Malware Analysis Report

2024-10-19 11:58

Sample ID 240306-zrmpdaac21
Target b82c32069c0a7bc7d8c01aca3d886558
SHA256 eeb5699423902d7422482cbbe30a025180155edb3aaeb625446e403c46f944f3
Tags
cerberus banker collection evasion infostealer rat stealth trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Mobile Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

eeb5699423902d7422482cbbe30a025180155edb3aaeb625446e403c46f944f3

Threat Level: Known bad

The file b82c32069c0a7bc7d8c01aca3d886558 was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection evasion infostealer rat stealth trojan

Cerberus

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Listens for changes in the sensor environment (might be used to detect emulation)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported    2024-03-06 20:57

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted           2024-03-06 20:57
Reported            2024-03-06 20:57
Platform            android-x64-arm64-20240221-en
Max time network    7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.74:443 | | udp
GB | 216.58.213.14:443 | | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted           2024-03-06 20:57
Reported            2024-03-06 20:59
Platform            android-x86-arm-20240221-en
Max time kernel     53s
Max time network    133s

Command Line

among.caution.source

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/among.caution.source/app_DynamicOptDex/mYko.json | N/A | N/A
N/A | /data/user/0/among.caution.source/app_DynamicOptDex/mYko.json | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

among.caution.source

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
DE | 178.18.251.169:80 | 178.18.251.169 | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp
DE | 178.18.251.169:80 | 178.18.251.169 | tcp
DE | 178.18.251.169:80 | 178.18.251.169 | tcp
DE | 178.18.251.169:80 | 178.18.251.169 | tcp
DE | 178.18.251.169:80 | 178.18.251.169 | tcp

Files

/data/data/among.caution.source/app_DynamicOptDex/mYko.json

MD5 bec9b4f40d54b030b96ce154fa6d6136
SHA1 affe06c1e4815d5f60c775299ac2936658f78e3b
SHA256 f5f17b614fa3b009437893025f1400fb69611f24c291fd9977928fc307a04416
SHA512 dd0f5638fc147112ea11dc2588234797333287e0dc452ee08d685d7722bceabfbc4c672c1b7361a82fa59f0bb3efbcdfc9af319784ec30819ce1f0530345a5f0

/data/data/among.caution.source/app_DynamicOptDex/mYko.json

MD5 3ad737cb3d5112ea8b6370e18eb7107e
SHA1 d949dce9fb67db89b32cc17a647977c8b4616f24
SHA256 736ac24cd76fa729cc2af5f0a80c2b51b4b5572fa206eab049b029154e960779
SHA512 102925532853f7e892792f797675600d826e92140fb09455f199af2a6e8629b4bdcfc84cc36f7f462404662f401afdec8deada43e1326ca321986ffeb240cf3c

/data/data/among.caution.source/app_DynamicOptDex/oat/mYko.json.cur.prof

MD5 8e1fab269dfdfa078172277e343206ef
SHA1 dbffb44730d48b8383eeddf150ae63f6a93747d5
SHA256 f3000207cfbd0784ccebc7962482f2372a60786a7a9ae4b0ec239ec545f1fbef
SHA512 40fefb1ac086baf7a4e6b091f3b7adbb74756a73d1abce121d8def83b0db20aa5003881a3ef3d8a654068951ca3a23f81f6a7e65419c311c1d00eda965929ae9

Analysis: behavioral2

Detonation Overview

Submitted           2024-03-06 20:57
Reported            2024-03-06 20:59
Platform            android-x64-20240221-en
Max time kernel     51s
Max time network    160s

Command Line

among.caution.source

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/among.caution.source/app_DynamicOptDex/mYko.json | N/A | N/A
N/A | /data/user/0/among.caution.source/app_DynamicOptDex/mYko.json | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

among.caution.source

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.195:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
DE | 178.18.251.169:80 | 178.18.251.169 | tcp
DE | 178.18.251.169:80 | 178.18.251.169 | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
DE | 178.18.251.169:80 | 178.18.251.169 | tcp
GB | 142.250.187.238:443 | | tcp
GB | 172.217.169.34:443 | | tcp
DE | 178.18.251.169:80 | 178.18.251.169 | tcp
DE | 178.18.251.169:80 | 178.18.251.169 | tcp
DE | 178.18.251.169:80 | 178.18.251.169 | tcp
DE | 178.18.251.169:80 | 178.18.251.169 | tcp

Files

/data/data/among.caution.source/app_DynamicOptDex/mYko.json

MD5 bec9b4f40d54b030b96ce154fa6d6136
SHA1 affe06c1e4815d5f60c775299ac2936658f78e3b
SHA256 f5f17b614fa3b009437893025f1400fb69611f24c291fd9977928fc307a04416
SHA512 dd0f5638fc147112ea11dc2588234797333287e0dc452ee08d685d7722bceabfbc4c672c1b7361a82fa59f0bb3efbcdfc9af319784ec30819ce1f0530345a5f0

/data/data/among.caution.source/app_DynamicOptDex/mYko.json

MD5 3ad737cb3d5112ea8b6370e18eb7107e
SHA1 d949dce9fb67db89b32cc17a647977c8b4616f24
SHA256 736ac24cd76fa729cc2af5f0a80c2b51b4b5572fa206eab049b029154e960779
SHA512 102925532853f7e892792f797675600d826e92140fb09455f199af2a6e8629b4bdcfc84cc36f7f462404662f401afdec8deada43e1326ca321986ffeb240cf3c

/data/data/among.caution.source/app_DynamicOptDex/oat/mYko.json.cur.prof

MD5 f3ca3ea080f9f7dcdc9a44700408cab6
SHA1 06a94ad15d5a8295957a52b49f09d1fdbaa656d0
SHA256 b9a8a1f86b35d6d39f1dc077374d7a6978588e3c7166e6f0c60c6e8c2d777490
SHA512 3fa3e2fc7537504188af81efa0a91f658bfececae12bf9f98fc0004b3c4890aec079df85c614fa0c3678e224baff6e38014432596aa83593c4df6f7b008893be