Malware Analysis Report

2025-01-19 05:14

Sample ID 220603-g7sw8affam
Target 484F6862473B96487B7D2CB1079DF512403ED48AB25ADF6AA3738FB39ACC625B.apk
SHA256 484f6862473b96487b7d2cb1079df512403ed48ab25adf6aa3738fb39acc625b
Tags
cerberus banker evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

484f6862473b96487b7d2cb1079df512403ed48ab25adf6aa3738fb39acc625b

Threat Level: Known bad

The file 484F6862473B96487B7D2CB1079DF512403ED48AB25ADF6AA3738FB39ACC625B.apk was found to be: Known bad.

Malicious Activity Summary

cerberus banker evasion infostealer rat trojan

Cerberus

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Loads dropped Dex/Jar

Removes a system notification.

Listens for changes in the sensor environment (might be used to detect emulation).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-06-03 06:27

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-03 06:27

Reported

2022-06-03 07:01

Platform

android-x86-arm-20220310-en

Max time kernel

677250s

Max time network

153s

Command Line

com.ygmdflerbfvl.tbistzkei

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/fsdcqjklz.jar | N/A | N/A
N/A | /data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/fsdcqjklz.jar | N/A | N/A

Removes a system notification.

evasion
Description | Indicator | Process | Target
Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.ygmdflerbfvl.tbistzkei

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/fsdcqjklz.jar --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/oat/x86/fsdcqjklz.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
NL | 172.217.168.238:443 | | tcp
US | 173.194.202.188:5228 | | tcp
US | 173.194.202.188:5228 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
NL | 142.251.36.42:443 | semanticlocation-pa.googleapis.com | tcp
NL | 142.251.36.10:80 | play.googleapis.com | tcp
US | 1.1.1.1:53 | alt8-mtalk.google.com | udp
US | 142.250.115.188:5228 | alt8-mtalk.google.com | tcp
NL | 172.217.168.227:80 | | tcp
US | 1.1.1.1:853 | | tcp
NL | 172.217.168.238:443 | | tcp
US | 1.1.1.1:53 | alt4-mtalk.google.com | udp
US | 142.250.157.188:5228 | alt4-mtalk.google.com | tcp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.250.179.142:443 | android.apis.google.com | tcp
NL | 23.2.163.242:443 | | tcp
NL | 142.250.179.142:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | lcnpro.net | udp
NL | 142.250.179.202:80 | www.googleapis.com | tcp
NL | 142.251.36.4:443 | | tcp
NL | 142.250.179.163:443 | | tcp
NL | 142.250.179.163:443 | | tcp
NL | 142.251.36.3:443 | | tcp
NL | 172.217.168.227:80 | connectivitycheck.gstatic.com | tcp
NL | 142.251.36.3:443 | | tcp
NL | 142.250.179.163:443 | | tcp
NL | 142.250.179.163:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
NL | 172.217.168.238:443 | | tcp

Files

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/fsdcqjklz.jar

MD5 d45bf00bb6e9b4d8b7d1658b446dcdf8
SHA1 513af094a9b41ec93176dfc22736b35eedd16b57
SHA256 d333fe24ab64cffce489cf149fc1127b91f3662a406ea7555b9e91fda486ab1f
SHA512 2fa44792c862740d1e3389c819a08f87066c4b77d7de4de2c5bdc956c62211f5abd85a6a234e10dd9c029cb91dc4769a1250d1669591ef1438108cbcf00621ce

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/fsdcqjklz.jar.x86.flock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/oat/x86/fsdcqjklz.vdex

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/oat/x86/fsdcqjklz.odex

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/fsdcqjklz.jar

MD5 08ccc2e2df5b4113f18c8adca75efc64
SHA1 4b3d9853b909f92268f135133084b539da258d5c
SHA256 802ff9fe8616b77cfd5ade32de49928816a35376340562bc1d90a4dcd1fcb443
SHA512 1c7d9feee736b8e5563b02aa741651cf2a23b41dc7b3a0c7d388a81b99c41c3b0c074af8e0eec38258a2a0d8aac7d9676d7ff11a7ccd8f3e9a98c00a7335aa5c

