Malware Analysis Report

2024-10-19 11:58

Sample ID: 240320-n6cl6sga95
Target: d8c06445e9d07ce80c8a1b135b2f7cbf
SHA256: 2d1370802093457d7bb7b151278ff6fcd2e8944e56d87ffc483422bef2f6d8e2
Tags: cerberus banker collection evasion infostealer rat stealth trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 2d1370802093457d7bb7b151278ff6fcd2e8944e56d87ffc483422bef2f6d8e2
Threat Level: Known bad

The file d8c06445e9d07ce80c8a1b135b2f7cbf was found to be: Known bad.

Malicious Activity Summary

Tags: cerberus banker collection evasion infostealer rat stealth trojan

Cerberus

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

Analysis: static1

Detonation Overview

Reported: 2024-03-20 12:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-20 12:00
Reported: 2024-03-20 12:03
Platform: android-x64-20240221-en
Max time kernel: 42s
Max time network: 145s

Command Line

online.stay.adapt

Signatures

Cerberus

Tags: banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

Tags: collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Removes its main activity from the application launcher

Tags: stealth trojan evasion

Loads dropped Dex/Jar

Tags: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/online.stay.adapt/app_DynamicOptDex/HYpRM.json | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

Tags: evasion

Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

online.stay.adapt

Network

Files

/data/data/online.stay.adapt/app_DynamicOptDex/HYpRM.json

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-20 12:00
Reported: 2024-03-20 12:02
Platform: android-x64-arm64-20240221-en
Max time kernel: 51s
Max time network: 156s

Command Line

online.stay.adapt

Signatures

Cerberus

Tags: banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

Tags: collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

Tags: stealth trojan evasion

Loads dropped Dex/Jar

Tags: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/online.stay.adapt/app_DynamicOptDex/HYpRM.json | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

Tags: evasion

Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

online.stay.adapt

Network

Files

/data/user/0/online.stay.adapt/app_DynamicOptDex/HYpRM.json

/data/user/0/online.stay.adapt/app_DynamicOptDex/oat/HYpRM.json.cur.prof

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-20 12:00
Reported: 2024-03-20 12:02
Platform: android-x86-arm-20240221-en
Max time kernel: 67s
Max time network: 150s

Command Line

online.stay.adapt

Signatures

Cerberus

Tags: banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

Tags: collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

Tags: stealth trojan evasion

Loads dropped Dex/Jar

Tags: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/online.stay.adapt/app_DynamicOptDex/HYpRM.json | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

Tags: evasion

Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

online.stay.adapt

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/online.stay.adapt/app_DynamicOptDex/HYpRM.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/online.stay.adapt/app_DynamicOptDex/oat/x86/HYpRM.odex --compiler-filter=quicken --class-loader-context=&

Network

Files

/data/data/online.stay.adapt/app_DynamicOptDex/HYpRM.json

/data/user/0/online.stay.adapt/app_DynamicOptDex/HYpRM.json

/data/data/online.stay.adapt/app_DynamicOptDex/oat/HYpRM.json.cur.prof