Malware Analysis Report

2024-10-19 11:58

Sample ID 240306-phktbaae6y
Target b7638ff22370a672f8da8ce79d5da97b
SHA256 34285952e2dc998f9e94dc41228c6b74c3777b403e57fc239a362cc1e4e7cb71
Tags
cerberus banker collection evasion infostealer rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

34285952e2dc998f9e94dc41228c6b74c3777b403e57fc239a362cc1e4e7cb71

Threat Level: Known bad

The file b7638ff22370a672f8da8ce79d5da97b was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection evasion infostealer rat stealth trojan

Cerberus

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-06 12:19

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-06 12:19

Reported

2024-03-06 12:22

Platform

android-x86-arm-20240221-en

Max time kernel

63s

Max time network

130s

Command Line

easy.cigar.stock

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/easy.cigar.stock/app_DynamicOptDex/lKY.json | N/A | N/A
N/A | /data/user/0/easy.cigar.stock/app_DynamicOptDex/lKY.json | N/A | N/A
N/A | /data/user/0/easy.cigar.stock/app_DynamicOptDex/lKY.json | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

easy.cigar.stock

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/easy.cigar.stock/app_DynamicOptDex/lKY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/easy.cigar.stock/app_DynamicOptDex/oat/x86/lKY.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | denemeamaciyla.tk | udp
US | 1.1.1.1:53 | denemeamaciyla.tk | udp
US | 1.1.1.1:53 | denemeamaciyla.tk | udp

Files

/data/data/easy.cigar.stock/app_DynamicOptDex/lKY.json

MD5 88170bc0d7becd86b0770011de000abb
SHA1 50595bdf1ab5d60a10be3992cf7df0177dbb1447
SHA256 0c78ecf78f67a565d2e051430bbd9000f7ef6ece1ba4c722c12021be2adcd771
SHA512 7a9c68fa5191ac7c861c92003691429f08e8b11d21e702bbc31d71e2f513712c8f1def2140e257d32d49211bd96cedf12a2cd1e325d1dd7992ff8099f70d93b3

/data/data/easy.cigar.stock/app_DynamicOptDex/lKY.json

MD5 6c9c0926ed81b3109379fb9ff9fd0b72
SHA1 cefff7b4c73a8aaac1af8d9d3bcdb12111ef7530
SHA256 f2c723b899d3e427e53fe1f8fa1559a80c965e9a577a160ac7c0e02cdb67cba9
SHA512 6bb163fad2cd5b64579ea114a02da355d690901b73cb46d6710f846eae3830229d6b182320076ec46f12f1244665411dc5dbb4b08341f760386b71582f0efe32

/data/user/0/easy.cigar.stock/app_DynamicOptDex/lKY.json

MD5 78b77b64cf1389ef7c5fa5c862967139
SHA1 4123fe811c507b20f06a12a1d10416a09fa55078
SHA256 1648ee85b0561a8703bc047dd5ba5ebd4d43e5233f6b9ccc9b2168ff9926a767
SHA512 fec2bc63b828a96b6275b6e8b4280e6391eadce91264800d2ad26fa04b4ef7c61bb98619d2a691f8307996a2b44749cba1b9c3173de31dbb12ed7bfa813222ad

/data/data/easy.cigar.stock/app_DynamicOptDex/oat/lKY.json.cur.prof

MD5 dc5bcefee7fd1edd8dc753108da8a2b5
SHA1 63fed5104b5054c106283f1155651b58ad845367
SHA256 7844a30df13f899fc112b65dccab4e5a5d5864dee5ad02902ac970b0b9bc4e5b
SHA512 563fb4e644c6fc1d0a5d7dcb8b32b57f471d94ee816486a26870630bc7e21fe7f983aa408216243e1a4d4ec4ce87119697b9fc0f4428da291a81e9f73b04fc1b

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-06 12:19

Reported

2024-03-06 12:22

Platform

android-x64-20240221-en

Max time kernel

61s

Max time network

153s

Command Line

easy.cigar.stock

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/easy.cigar.stock/app_DynamicOptDex/lKY.json | N/A | N/A
N/A | /data/user/0/easy.cigar.stock/app_DynamicOptDex/lKY.json | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

easy.cigar.stock

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | denemeamaciyla.tk | udp
GB | 216.58.213.4:443 | | tcp
GB | 216.58.213.4:443 | | tcp
US | 1.1.1.1:53 | denemeamaciyla.tk | udp
US | 1.1.1.1:53 | denemeamaciyla.tk | udp
GB | 142.250.178.14:443 | | tcp
GB | 216.58.212.226:443 | | tcp
US | 1.1.1.1:53 | denemeamaciyla.tk | udp
US | 1.1.1.1:53 | denemeamaciyla.tk | udp
US | 1.1.1.1:53 | denemeamaciyla.tk | udp
US | 1.1.1.1:53 | denemeamaciyla.tk | udp

Files

/data/data/easy.cigar.stock/app_DynamicOptDex/lKY.json

MD5 88170bc0d7becd86b0770011de000abb
SHA1 50595bdf1ab5d60a10be3992cf7df0177dbb1447
SHA256 0c78ecf78f67a565d2e051430bbd9000f7ef6ece1ba4c722c12021be2adcd771
SHA512 7a9c68fa5191ac7c861c92003691429f08e8b11d21e702bbc31d71e2f513712c8f1def2140e257d32d49211bd96cedf12a2cd1e325d1dd7992ff8099f70d93b3

/data/data/easy.cigar.stock/app_DynamicOptDex/lKY.json

MD5 6c9c0926ed81b3109379fb9ff9fd0b72
SHA1 cefff7b4c73a8aaac1af8d9d3bcdb12111ef7530
SHA256 f2c723b899d3e427e53fe1f8fa1559a80c965e9a577a160ac7c0e02cdb67cba9
SHA512 6bb163fad2cd5b64579ea114a02da355d690901b73cb46d6710f846eae3830229d6b182320076ec46f12f1244665411dc5dbb4b08341f760386b71582f0efe32

/data/data/easy.cigar.stock/app_DynamicOptDex/oat/lKY.json.cur.prof

MD5 dc9d07db1568e33faf61030d28742f9f
SHA1 b087cb5b0dd89d924c17e4b81b457b25564b940e
SHA256 25c3fdd3fa1baf8bfddaa1f97ac24acefca83adddc803d36fa4cefaedcd0efe0
SHA512 cb12b934d1e2152995d411e36e47122514fe85d7361a2b6f80b9a8cbbfc76cc630e6f923183552100070a34e76c125dcd8da2cfc2f0e458318036415e5c161c0

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-06 12:19

Reported

2024-03-06 12:19

Platform

android-x64-arm64-20240221-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 216.58.201.110:443 | | tcp
GB | 216.58.201.110:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | udp
GB | 142.250.200.14:443 | | udp

Files

N/A