Malware Analysis Report

2024-10-19 11:58

Sample ID 240305-lysbjsch73
Target b46a0305dfbcb341dad439a88cd67c56
SHA256 29149f72818601df2e9df222a3167c832e9c4caf0d9e9c281889336200d68dd7
Tags
cerberus banker collection evasion infostealer rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

29149f72818601df2e9df222a3167c832e9c4caf0d9e9c281889336200d68dd7

Threat Level: Known bad

The file b46a0305dfbcb341dad439a88cd67c56 was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection evasion infostealer rat stealth trojan

Cerberus

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Listens for changes in the sensor environment (might be used to detect emulation)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-05 09:56

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-05 09:56

Reported

2024-03-05 09:59

Platform

android-x86-arm-20240221-en

Max time kernel

146s

Max time network

154s

Command Line

raven.tenant.forum

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json N/A N/A
N/A /data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json N/A N/A
N/A /data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

raven.tenant.forum

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/raven.tenant.forum/app_DynamicOptDex/oat/x86/rWQ.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.10:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 ratrentalservice.com udp

Files

/data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json

MD5 d03fead3b34e2fc98d5e1f86a53eb5c3
SHA1 6d8a9a7939c518ffde2528a42e9e37a816dc41d6
SHA256 58c75abc38546efd7237941d1c9732fe6c65dfd56852eb2cb633f22859203a46
SHA512 4921f1bdf7f20ad63f00f7e38dd97f30c6e3c9d59d7a41fc3fa848f0d48aaff048c5f1e104e2fbec7f0307fedb000e0920e604859bf8ef55d652ef224e1d9702

/data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json

MD5 83de487436714916327ad33fc2ffa7cb
SHA1 478b1a093824c40e7dc5f6b88650d06cf2362d4b
SHA256 e8977f529770998108569031f4a93513de6aa2426963d6cd9c2643d7bd420aae
SHA512 f41f063c637689ba1514b25a102a92292f21db3211c2fd102a4549fbe9c8c990d95e7f5ca55b29ab62a1eea26f7f7c4d9e1571ec9b2671af69b7b3f077ca4491

/data/data/raven.tenant.forum/app_DynamicOptDex/oat/rWQ.json.cur.prof

MD5 8a8d0d7e7972ff6b5883ac369ead666b
SHA1 e1a97724c5b7c9bb624dcad44a67dd47601adabd
SHA256 bf10875c0132af68d484852f63935708a8f0c8f0ceb9e54558f22967624fcb80
SHA512 158c15aa904188c621cde6053b3729bcb0daed814cab633dd9b8d587e7138f8836f946e8ed9c7551c04e4d5139b759a8551d0279205c40311c0c112e92e9c7f2

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-05 09:56

Reported

2024-03-05 09:59

Platform

android-x64-20240221-en

Max time kernel

49s

Max time network

152s

Command Line

raven.tenant.forum

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json N/A N/A
N/A /data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Processes

raven.tenant.forum

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ratrentalservice.com udp
GB 216.58.212.228:443 tcp
GB 216.58.212.228:443 tcp
GB 172.217.169.66:443 tcp
GB 172.217.169.14:443 tcp

Files

/data/data/raven.tenant.forum/app_DynamicOptDex/rWQ.json

MD5 3f39379292e5fc636eb29371ba013bd2
SHA1 091c69d1fda980b18ea7c2a413ddde7ec5854137
SHA256 8982186196bcc0a336386d27d4c3de1c3e43b10aad0fecbecd706160b9cbd117
SHA512 67f7e0e44c53ce9dff01f0be087b508a3f7f25761e1c23b5e61acbfc8b9c32d4625c552a1c72d2fc10e805179028eabf0fb7871246086ecca685d717ef0476f9

/data/data/raven.tenant.forum/app_DynamicOptDex/rWQ.json

MD5 d03fead3b34e2fc98d5e1f86a53eb5c3
SHA1 6d8a9a7939c518ffde2528a42e9e37a816dc41d6
SHA256 58c75abc38546efd7237941d1c9732fe6c65dfd56852eb2cb633f22859203a46
SHA512 4921f1bdf7f20ad63f00f7e38dd97f30c6e3c9d59d7a41fc3fa848f0d48aaff048c5f1e104e2fbec7f0307fedb000e0920e604859bf8ef55d652ef224e1d9702

/data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json

MD5 1a8515e064b6a4257cbcf4fb7a18293f
SHA1 f0b2b92667538b35d6fe26326d785b71eef606c9
SHA256 b62bd5c645b1b6313a4782454532a1a7c86907bff5dbda6f43653bbb3644bbf7
SHA512 f1b6ec38e6b6748072918fa82f6ca22b7fcb3b82fef837fd63e7f882e8187391cd663265b7ed2da158b9f86e91dc0704817aeb4f4b4625200563d67750bb0efc

/data/data/raven.tenant.forum/app_DynamicOptDex/oat/rWQ.json.cur.prof

MD5 c491bc55e7af62a9b80b85cbfe8eb007
SHA1 559e6ea8d09e8b4dd3d61132d17dcbdb73ea7e66
SHA256 8748214b8ff5937ebc41fc3e5b9056b1905d7ace4cf296bb283848c390e43a8d
SHA512 bea1106d5f8f780fac1e131e60821d063c368aac17d8f4375d1273c811b435fc4da42de092374075dfe8ce1b38ba8ef00cf52bb89777ed85f55e59b7333dbb8c

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-05 09:56

Reported

2024-03-05 09:57

Platform

android-x64-arm64-20240221-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.200.10:443 udp
GB 142.250.200.14:443 udp

Files

N/A