Malware Analysis Report

2024-10-19 11:58

Sample ID 240305-c4hvmada85
Target b38ee435659ea011ca2f32d18ad4d393
SHA256 dfc2e8bb0c4e510da768aa76c89c1b0bb150454d9ad64a66effeea5e7996b290
Tags: cerberus banker collection evasion infostealer rat stealth trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

dfc2e8bb0c4e510da768aa76c89c1b0bb150454d9ad64a66effeea5e7996b290

Threat Level: Known bad

The file b38ee435659ea011ca2f32d18ad4d393 was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection evasion infostealer rat stealth trojan

Cerberus

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Listens for changes in the sensor environment (might be used to detect emulation)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-05 02:37

Signatures

Declares broadcast receivers with permission to handle system events

Indicator | Description
android.permission.BIND_DEVICE_ADMIN | Required by device admin receivers to bind with the system. Allows apps to manage device administration features.
(Process/Target: N/A)

Declares services with permission to bind to the system

Indicator | Description
android.permission.BIND_ACCESSIBILITY_SERVICE | Required by accessibility services to bind with the system. Allows apps to access accessibility features.
(Process/Target: N/A)

Requests dangerous framework permissions

Indicator | Description
android.permission.CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.RECEIVE_SMS | Allows an application to receive SMS messages.
android.permission.READ_PHONE_STATE | Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_CONTACTS | Allows an application to read the user's contacts data.
android.permission.READ_SMS | Allows an application to read SMS messages.
android.permission.SEND_SMS | Allows an application to send SMS messages.
(Process/Target: N/A for all rows)

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-05 02:37

Reported

2024-03-05 02:40

Platform

android-x86-arm-20240221-en

Max time kernel

146s

Max time network

158s

Command Line

high.actress.journey

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion
Indicator (framework service call) | Description
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Framework service call
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Framework service call
(Process/Target: N/A)

Removes its main activity from the application launcher

stealth trojan evasion
No indicator detail recorded for this signature (Description/Indicator/Process/Target: N/A).

Loads dropped Dex/Jar

evasion
Indicator (file loaded) | Load events
/data/user/0/high.actress.journey/app_DynamicOptDex/ZTqtmk.json | 3
(Description/Process/Target: N/A)

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Indicator (intent action) | Description
android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | Intent action
(Process/Target: N/A)

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Indicator (framework API call) | Description
android.hardware.SensorManager.registerListener | Framework API call
(Process/Target: N/A)

Processes

high.actress.journey

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/high.actress.journey/app_DynamicOptDex/ZTqtmk.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/high.actress.journey/app_DynamicOptDex/oat/x86/ZTqtmk.odex --compiler-filter=quicken --class-loader-context=&
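The dex2oat invocation above compiles /data/user/0/high.actress.journey/app_DynamicOptDex/ZTqtmk.json, i.e. a file carrying a .json extension that is in fact DEX code handed to a runtime class loader. The Python script below is an added example of analyst tooling; it is not part of the sandbox report, the sample, or any project. It checks a dropped file's magic bytes against its extension and verifies the DEX header's adler32 checksum, SHA-1 signature and declared file_size, so a payload that has been truncated or modified on disk is flagged as well. The DEX it builds for the demonstration is constructed here; only the path is taken from the report.

```python
import hashlib
import posixpath
import struct
import zlib

# Layout of the DEX header (first 0x70 bytes) per the Android dex format spec:
# magic[8] @0, checksum u32 @8, signature[20] @12, file_size u32 @32,
# header_size u32 @36, endian_tag u32 @40.
DEX_MAGIC_PREFIX = b"dex\n"
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
ZIP_MAGIC = b"PK\x03\x04"
# Extensions under which code is legitimately loaded; anything else is a mismatch.
CODE_EXTENSIONS = {".dex", ".jar", ".apk", ".zip"}


def parse_dex_header(data: bytes) -> dict:
    """Parse a DEX header and verify its adler32 checksum, SHA-1 signature
    and declared file size. is_dex is False when the magic does not match."""
    result = {"is_dex": False, "version": None, "checksum_ok": False,
              "signature_ok": False, "file_size_ok": False}
    if len(data) < DEX_HEADER_SIZE or data[:4] != DEX_MAGIC_PREFIX:
        return result
    result["is_dex"] = True
    result["version"] = data[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size = struct.unpack_from("<II", data, 32)
    # adler32 covers everything after the checksum field (offset 12 to EOF).
    result["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    # SHA-1 covers everything after the signature field (offset 32 to EOF).
    result["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature
    result["file_size_ok"] = (file_size == len(data)
                              and header_size == DEX_HEADER_SIZE)
    return result


def classify_blob(data: bytes) -> str:
    """Identify the container from magic bytes: 'dex', 'zip' (jar/apk) or 'other'."""
    if data[:4] == DEX_MAGIC_PREFIX:
        return "dex"
    if data[:4] == ZIP_MAGIC:
        return "zip"
    return "other"


def triage_dropped_file(path: str, data: bytes) -> dict:
    """Flag a dropped file whose content is loadable code but whose extension
    claims otherwise (a DEX stored as .json under app_DynamicOptDex)."""
    kind = classify_blob(data)
    ext = posixpath.splitext(path)[1].lower()
    masquerading = kind in ("dex", "zip") and ext not in CODE_EXTENSIONS
    header = parse_dex_header(data) if kind == "dex" else None
    return {"path": path, "kind": kind, "ext": ext,
            "masquerading": masquerading, "dex_header": header}


def build_sample_dex(payload: bytes = b"") -> bytes:
    """Constructed sample for the demonstration: a header-only DEX with a
    consistent checksum, signature and file_size but no classes. Not the
    file from the report."""
    body = bytearray(DEX_HEADER_SIZE) + payload
    body[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", body, 32, len(body), DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    body[12:32] = hashlib.sha1(body[32:]).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(body[12:]) & 0xFFFFFFFF)
    return bytes(body)


if __name__ == "__main__":
    # Path from the report; content is the constructed sample above.
    sample_path = "/data/user/0/high.actress.journey/app_DynamicOptDex/ZTqtmk.json"
    verdict = triage_dropped_file(sample_path, build_sample_dex(b"\x00" * 32))
    print(verdict["kind"], verdict["ext"], "masquerading:", verdict["masquerading"])
    print(verdict["dex_header"])
```

Run it against the files listed under Files for each run: the ZTqtmk.json entries (several different hashes at the same path, so the sample rewrites the file between loads) are the ones to check; the .cur.prof file is an ART profile written by the runtime and classifies as "other".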

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.212.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | besdirindabe100.xyz | udp

Files

/data/data/high.actress.journey/app_DynamicOptDex/ZTqtmk.json

MD5 7f56d9fa24fcf3a5641b7994cc96e4eb
SHA1 87550c09805d84b62d0508f56ac2e3e7ba54d008
SHA256 7f6e24a1c75e48c57cc2a719aff0bb4495992f24d71c266a1ec09f36e39c7ee9
SHA512 9015290d484d558d115d3d7f37385a9d59d53d8f0f23852319b0ba4110b309106309ca54eb22018ca3671c1aed8695806d4dce9050c1f3e1087b3411a0f22917

/data/data/high.actress.journey/app_DynamicOptDex/ZTqtmk.json

MD5 b2c94ea5ef5a5376137b34bd7600b34b
SHA1 71165b68a932b8c8a41334b7f7b8d62f5e2a8de9
SHA256 fc71d8f0a446e4510e86ab26578ae48d10733576e3fb3402c44e10b0e95b230c
SHA512 7e470560707006bd65def44f527022e0eddd8fc4cb658508e70307b1387686d202eb72fadf59dfb25deb038a9606508de993045a480d9dea9669bb19eaae2dcf

/data/user/0/high.actress.journey/app_DynamicOptDex/ZTqtmk.json

MD5 d7eea2604096e6ac25c74c0b9d40b140
SHA1 d0d4f9bb66e372b9d0fa83f3bbea83d4cc9a9bd3
SHA256 5b8eadce9f1ee39731fb12159d4f867e9598c4eaf09fd3ccdc288fbe3b0d1643
SHA512 7b877be9c4154d1a6d36056fea4b6719dd86f1040b6391d517c637514f62108a417155f5d3d6ba35183892e241831e33899e13320cdbadf8b7edde2fba2a5377

/data/user/0/high.actress.journey/app_DynamicOptDex/ZTqtmk.json

MD5 0e2a99b4e03d7b0875d3f77d1be9bef3
SHA1 9de4e0c281d9fce6244b2e1756cf77437edb4c06
SHA256 4cfa2ae1c947c059ce055775b8ca6a1c1de1a1ea26bb8c8fe90972072de55cb9
SHA512 3b5ee45a695f2fc813059e98ac1b88f7f7063dbe5e68255724682b1051256d30334bc4ab6a25112cb4d811c6850fc4f1ed671dbc06f48749965caca1ddf37e3d

/data/data/high.actress.journey/app_DynamicOptDex/oat/ZTqtmk.json.cur.prof

MD5 9175aa620c57bb40b34bdaf23c2cce8f
SHA1 64818919056763573e1940e13c41461cc5bd749f
SHA256 6d8271ab53e51121f45f7a0a4aeaad7731fb2625a3fd4cbdf06fda0aeaff95cb
SHA512 0e874e4e8b35147086a1bc1118ac02b997f3eeb9339b6189fd7d5ddf1f3315a2c80c13496073dedc012425ccdcc6e89ef24f6d42a816ddf24411f797923e92fa

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-05 02:37

Reported

2024-03-05 02:40

Platform

android-x64-20240221-en

Max time kernel

52s

Max time network

152s

Command Line

high.actress.journey

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion
Indicator (framework service call) | Description
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Framework service call
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Framework service call
(Process/Target: N/A)

Removes its main activity from the application launcher

stealth trojan evasion
No indicator detail recorded for this signature (Description/Indicator/Process/Target: N/A).

Loads dropped Dex/Jar

evasion
Indicator (file loaded) | Load events
/data/user/0/high.actress.journey/app_DynamicOptDex/ZTqtmk.json | 2
(Description/Process/Target: N/A)

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Indicator (framework API call) | Description
android.hardware.SensorManager.registerListener | Framework API call
(Process/Target: N/A)

Processes

high.actress.journey

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | besdirindabe100.xyz | udp
GB | 216.58.212.228:443 | - | tcp (2 connections)
GB | 216.58.201.98:443 | - | tcp
GB | 172.217.16.238:443 | - | tcp

Files

/data/data/high.actress.journey/app_DynamicOptDex/ZTqtmk.json

MD5 7f56d9fa24fcf3a5641b7994cc96e4eb
SHA1 87550c09805d84b62d0508f56ac2e3e7ba54d008
SHA256 7f6e24a1c75e48c57cc2a719aff0bb4495992f24d71c266a1ec09f36e39c7ee9
SHA512 9015290d484d558d115d3d7f37385a9d59d53d8f0f23852319b0ba4110b309106309ca54eb22018ca3671c1aed8695806d4dce9050c1f3e1087b3411a0f22917

/data/data/high.actress.journey/app_DynamicOptDex/ZTqtmk.json

MD5 d7eea2604096e6ac25c74c0b9d40b140
SHA1 d0d4f9bb66e372b9d0fa83f3bbea83d4cc9a9bd3
SHA256 5b8eadce9f1ee39731fb12159d4f867e9598c4eaf09fd3ccdc288fbe3b0d1643
SHA512 7b877be9c4154d1a6d36056fea4b6719dd86f1040b6391d517c637514f62108a417155f5d3d6ba35183892e241831e33899e13320cdbadf8b7edde2fba2a5377

/data/data/high.actress.journey/app_DynamicOptDex/oat/ZTqtmk.json.cur.prof

MD5 e4d84bd22b5e74f4e783243b279ff38b
SHA1 2378dd9b313186ff002a0f7240cc8954ee227d44
SHA256 1c42eca06cbac133257ea55fbfdeb568bd812549ad6474d282678d1e52618cee
SHA512 f7aabded8b1297c86c83e3a21187c73f2f0d19c45f0c1b205908ef1c805314e5f11f5c17b78c5115fa51df2b80993fc5a6732e75e55c439f719f4ad0a89d89e6

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-05 02:37

Reported

2024-03-05 02:40

Platform

android-x64-arm64-20240221-en

Max time kernel

68s

Max time network

141s

Command Line

high.actress.journey

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion
Indicator (framework service call) | Description
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Framework service call
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Framework service call
(Process/Target: N/A)

Removes its main activity from the application launcher

stealth trojan evasion
No indicator detail recorded for this signature (Description/Indicator/Process/Target: N/A).

Loads dropped Dex/Jar

evasion
Indicator (file loaded) | Load events
/data/user/0/high.actress.journey/app_DynamicOptDex/ZTqtmk.json | 2
/data/data/high.actress.journey/app_DynamicOptDex/ZTqtmk.json | 2
(Description/Process/Target: N/A)

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Indicator (intent action) | Description
android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | Intent action
(Process/Target: N/A)

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Indicator (framework API call) | Description
android.hardware.SensorManager.registerListener | Framework API call
(Process/Target: N/A)

Processes

high.actress.journey

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | - | tcp (3 connections)
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.180.10:443 | - | udp
GB | 216.58.213.14:443 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.36:443 | - | tcp (2 connections)
US | 1.1.1.1:53 | besdirindabe100.xyz | udp
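Across all three behavioral runs the only non-Google name queried is besdirindabe100.xyz, and no row in any run attributes a connection to that name, whereas each Google domain shows a DNS query followed by a TCP session. The Python script below is an added example of analyst tooling, not part of the report; it parses the Network rows exactly as printed above (the behavioral1 table is embedded as sample input, and the behavioral2 and behavioral3 tables parse the same way) and separates names that were only resolved from infrastructure that was actually contacted. Treating the listed Google suffixes as sandbox background traffic is an assumption of the example.

```python
import ipaddress

# Network rows copied from the behavioral1 run of this report, header included.
BEHAVIORAL1_NETWORK = """
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.212.234:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.200.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 besdirindabe100.xyz udp
"""

# Assumption of this example: these suffixes are Android/GMS background traffic
# produced by the sandbox image rather than by the sample.
NOISE_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")


def parse_rows(table: str) -> list:
    """Parse 'Country Destination [Domain] Proto' rows; the Domain column is optional."""
    rows = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or parts[0] == "Country":
            continue
        ip, port = parts[1].rsplit(":", 1)
        rows.append({
            "country": parts[0],
            "ip": ip,
            "port": int(port),
            "domain": parts[2] if len(parts) == 4 else None,
            "proto": parts[-1],
        })
    return rows


def triage_network(rows: list) -> dict:
    """Split queried names into those later contacted and those only resolved.
    Lookup-only names that are not background noise are the C2 candidates
    to pivot on (passive DNS, registrar, sinkhole status)."""
    queried, contacted, unattributed = set(), set(), set()
    for r in rows:
        if ipaddress.ip_address(r["ip"]).is_multicast:
            continue  # 224.0.0.251:5353 is mDNS service discovery, not egress
        if r["port"] == 53 and r["proto"] == "udp":
            if r["domain"]:
                queried.add(r["domain"])
            continue
        if r["domain"]:
            contacted.add(r["domain"])
        else:
            # Connection the sandbox could not tie back to a DNS answer.
            unattributed.add((r["ip"], r["port"], r["proto"]))
    lookup_only = queried - contacted
    return {
        "lookup_only": sorted(lookup_only),
        "candidate_c2": sorted(d for d in lookup_only
                               if not d.endswith(NOISE_SUFFIXES)),
        "noise_domains": sorted(d for d in queried | contacted
                                if d.endswith(NOISE_SUFFIXES)),
        "unattributed_endpoints": sorted(unattributed),
    }


if __name__ == "__main__":
    summary = triage_network(parse_rows(BEHAVIORAL1_NETWORK))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

A lookup with no follow-on session usually means the name did not resolve at detonation time (expired, sinkholed or not yet registered), so the domain is still the indicator to block and hunt for even though no payload traffic was captured.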

Files

/data/data/high.actress.journey/app_DynamicOptDex/ZTqtmk.json

MD5 7f56d9fa24fcf3a5641b7994cc96e4eb
SHA1 87550c09805d84b62d0508f56ac2e3e7ba54d008
SHA256 7f6e24a1c75e48c57cc2a719aff0bb4495992f24d71c266a1ec09f36e39c7ee9
SHA512 9015290d484d558d115d3d7f37385a9d59d53d8f0f23852319b0ba4110b309106309ca54eb22018ca3671c1aed8695806d4dce9050c1f3e1087b3411a0f22917

/data/data/high.actress.journey/app_DynamicOptDex/ZTqtmk.json

MD5 d7eea2604096e6ac25c74c0b9d40b140
SHA1 d0d4f9bb66e372b9d0fa83f3bbea83d4cc9a9bd3
SHA256 5b8eadce9f1ee39731fb12159d4f867e9598c4eaf09fd3ccdc288fbe3b0d1643
SHA512 7b877be9c4154d1a6d36056fea4b6719dd86f1040b6391d517c637514f62108a417155f5d3d6ba35183892e241831e33899e13320cdbadf8b7edde2fba2a5377

/data/data/high.actress.journey/app_DynamicOptDex/oat/ZTqtmk.json.cur.prof

MD5 f36f10e4ea8e313b7a3af7727af14313
SHA1 ca65fdf59f60daf744fb42c3d6a306ba714c4612
SHA256 294a0e81c96bd5a348daff40056867d16ebe805a3082f3ee6784a1534178a5fb
SHA512 9c45dfede75f2858cff5be07e4fc9cb91dc577e1160743ea46f903a854ec37d7aa0132fc4c0731258c39633ec0cd11bec11961b0dc3b8b7ac2f1a71591a9d27f

/data/data/high.actress.journey/app_DynamicOptDex/ZTqtmk.json

MD5 0abaa0fae6bcc694ec59ae44512ee170
SHA1 14d4ff619544a99bdbde9aa49f413ccd26264d7e
SHA256 3ce6d4b01bc342c17cd04334830906d0e92b30ae9e292f56f29399427c0f4475
SHA512 07bae221d6221b2b491c68552d257a2bed31789b66454990030f70c5cd9ff318c13c0595f5570ce68e8bac82ce4693aa2aa7493c612a231f7363775d4968c3f1