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/fsdcqjklz.jar

MD5 4455c8475a4df2dd495574913b9a8ac6
SHA1 9914e63baacfece99a56ae088075ec4c7fc7d8a0
SHA256 89daf9ec891b28446e9665181da9344ace578e945dd2d873ba9fe55b88adafb5
SHA512 b1a3af1ebebfdc31ff68fc215a73b16d83ab3f1b6e029e3922be3d2e2dddd0e5979d297d7626012481a2581618d0f063ecf6541f5e72f082a182f5d507f9eef4

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/oat/fsdcqjklz.jar.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/shared_prefs/WebViewChromiumPrefs.xml

MD5 21223e9184445fe043476484cd8cb1f9
SHA1 2b4813f849121d60ba35eb0889080668bb62c778
SHA256 bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af
SHA512 be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/webview_data.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/Web Data

MD5 dc79f9ce5f3ab5270b33e61119dfc959
SHA1 1844bf222a5144b513dcf2fb50a18c011701c647
SHA256 47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65
SHA512 18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/Web Data-journal

MD5 791a02e6636cd7454ed2bade727ce9ef
SHA1 c2832a5c47728fee83824a9b91b591c2cc498f22
SHA256 ed8276c39aa2307af61e69f13d772f7e0c6c47da9cb9ea5a8dbaa57f697b7d3b
SHA512 dec2763424179210266108a542b915390a0a9df8eea96fb6fa0afb616635d20a7af19529d67f36d0a7bbcbd93b1392194fb63a4a735677cd1f17e286669ea5bb

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/metrics_guid

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/metrics_guid

MD5 008c3ce0213c86dac3c9188722033f1d
SHA1 b99c59972481872ef75b1cd3cdb3fdbcc45cafe3
SHA256 63f313c166f1dd807579aa647739c8ed004f1889620709a1d4560a9a84174941
SHA512 8d2a271b75a38ab9581d99866bf6d63484f5dcb908a7edf57970ca681ee4ee6d8570c9ba4aa59292b2c20d1addcc5853ab81232402bc5394f1273f08ce5a96bf

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/GPUCache/index

MD5 93027d42b314432c4216e6cfca48b384
SHA1 43448dd8102979c3926828182579691945eedd4e
SHA256 3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c
SHA512 a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/GPUCache/index-dir/temp-index

MD5 07ac4e8d2bf0e81c046393995bb2089e
SHA1 d14c2045e68b025fc318a11e19f305d24b563574
SHA256 bd696c30c9ebd5385ae2838968360c4a103d89b42b44b45e3bcd8856cee5b495
SHA512 e7d1ed6f5882705052a9cefd80d6bfd274f5b684263fda31ab9a12fd1d0416488fdc32b03635445e74c14067d1d7d30a92935af370bb4aafb91e4472d2f5009a

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-03 06:27

Reported

2022-06-03 06:53

Platform

android-x64-20220310-en

Max time kernel

676758s

Max time network

176s

Command Line

com.ygmdflerbfvl.tbistzkei

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/fsdcqjklz.jar | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.ygmdflerbfvl.tbistzkei

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
NL | 216.58.214.10:443 | | tcp
NL | 216.58.214.10:443 | | tcp
US | 1.1.1.1:853 | | tcp
NL | 216.58.214.10:443 | | tcp
NL | 216.58.214.10:443 | | tcp
NL | 216.58.214.10:443 | | tcp
NL | 216.58.208.106:443 | | tcp
NL | 142.250.179.131:443 | | tcp
NL | 172.217.168.234:443 | | tcp
NL | 216.58.214.10:443 | | tcp
NL | 142.251.39.104:443 | | tcp
NL | 216.58.214.10:443 | | tcp
NL | 142.250.179.202:443 | | tcp
NL | 142.250.179.202:443 | | tcp
NL | 142.250.179.202:443 | | tcp
US | 108.177.119.188:5228 | | tcp
NL | 142.250.179.142:443 | | tcp
NL | 142.250.179.142:443 | | tcp
NL | 142.250.179.142:443 | | tcp
NL | 142.250.179.136:443 | | tcp

