Malware Analysis Report

2024-10-19 11:58

Sample ID 240321-mqqy7abb3z
Target db6c6bdda89349f8de2be84ed4373c18
SHA256 bff4c1097f87aac75d64430f93e4df4e4225ab776be31f58080cb58d00325e55
Tags
cerberus banker collection evasion infostealer rat stealth trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

bff4c1097f87aac75d64430f93e4df4e4225ab776be31f58080cb58d00325e55

Threat Level: Known bad

The file db6c6bdda89349f8de2be84ed4373c18 was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection evasion infostealer rat stealth trojan

Cerberus

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 10:40

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
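The static1 indicators above are a manifest-level pattern an analyst can check before detonation. The script below is an added example (it is not the sandbox's signature logic and not code from the sample): it parses a decompiled AndroidManifest.xml, as apktool produces, and reports the dangerous SMS/call/contact permissions, the services and receivers declared with BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN, and the launcher activity that a runtime icon-hiding sample would later disable. The manifest text is constructed to mirror the indicators in this section; the component names in it are invented.

```python
"""Static permission triage for an Android manifest (added example, not sandbox code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # Clark notation ElementTree uses for android:* attributes

# Permissions from the static1 table that together characterise an SMS-stealing banker.
DANGEROUS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
}
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed manifest mirroring the static1 indicators; component names are made up.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="grocery.drink.custom">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _components_bound_with(root, tag, permission):
    """Names of <tag> components whose android:permission is the given bind permission."""
    return sorted(c.get(A + "name") for c in root.iter(tag) if c.get(A + "permission") == permission)


def _launcher_activities(root):
    """Activities with a MAIN/LAUNCHER intent filter (the icon a sample may hide at runtime)."""
    found = []
    for act in root.iter("activity"):
        for flt in act.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            cats = {c.get(A + "name") for c in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                found.append(act.get(A + "name"))
    return found


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    result = {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS),
        "accessibility_services": _components_bound_with(root, "service", BIND_ACCESSIBILITY),
        "device_admin_receivers": _components_bound_with(root, "receiver", BIND_DEVICE_ADMIN),
        "launcher_activities": _launcher_activities(root),
    }
    sms = {p for p in result["dangerous"] if p.endswith("_SMS")}
    # An accessibility service plus SMS access is the core of the overlay-banker
    # pattern; device admin and call/contact access strengthen the case.
    if result["accessibility_services"] and len(sms) >= 2:
        result["verdict"] = "banker-pattern"
    elif result["accessibility_services"] or sms:
        result["verdict"] = "review"
    else:
        result["verdict"] = "no-pattern"
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The launcher activity is reported because the manifest still declares it even when the icon vanishes after first run; the usual way an app removes itself from the launcher is PackageManager.setComponentEnabledSetting on that component, which leaves no trace in the static manifest and only shows up behaviourally.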

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 10:40

Reported

2024-03-21 10:43

Platform

android-x86-arm-20240221-en

Max time kernel

62s

Max time network

132s

Command Line

grocery.drink.custom

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/grocery.drink.custom/app_DynamicOptDex/nS.json | N/A | N/A
N/A | /data/user/0/grocery.drink.custom/app_DynamicOptDex/nS.json | N/A | N/A
N/A | /data/user/0/grocery.drink.custom/app_DynamicOptDex/nS.json | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

grocery.drink.custom

    /system/bin/dex2oat --instruction-set=x86 \
        --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt \
        --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate \
        --boot-image=/system/framework/boot.art \
        --runtime-arg -Xms64m --runtime-arg -Xmx512m \
        --instruction-set-variant=x86 --instruction-set-features=default \
        --inline-max-code-units=0 --compact-dex-level=none \
        --dex-file=/data/user/0/grocery.drink.custom/app_DynamicOptDex/nS.json \
        --output-vdex-fd=41 --oat-fd=42 \
        --oat-location=/data/user/0/grocery.drink.custom/app_DynamicOptDex/oat/x86/nS.odex \
        --compiler-filter=quicken --class-loader-context=&

ART spawns this dex2oat child when the app opens a DEX through a class loader; the --dex-file argument confirms that nS.json, whatever its name says, is DEX bytecode. The app_DynamicOptDex directory is what Context.getDir("DynamicOptDex", ...) creates (getDir prefixes the requested name with "app_"). The trailing --class-loader-context value is incomplete as captured.

Network

Country is the geolocation of the destination IP. Rows to 1.1.1.1:53 are DNS lookups and Domain is the name queried; 224.0.0.251:5353 is mDNS. "-" marks a connection the sandbox did not tie to a name.

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.42:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.178.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | samadeveloper.com | udp

samadeveloper.com is the only non-Google name in this capture and appears only as a DNS query; no connection to a resolved address for it was recorded.
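Most rows in a sandbox network table are the Android image talking to Google on its own, and the indicator an analyst wants is what is left once that is removed. The script below is an added example (not the sandbox's own logic): it parses rows in the "Country Destination Domain Proto" layout used here, whether space- or pipe-separated and with "-" for an unnamed destination, treats resolver rows as DNS lookups whose Domain column is the queried name, counts mDNS rows separately, sets aside Google service domains, and flags names that were looked up but never connected to. PLATFORM_SUFFIXES and RESOLVERS are assumptions to tune for the sandbox image in use; the embedded rows are copied from the behavioral1 table above.

```python
"""Split a sandbox network table into platform noise and sample indicators (added example)."""
import re

# Assumed suffixes the device image contacts on its own; tune per sandbox.
PLATFORM_SUFFIXES = ("googleapis.com", "google.com", "google-analytics.com", "gstatic.com")
RESOLVERS = {"1.1.1.1:53", "8.8.8.8:53"}   # assumed resolver endpoints used by the image
MDNS = "224.0.0.251:5353"

ROW = re.compile(
    r"^(?P<cc>\S+)\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}:\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)

# Rows copied from the behavioral1 table of this report.
BEHAVIORAL1_ROWS = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.169.42:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 samadeveloper.com udp
"""


def is_platform(domain):
    """True for a name equal to or under one of the platform suffixes."""
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)


def parse_row(line):
    """Normalise pipe/space separators; return (dst, domain_or_None, proto) or None."""
    cleaned = " ".join(line.replace("|", " ").split())
    m = ROW.match(cleaned)
    if not m:
        return None
    domain = m.group("domain")
    if domain in ("-", "N/A"):
        domain = None
    return m.group("dst"), domain, m.group("proto")


def triage_network(table_text):
    out = {
        "dns_queries": set(), "suspect_domains": set(), "platform_connections": set(),
        "unresolved_connections": set(), "mdns_rows": 0, "unparsed": [],
    }
    connected = set()
    for line in table_text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):   # skip blanks and the header row
            continue
        parsed = parse_row(line)
        if parsed is None:
            out["unparsed"].append(line)
            continue
        dst, domain, _proto = parsed
        if dst == MDNS:
            out["mdns_rows"] += 1
        elif dst in RESOLVERS:                        # DNS lookup: Domain is the queried name
            if domain:
                out["dns_queries"].add(domain)
                if not is_platform(domain):
                    out["suspect_domains"].add(domain)
        elif domain:                                  # connection the sandbox tied to a name
            connected.add(domain)
            bucket = "platform_connections" if is_platform(domain) else "suspect_domains"
            out[bucket].add(domain)
        else:                                         # bare IP: needs manual attribution
            out["unresolved_connections"].add(dst)
    # A name only looked up may mean failed resolution or a connection outside
    # the capture window; keep it visible rather than dropping it.
    out["queried_not_connected"] = out["suspect_domains"] - connected
    return out


if __name__ == "__main__":
    for key, value in triage_network(BEHAVIORAL1_ROWS).items():
        print(key, sorted(value) if isinstance(value, set) else value)
```

Run against the behavioral1 rows this leaves one suspect name, samadeveloper.com, in queried_not_connected, and one bare destination, 142.250.178.14:443, for manual attribution; the suffix allowlist is deliberately conservative, since anything it hides is lost to the analyst while anything it lets through only costs a look.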

Files

On Android, /data/data/<package> is a symlink to /data/user/0/<package>, so the three nS.json entries below are one payload path recorded at different moments with different contents (three distinct hash sets). nS.json.cur.prof is the ART runtime's JIT profile written for the loaded dex, not a second payload.

/data/data/grocery.drink.custom/app_DynamicOptDex/nS.json

MD5 9c17f35d46b49ef28821db5ed9f41a4c
SHA1 d43410906eacef6a9d378f602a238c3411a31c75
SHA256 b4e8b230848f4e07bc159f33575511b50de296bbfd47ee5ccee4bf2354c04337
SHA512 bf48dfe0c9b85423a84c7c071ea21abe0d724ae39cdc8d20c162d78e3fa58deff71acca16999bc7db87235cb8d4d00b33f72efd924e02dd7eb608a1ecd358786

/data/data/grocery.drink.custom/app_DynamicOptDex/nS.json

MD5 cedc99833d0a80593ee3e2235daa9951
SHA1 cee1736fb56133a6c1ed5b370c9997b2564280b1
SHA256 54aa5e7e026ded064757331ff965f6d3d3d3d7cf206f457df6a9612cbce2d51e
SHA512 5be6771618acc72a6458210b7a00012335bd17814989858bf8f935013623c9ad7b35438f5ecf94f01d74429011f1619c231a79f6101321d3b763876ce1ce5f9e

/data/user/0/grocery.drink.custom/app_DynamicOptDex/nS.json

MD5 dd0411767b7807abe4c2c5244b23eed3
SHA1 db1097bce804d0fef132c89f3bb662572fe77882
SHA256 8f4842d48f92e8605d9719ac79493ae8ab00ff646816ba35602d6a190b3d4577
SHA512 0631389c385cf1d93b1768a482bc093e57b2259bfbb7076d6afa21f9168996a712be01c63a34a0604b7f6c22ee567e91cf46108005f3db5040d2c8f680c22a75

/data/data/grocery.drink.custom/app_DynamicOptDex/oat/nS.json.cur.prof

MD5 0186068481ec78a95920f4f6eef73562
SHA1 58a36785cb1ecf63cfcf9c696ee91a7a9a0fe240
SHA256 d330d92ea2fb4142353d7bcb92e0caec98a7e09c3a5bd0da42584b793659066b
SHA512 8831d7f2c834050d9ebc45955f39c5adcf8288fa2e354cf6b8734f8d585a776926883f79aab59f2e97d2a849dd81531bb983e5850995545ecbef472f5ab4ef21
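The "Loads dropped Dex/Jar" signature and the dex2oat command line both say that nS.json is DEX bytecode wearing a .json name, which is the first thing to confirm when the file is pulled off the device. The helper below is an added example, not part of the report and not code from the sample: it classifies a blob by its leading bytes rather than its extension, validates the DEX header (file_size, header_size, endian tag, the Adler-32 checksum over bytes 12..EOF and the SHA-1 signature over bytes 32..EOF), and produces the hashes an analyst records. The DEX bytes it runs on are constructed inline as a header-only file; no bytes from the sample are reproduced.

```python
"""Magic-byte identification and DEX header validation for a dropped file (added example)."""
import hashlib
import struct
import zlib

DEX_VERSIONS = {b"035", b"037", b"038", b"039"}
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678
# Names that are legitimately used for a given container; anything else is a mismatch.
ACCEPTABLE_EXT = {"zip": {"zip", "jar", "apk"}, "elf": {"so", "oat", "odex", "elf"}}


def build_minimal_dex():
    """Constructed sample: a header-only DEX whose size, checksum and signature are consistent."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", hdr, 0x20, DEX_HEADER_SIZE)      # file_size
    struct.pack_into("<I", hdr, 0x24, DEX_HEADER_SIZE)      # header_size
    struct.pack_into("<I", hdr, 0x28, DEX_ENDIAN_CONSTANT)  # endian_tag
    hdr[12:32] = hashlib.sha1(hdr[32:]).digest()            # signature covers bytes 32..EOF
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)  # checksum covers 12..EOF
    return bytes(hdr)


def classify_blob(data):
    """Return (kind, details) from the leading bytes; the filename is ignored on purpose."""
    if data[:4] == b"dex\n" and data[4:7] in DEX_VERSIONS and data[7:8] == b"\x00":
        if len(data) < DEX_HEADER_SIZE:
            return "dex", {"truncated": True}
        checksum, = struct.unpack_from("<I", data, 8)
        file_size, header_size, endian = struct.unpack_from("<III", data, 0x20)
        return "dex", {
            "version": data[4:7].decode(),
            "file_size_ok": file_size == len(data),
            "header_size_ok": header_size == DEX_HEADER_SIZE,
            "endian_ok": endian == DEX_ENDIAN_CONSTANT,
            "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
            "signature_ok": hashlib.sha1(data[32:]).digest() == data[12:32],
        }
    if data[:4] == b"vdex":
        return "vdex", {}
    if data[:4] == b"\x7fELF":
        return "elf", {}          # ART oat/odex output or a native library
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip", {}          # jar/apk container
    if data.lstrip()[:1] in (b"{", b"["):
        return "json", {}
    return "unknown", {}


def triage_dropped_file(name, data):
    """Classify a dropped file and flag a name that does not match its real container."""
    kind, details = classify_blob(data)
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {
        "name": name,
        "kind": kind,
        "details": details,
        "extension_mismatch": kind != "unknown" and claimed not in ACCEPTABLE_EXT.get(kind, {kind}),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    samples = [                                          # constructed inputs
        ("nS.json", build_minimal_dex()),
        ("config.json", b'{"c2": "example.invalid"}'),
        ("payload.jar", b"PK\x03\x04" + bytes(26)),
    ]
    for name, blob in samples:
        print(triage_dropped_file(name, blob))
```

Two things the checks catch that a hash alone does not: a file that was still encrypted or only partly written when the sandbox snapshotted it fails the magic test even though its path matches, and a DEX with a valid magic but a wrong checksum or signature has been edited after compilation, which is worth noting before handing it to a decompiler.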

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 10:40

Reported

2024-03-21 10:43

Platform

android-x64-20240221-en

Max time kernel

50s

Max time network

151s

Command Line

grocery.drink.custom

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/grocery.drink.custom/app_DynamicOptDex/nS.json | N/A | N/A
N/A | /data/user/0/grocery.drink.custom/app_DynamicOptDex/nS.json | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

grocery.drink.custom

Network

Country is the geolocation of the destination IP. Rows to 1.1.1.1:53 are DNS lookups and Domain is the name queried; 224.0.0.251:5353 is mDNS. "-" marks a connection the sandbox did not tie to a name.

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | samadeveloper.com | udp
GB | 216.58.212.228:443 | - | tcp
GB | 216.58.212.228:443 | - | tcp
GB | 172.217.169.66:443 | - | tcp
GB | 172.217.169.14:443 | - | tcp

As in behavioral1, samadeveloper.com appears only as a DNS query; no connection to an address resolved for it was recorded.

Files

/data/data/grocery.drink.custom/app_DynamicOptDex/nS.json

MD5 9c17f35d46b49ef28821db5ed9f41a4c
SHA1 d43410906eacef6a9d378f602a238c3411a31c75
SHA256 b4e8b230848f4e07bc159f33575511b50de296bbfd47ee5ccee4bf2354c04337
SHA512 bf48dfe0c9b85423a84c7c071ea21abe0d724ae39cdc8d20c162d78e3fa58deff71acca16999bc7db87235cb8d4d00b33f72efd924e02dd7eb608a1ecd358786

/data/data/grocery.drink.custom/app_DynamicOptDex/nS.json

MD5 cedc99833d0a80593ee3e2235daa9951
SHA1 cee1736fb56133a6c1ed5b370c9997b2564280b1
SHA256 54aa5e7e026ded064757331ff965f6d3d3d3d7cf206f457df6a9612cbce2d51e
SHA512 5be6771618acc72a6458210b7a00012335bd17814989858bf8f935013623c9ad7b35438f5ecf94f01d74429011f1619c231a79f6101321d3b763876ce1ce5f9e

/data/data/grocery.drink.custom/app_DynamicOptDex/oat/nS.json.cur.prof

MD5 580263dd10a68785465afca0c27fc01e
SHA1 6eb5a4e551b8e2ea3cd4a2ae3053966da22482e0
SHA256 c14fcd82ea7ab85b716dd5d495e2e6271733fad24e0120f0fbec381a7a3a8d67
SHA512 51270050f72eae4a5cff90c3c1763453a15b45fe1abcb7dda74d49c89e27f08da5276134233b8854821d554cfbb6a075b77fe15e6e60c09315703cb21aad6a91

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-21 10:40

Reported

2024-03-21 10:40

Platform

android-x64-arm64-20240221-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

No sample process was recorded in this run, so the 6 s capture below contains only traffic from the device image itself.

Country | Destination | Domain | Proto
GB | 142.250.200.46:443 | - | tcp
GB | 142.250.200.46:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.179.234:443 | - | udp
GB | 172.217.169.46:443 | - | udp

Files

N/A