Malware Analysis Report

2024-09-09 19:10

Sample ID 240430-1wwzaaae73
Target 722ae9005608e4f7842025b384533943233d1cd39732b36a2dceb787450e331f.bin
SHA256 722ae9005608e4f7842025b384533943233d1cd39732b36a2dceb787450e331f
Tags
cerberus banker collection credential_access discovery evasion impact infostealer persistence privilege_escalation rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

722ae9005608e4f7842025b384533943233d1cd39732b36a2dceb787450e331f

Threat Level: Known bad

The file 722ae9005608e4f7842025b384533943233d1cd39732b36a2dceb787450e331f.bin was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection credential_access discovery evasion impact infostealer persistence privilege_escalation rat stealth trojan

Cerberus

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Checks CPU information

Tries to add a device administrator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Checks memory information

Obtains sensitive information copied to the device clipboard

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-30 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-30 22:00

Reported

2024-04-30 22:03

Platform

android-x86-arm-20240221-en

Max time kernel

142s

Max time network

149s

Command Line

com.frame.situate

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.frame.situate/app_DynamicOptDex/MqaSuSl.json | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.frame.situate

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.frame.situate/app_DynamicOptDex/MqaSuSl.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.frame.situate/app_DynamicOptDex/oat/x86/MqaSuSl.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.180.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
RU | 149.154.69.61:80 | 149.154.69.61 | tcp

Files

/data/data/com.frame.situate/app_DynamicOptDex/MqaSuSl.json

/data/user/0/com.frame.situate/app_DynamicOptDex/MqaSuSl.json

/data/data/com.frame.situate/app_DynamicOptDex/oat/MqaSuSl.json.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-30 22:00

Reported

2024-04-30 22:03

Platform

android-x64-20240221-en

Max time kernel

127s

Max time network

151s

Command Line

com.frame.situate

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.frame.situate/app_DynamicOptDex/MqaSuSl.json | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.frame.situate

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.195:443 | | tcp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
RU | 149.154.69.61:80 | 149.154.69.61 | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.187.238:443 | | tcp
GB | 172.217.169.34:443 | | tcp

Files

/data/data/com.frame.situate/app_DynamicOptDex/MqaSuSl.json

/data/user/0/com.frame.situate/app_DynamicOptDex/MqaSuSl.json

/data/data/com.frame.situate/app_DynamicOptDex/oat/MqaSuSl.json.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-30 22:00

Reported

2024-04-30 22:04

Platform

android-x64-arm64-20240221-en

Max time kernel

70s

Max time network

131s

Command Line

com.frame.situate

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.frame.situate/app_DynamicOptDex/MqaSuSl.json | N/A | N/A
N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.frame.situate/app_DynamicOptDex/MqaSuSl.json] | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.frame.situate

Network

Country | Destination | Domain | Proto
GB | 142.250.200.46:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.234:443 | | udp
GB | 172.217.169.46:443 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 216.58.212.228:443 | | tcp
RU | 149.154.69.61:80 | 149.154.69.61 | tcp

Files

/data/user/0/com.frame.situate/app_DynamicOptDex/MqaSuSl.json

/data/data/com.frame.situate/app_DynamicOptDex/oat/MqaSuSl.json.cur.prof