Files

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/fsdcqjklz.jar

MD5 d45bf00bb6e9b4d8b7d1658b446dcdf8
SHA1 513af094a9b41ec93176dfc22736b35eedd16b57
SHA256 d333fe24ab64cffce489cf149fc1127b91f3662a406ea7555b9e91fda486ab1f
SHA512 2fa44792c862740d1e3389c819a08f87066c4b77d7de4de2c5bdc956c62211f5abd85a6a234e10dd9c029cb91dc4769a1250d1669591ef1438108cbcf00621ce

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/fsdcqjklz.jar

MD5 08ccc2e2df5b4113f18c8adca75efc64
SHA1 4b3d9853b909f92268f135133084b539da258d5c
SHA256 802ff9fe8616b77cfd5ade32de49928816a35376340562bc1d90a4dcd1fcb443
SHA512 1c7d9feee736b8e5563b02aa741651cf2a23b41dc7b3a0c7d388a81b99c41c3b0c074af8e0eec38258a2a0d8aac7d9676d7ff11a7ccd8f3e9a98c00a7335aa5c

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/oat/fsdcqjklz.jar.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/shared_prefs/WebViewChromiumPrefs.xml

MD5 6ef709b8536878951e87c29a1518fc2b
SHA1 24376c70b00152501b3d98df61fa7db435339172
SHA256 10b13d894f36d4391fcc31313a244d5f6cd89c8e8c03347282e281c4af13c0a6
SHA512 96547eff6779251a5c4941e812ec56ed273e9270265005723e1f2864688b04f3b852a90145fba4ea0ddf1e02b39d99e33d28f761b07a04d46e0e4257d8909ff9

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/webview_data.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/metrics_guid

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/metrics_guid

MD5 063eb5383673d35ad83e6ede5d66dde7
SHA1 9283df386a8cbeead1c52586f1bfaf7ef7bf541e
SHA256 057835b7ce88c37fd2ffeeab6fbaf0bce0e0ceff63e87cbabc2b8f5b1e7afa7b
SHA512 357d3852b3d3b7935cc62219d0fd1802e53d2c6e03b7358da550866efdef92db8c0d8b7eff69665af88ad7eaf479e166c3891dceeb63c4e062b4a288cf017c4d

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/Web Data

MD5 b663831f8cc130493476d94f2d7a5330
SHA1 043a1956ab8e40821d67043f8a9110a8eb36fb93
SHA256 c109aa8bfc364d5fd0756f1c9d35ee3d6df31325061ac70d8469f28cfc882ab7
SHA512 e8ee923192cdf16318febdc23362f3eeaf5c914b923f80cd3a91a2e83e94bced54460d4ef1e54accc26a7d54b89e2e10c00097e60002cf6427298dc5f18fed16

/data/user/0/com.ygmdflerbfvl.tbistzkei/cache/org.chromium.android_webview/Code Cache/js/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/Web Data-journal

MD5 11f99caa907ae849459fb1930ba5b521
SHA1 7f193aa625c8d543b5141ca840373f9b6413114c
SHA256 b2f1b581f1992d0f4b61aa5cef32b72e5dcdca21a2805ac744ef88d7115b5126
SHA512 76867155b12cbfaf09944dbe4af687edc8d110b50c36a9509813a95dad71c6ca2d5df509d3eb533b9602f4d74b9ae855efa51650effc6247fc4956f4a15b1f20

/data/user/0/com.ygmdflerbfvl.tbistzkei/cache/org.chromium.android_webview/Code Cache/js/index-dir/temp-index

