Malware Analysis Report

2024-10-19 11:58

Sample ID 240325-d946gsab3x
Target dd270c4680162ff3dc32ef54af37ee5c
SHA256 9767d501e9a5c1f125d568645e42f057884258ceb38d1641a99a219b77dd3ba1
Tags cerberus banker collection evasion infostealer rat stealth trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 9767d501e9a5c1f125d568645e42f057884258ceb38d1641a99a219b77dd3ba1

Threat Level: Known bad

The file dd270c4680162ff3dc32ef54af37ee5c was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection evasion infostealer rat stealth trojan

Cerberus

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Listens for changes in the sensor environment (might be used to detect emulation)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-03-25 03:43

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-25 03:43
Reported 2024-03-25 03:46
Platform android-x86-arm-20240221-en
Max time kernel 64s
Max time network 132s

Command Line

fog.toilet.melt

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/fog.toilet.melt/app_DynamicOptDex/mqLFu.json | N/A | N/A
N/A | /data/user/0/fog.toilet.melt/app_DynamicOptDex/mqLFu.json | N/A | N/A
N/A | /data/user/0/fog.toilet.melt/app_DynamicOptDex/mqLFu.json | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

fog.toilet.melt

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fog.toilet.melt/app_DynamicOptDex/mqLFu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/fog.toilet.melt/app_DynamicOptDex/oat/x86/mqLFu.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | androidservice.cf | udp
US | 1.1.1.1:53 | androidservice.cf | udp
US | 1.1.1.1:53 | androidservice.cf | udp

Files

/data/data/fog.toilet.melt/app_DynamicOptDex/mqLFu.json

MD5 58d259c7678a56678f0ff1be2ef0a647
SHA1 f814936cb6db2a4dee9f50d7a20950ef4e7326ab
SHA256 76965e54aa5a0cf7fe02c97a0c746fd911f5e65c0c3d00e17b5a7ddbe7efbb15
SHA512 f1df76c3e5a21878c5ddc384358b3d18d2ea1750745cbd38e2eb811813ddebde209e84b1a7df29dd702986d0e3a736718b86600f9d063a0979121e8a1c9aaea0

/data/data/fog.toilet.melt/app_DynamicOptDex/mqLFu.json

MD5 7d0dab0b3b9f618aba0162d923bde06e
SHA1 4e1b6a7a5a9b05575118f6a962d201aced5b81f3
SHA256 4e477985a5de3ebaabbe8db381f83cdb4e1bec12906e120fc063d760193cd8f5
SHA512 abeeec718b4ff60826163f0ca8a0de6de460668c4b05c010f9d8332ecf04e355a1e7a16bea720dca6abf2f2bf54e2c30bf028fa97d389ad7d44bb5bbdbf767b3

/data/user/0/fog.toilet.melt/app_DynamicOptDex/mqLFu.json

MD5 80b03db01f8391af87e871b53e2c8a8b
SHA1 53d3243f3f4c14645987544c6cafdd16ea1a4663
SHA256 5f4803055552bd38b4b7d56d051488998ea25aa96f7b8c82259a0664a6e823da
SHA512 2ce412115d1d525442248462ba5c4a27085d2a7a9af0885d532c6091836ea25f82675977873fe350f22d959f8ef08fd1f0ac2fae3701f77fd09fe056bac9b71f

/data/data/fog.toilet.melt/app_DynamicOptDex/oat/mqLFu.json.cur.prof

MD5 ce6f34cc4d8a926c2d6668eb4dc389fd
SHA1 75e1f9503e12e0b5d68e589ff1dc0b1d3f3c5912
SHA256 b1188611fda7650168f6a1563eab476ca1e02b4f9d6c7297af6236d61acbc6b5
SHA512 6cf8a0f39cce46956e025bb84f424fbc1ba1343aada39d5094ca0b9915178b9c162be5779b714ee131047873225bb0cc7f7f7d2f2f8ae57fae5fe6fc342567e9

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-25 03:43
Reported 2024-03-25 03:46
Platform android-x64-20240221-en
Max time kernel 142s
Max time network 153s

Command Line

fog.toilet.melt

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/fog.toilet.melt/app_DynamicOptDex/mqLFu.json | N/A | N/A
N/A | /data/user/0/fog.toilet.melt/app_DynamicOptDex/mqLFu.json | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

fog.toilet.melt

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.204.68:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | androidservice.cf | udp
US | 1.1.1.1:53 | androidservice.cf | udp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.200.2:443 | | tcp

Files

/data/data/fog.toilet.melt/app_DynamicOptDex/mqLFu.json

MD5 58d259c7678a56678f0ff1be2ef0a647
SHA1 f814936cb6db2a4dee9f50d7a20950ef4e7326ab
SHA256 76965e54aa5a0cf7fe02c97a0c746fd911f5e65c0c3d00e17b5a7ddbe7efbb15
SHA512 f1df76c3e5a21878c5ddc384358b3d18d2ea1750745cbd38e2eb811813ddebde209e84b1a7df29dd702986d0e3a736718b86600f9d063a0979121e8a1c9aaea0

/data/user/0/fog.toilet.melt/app_DynamicOptDex/mqLFu.json

MD5 7d0dab0b3b9f618aba0162d923bde06e
SHA1 4e1b6a7a5a9b05575118f6a962d201aced5b81f3
SHA256 4e477985a5de3ebaabbe8db381f83cdb4e1bec12906e120fc063d760193cd8f5
SHA512 abeeec718b4ff60826163f0ca8a0de6de460668c4b05c010f9d8332ecf04e355a1e7a16bea720dca6abf2f2bf54e2c30bf028fa97d389ad7d44bb5bbdbf767b3

/data/data/fog.toilet.melt/app_DynamicOptDex/oat/mqLFu.json.cur.prof

MD5 43ef416d6bea2b4e390ed919619641d0
SHA1 821b748682b80982056adf8b589c9c17101b83b6
SHA256 605dd6430c5bb93245f5d2fee8a1d62e3b4717501dab1f15fd0f75d33b8439e8
SHA512 f75fb9e61b1b258daf2f9b71e04a194824480b9f4c10272d012ffdcb3ec203b7f229a1a81a58272e322c8e391ddafd67f3b6daf940ca1ee44e1b132427c930fb

Analysis: behavioral3

Detonation Overview

Submitted 2024-03-25 03:43
Reported 2024-03-25 03:43
Platform android-x64-arm64-20240221-en
Max time network 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | udp
GB | 142.250.200.14:443 | | udp

Files

N/A