf1e02b39d99e33d28f761b07a04d46e0e4257d8909ff9

/data/user/0/com.ytnfrar.rtom/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ytnfrar.rtom/app_webview/webview_data.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ytnfrar.rtom/app_webview/metrics_guid

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ytnfrar.rtom/app_webview/metrics_guid

MD5 46b551cf97754757936fe1543da87e8c
SHA1 195a4c64842a7e9a784d357f9a8c29d6004ec481
SHA256 31eab5149f5ff70fcaff333e24ec71b71ebb4ebd0954678d140df15c527f5f06
SHA512 32635ed7102d88063da89716e3c81f2a835627f417f63f47b83d7b553dcb00a2a6ea2f9cdbe56be22cdec344c6162e8be9cf4f50ef9a87f9e0f491c67e7c8964

/data/user/0/com.ytnfrar.rtom/app_webview/Web Data

MD5 b663831f8cc130493476d94f2d7a5330
SHA1 043a1956ab8e40821d67043f8a9110a8eb36fb93
SHA256 c109aa8bfc364d5fd0756f1c9d35ee3d6df31325061ac70d8469f28cfc882ab7
SHA512 e8ee923192cdf16318febdc23362f3eeaf5c914b923f80cd3a91a2e83e94bced54460d4ef1e54accc26a7d54b89e2e10c00097e60002cf6427298dc5f18fed16

/data/user/0/com.ytnfrar.rtom/app_webview/Web Data-journal

MD5 14f5705433a3c070790c179588becc81
SHA1 0ee99e55103588eb5b77b40b1279a2b16789222e
SHA256 61c29e2327403d457d160c609c6e026a554a06e4961c302bd5154940dc34cb36
SHA512 f68f53537b80fe375df368953b6e66007f8784e567e316197161b8c69322f891947d50f46d299f49fe984383524809edc00b83ea7624e7358c317cee2ad3d508

/data/user/0/com.ytnfrar.rtom/cache/org.chromium.android_webview/Code Cache/js/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.ytnfrar.rtom/cache/org.chromium.android_webview/Code Cache/js/index-dir/temp-index

MD5 5fe7d9617f681be5d45d4c0b32f8a325
SHA1 8e8101c60b7cb3708ab08aa4e858b0ed08eef1e3
SHA256 223e67744ae4f06778ac4e48a527e9fc0f9b30e6db5c1c85b87c6615d3242606
SHA512 9bc8398d23c7fac6c6426785aebf35d976212e473e4ddc4556bed45ab261a3c775a1ad6cc1bafd9fd3b0c33b069d65cb77e73383953bb1ab20661e0ceef4dfaa

/data/user/0/com.ytnfrar.rtom/app_webview/GPUCache/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.ytnfrar.rtom/app_webview/GPUCache/index-dir/temp-index

MD5 7419cf8aeabf90c1c6be92e63bf178dc
SHA1 ae0e5c42bc7736e85438c1616a64f2865f1f121e
SHA256 f002b5f9844e21e3261fc76fa1ddb9301a92f8700f5ae90e066fcfeb5de6f752
SHA512 a25ba856da92d957dd39624aeaaeaa3ee832d25e0b806d98b2b68fc93a71c77a345f0d3d58b92a90d6250e0b59d1127a8f75f70aabd16d151954b0f36d7bbf4a

/data/user/0/com.ytnfrar.rtom/cache/WebView/Crashpad/settings.dat

MD5 65561f6f8a2e22b8ceaac89106c455a4
SHA1 fc5354f6dd3dab84e7a6ba8984bf9fa36bb53586
SHA256 0b5713532c567afa9984df43025fd3f4eb9644af34d11a0346eb0f7b5fcbcdf4
SHA512 8d91ce1409cbf826599230e3e7493a4d342ab0292e2eabd76c28e0e9f2a1ca7afed36208a40d9f36f777bac167303ea0b211fa05435a4b154179496cdfeb8a74

/data/user/0/com.ytnfrar.rtom/app_webview/.com.google.Chrome.PVkKKr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral3

Detonation Overview

Submitted

2022-06-02 09:39

Reported

2022-06-02 09:39

Platform

android-x64-arm64-20220310-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A