MD5 098e25299d3e88969da4ad0a4978b70a
SHA1 e45f33aef9aa188ce90feaabca86a7586d806ce3
SHA256 a9da61adb6619085fec457e1e95802c1e8be2a6c189a13ad71e677b72a847075
SHA512 a19c0e9242ea666e955ceb6375aba3d316fbb6e03a954fc309636323b03aca6fea9d10bb3350fb38dc503698019c053f7fa5ddbf2fb310d53d63c011c1ba235c

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/GPUCache/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/GPUCache/index-dir/temp-index

MD5 5335971a3b34b40e46cca9c4ed5298c1
SHA1 1d6ceaac6e3b6689cbff1751c86a6fc971e976c0
SHA256 9b8442448320df36fdff15c67bcecc36fb2786db27cf1cda7372e54fa2b54be3
SHA512 84e2fe280aa3e1779750386136413ab35e6bc3a0406eac06889ce54b55e05af1e3ce637af480aa49c78d1a5139ca7c8543677e673d616813f890ea9024f6f3cc

/data/user/0/com.ygmdflerbfvl.tbistzkei/cache/WebView/Crashpad/settings.dat

MD5 3087f511bae979f8a007b3510d4b308e
SHA1 42daa1e1d42efd66654a04f23c65fa97d62b1059
SHA256 a6cf8cf34160a142ef8100066817db6d5b485c2cc05d302adc3503c21a0c9f8b
SHA512 46beae7a0d451762a64360d9fa5966a1b38878532e4ae9eaf1bfc492fc802172e796ffd192dde0ddcfec44d7985b2147a20863c1239d5d237587ace8fbb5d71f

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/.com.google.Chrome.qoIHla

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral3

Detonation Overview

Submitted

2022-06-03 06:27

Reported

2022-06-03 06:52

Platform

android-x64-arm64-20220310-en

Max time kernel

676715s

Max time network

170s

Command Line

com.ygmdflerbfvl.tbistzkei

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/fsdcqjklz.jar | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation).

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.ygmdflerbfvl.tbistzkei

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 35.186.238.175:443 | | tcp
US | 34.120.65.227:443 | | tcp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
NL | 142.250.179.166:80 | ad.doubleclick.net | tcp
NL | 142.250.179.136:443 | | tcp
US | 1.1.1.1:853 | | tcp
NL | 23.2.163.242:443 | | tcp
US | 1.1.1.1:853 | | tcp
NL | 142.250.179.142:443 | | tcp
NL | 142.250.179.142:443 | | tcp

Files

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/fsdcqjklz.jar

MD5 d45bf00bb6e9b4d8b7d1658b446dcdf8
SHA1 513af094a9b41ec93176dfc22736b35eedd16b57
SHA256 d333fe24ab64cffce489cf149fc1127b91f3662a406ea7555b9e91fda486ab1f
SHA512 2fa44792c862740d1e3389c819a08f87066c4b77d7de4de2c5bdc956c62211f5abd85a6a234e10dd9c029cb91dc4769a1250d1669591ef1438108cbcf00621ce

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/fsdcqjklz.jar

MD5 08ccc2e2df5b4113f18c8adca75efc64
SHA1 4b3d9853b909f92268f135133084b539da258d5c
SHA256 802ff9fe8616b77cfd5ade32de49928816a35376340562bc1d90a4dcd1fcb443
SHA512 1c7d9feee736b8e5563b02aa741651cf2a23b41dc7b3a0c7d388a81b99c41c3b0c074af8e0eec38258a2a0d8aac7d9676d7ff11a7ccd8f3e9a98c00a7335aa5c

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_offline/oat/fsdcqjklz.jar.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.ygmdflerbfvl.tbistzkei/shared_prefs/WebViewChromiumPrefs.xml

MD5 97ccd9a2b2063143df56b6937f961ca4
SHA1 5e78a91ae5df289ce83443cb7d5589dd3504fb5d
SHA256 248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd
SHA512 86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/webview_data.lock

MD5 4f778bbbbd13f447f0f33cf3316cd05d
SHA1 a47f36e10eb624130c5f8b3561469e1934bde60a
SHA256 51348e6955e1efa025618013b036c42ff92ec395a761692a439a97fe44221f5a
SHA512 fa14daf4bd3785a9423f71e532b14e2d286703e433c28f5c25fed622e3131b553cbccfcd49b32df955984b9c83dcb172590632f8d42b129896306fdf2de67991

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/Default/Web Data

MD5 a48cd9324b1f8754b07f00d863b840f3
SHA1 11c6614775b35a58f440971dfc87c8aaac6d6173
SHA256 8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420
SHA512 35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/Default/Web Data-journal

MD5 e5bad4166f9f6629190c2e1e31061892
SHA1 b84c78f60be40712d2794f76df3d7140ed0b7a94
SHA256 15da66a0ec995fcf531b216500bc0c0fb102483f2a9cbc0f52e39440176a96e5
SHA512 17fa6468377a43029e211cb1c2121c212e65874fb8386bb19d4c15977c2b2d3444dba922f6049a78399ad00b91fe3bc56b0c9f4178220082a710d28af528d0c9

/data/user/0/com.ygmdflerbfvl.tbistzkei/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.ygmdflerbfvl.tbistzkei/cache/WebView/Default/HTTP Cache/Code Cache/js/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/Default/GPUCache/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/Default/GPUCache/index-dir/temp-index

MD5 cccb6c9cea2e80a2a3283ae81f28f8a5
SHA1 1479a20b391550f69204d25446d7ea167b057d07
SHA256 0f8204eba6c9d310872fcb32d34c46a7f67da7d980948a11c9d9a3b28da157e4
SHA512 fc1b12a64dda7e7c15be6965cdee1ce36da719e4166993a956755564e3fe23f5cad7f0d4f1afdc8fef2f563bfe119cff51b3097501346736922e3ec6e20772a7

/data/user/0/com.ygmdflerbfvl.tbistzkei/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index

MD5 94ec6925675ded13f96e9a90df7289d7
SHA1 b742b71b2154de396a96e50390aebeb2d578eaf8
SHA256 49e1e3ee844603204d982e640289a978df26623517472e5ffdfaf3b12f023e18
SHA512 1ce83a933e9392d0db42bd5ce974b94c225ecf00d4a3ed8082c3b7d3ca9046407dcd13fc85bd7fa1ae6f0f5027275759e8ffe578805bd736177220db1d02f405

/data/user/0/com.ygmdflerbfvl.tbistzkei/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index

MD5 e0cbaab633364dd87ec420783ca5e824
SHA1 f7549838de28e2d136b3aa3dd5c11325a4723ad8
SHA256 8b9c40acf16b4b09c99e73700f2de75b600a4441ee2602f563fad359cd842145
SHA512 3179712b2d46ed913bb49987afc33b520c9e44324c67ce48b1c4f5282f2a50fb3c80ae2bc64b9bde1e35d5e56b9a9566dc85a01bca54b6a6d09f4a8239a68efd

/data/user/0/com.ygmdflerbfvl.tbistzkei/cache/WebView/font_unique_name_table.pb

MD5 f080fa2a56ab5479d58063e5ea871447
SHA1 4b3fd57a98916fa5784305b76ba30af26b5253d9
SHA256 0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815
SHA512 8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

/data/user/0/com.ygmdflerbfvl.tbistzkei/cache/WebView/Crashpad/settings.dat

MD5 b4970f48a12fe15ca30f4c317bdb1f24
SHA1 20282a13701eaea090c0ec82cb33edc3fa0f2b93
SHA256 5ec804d46b4e4a7383d191117108fbc2aa74ac92711a833ce307076bdee21d0c
SHA512 028b2f4ecbd10a431b3afdf512f6fa227d595bc6354000d857bd19cad3c6168f71322988769ed26801ddc26f9b0c3ed372a5ae23788cb67ba658f0c1d775456a

/data/user/0/com.ygmdflerbfvl.tbistzkei/app_webview/.com.google.Chrome.Mo6mkQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e