Malware Analysis Report

2025-01-19 05:12

Sample ID 241124-13hegayjdm
Target d8ac98b0e282550f88809ae5abb3f20761a69e6494e5e0e43948ebc2bbd03d7d.bin
SHA256 d8ac98b0e282550f88809ae5abb3f20761a69e6494e5e0e43948ebc2bbd03d7d
Tags
cerberus banker collection credential_access discovery evasion impact infostealer rat stealth trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d8ac98b0e282550f88809ae5abb3f20761a69e6494e5e0e43948ebc2bbd03d7d

Threat Level: Known bad

The file d8ac98b0e282550f88809ae5abb3f20761a69e6494e5e0e43948ebc2bbd03d7d.bin was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection credential_access discovery evasion impact infostealer rat stealth trojan persistence

Cerberus

Cerberus family

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Requests dangerous framework permissions

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Requests changing the default SMS application.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-24 22:10

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
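None of the permissions above is malicious on its own; what marks a banker is the combination of SMS control, an overlay window, sideloading and a bound accessibility service or device-admin receiver. The script below is an added triage example (not part of the sandbox report and not code from the sample) that scores a decoded AndroidManifest.xml for exactly that profile. The manifest is constructed to mirror this report's static1 findings; the component names, weights and the "combo" bonus are this example's assumptions.

```python
"""Score a decoded AndroidManifest.xml for the banker permission/component
profile.  Added example; SAMPLE_MANIFEST is constructed (component names are
made up), the weights are assumptions for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS          # ElementTree's notation for namespaced attrs

# Constructed sample mirroring the static1 permissions and bindings above.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.lazy.fresh">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Assumed weights: each item is legitimate alone; the sum is what matters.
PERMISSION_WEIGHTS = {
    "android.permission.SEND_SMS": 2,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_SMS": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 3,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
    "android.permission.CALL_PHONE": 1,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.READ_PHONE_STATE": 1,
}
COMPONENT_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,
    "android.permission.BIND_DEVICE_ADMIN": 3,
}


def extract_profile(manifest_xml: str) -> dict:
    """Collect declared permissions and the system-bind permissions on components."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    bindings = set()
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            binding = comp.get(A + "permission")
            if binding:
                bindings.add(binding)
    return {"package": root.get("package"), "permissions": perms, "bindings": bindings}


def score_profile(profile: dict) -> tuple:
    """Return (score, list of indicators that fired)."""
    score, hits = 0, []
    for name, weight in PERMISSION_WEIGHTS.items():
        if name in profile["permissions"]:
            score += weight
            hits.append(name)
    for name, weight in COMPONENT_WEIGHTS.items():
        if name in profile["bindings"]:
            score += weight
            hits.append(name)
    # SMS send+receive together with an overlay window is the OTP-interception
    # plus phishing-overlay pairing; give the combination an extra bonus.
    sms = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}
    if sms <= profile["permissions"] and \
            "android.permission.SYSTEM_ALERT_WINDOW" in profile["permissions"]:
        score += 3
        hits.append("combo:sms_control+overlay")
    return score, hits


if __name__ == "__main__":
    prof = extract_profile(SAMPLE_MANIFEST)
    total, fired = score_profile(prof)
    print(prof["package"], "score", total)
    for hit in fired:
        print("  ", hit)
```

To run this on a real APK, dump the binary manifest first (for example with apktool or androguard's AXML printer) and feed the decoded XML to extract_profile; the thresholds you act on are a local policy decision, not something the sandbox score implies.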

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-24 22:10

Reported

2024-11-24 22:13

Platform

android-x64-arm64-20240910-en

Max time kernel

54s

Max time network

155s

Command Line

com.lazy.fresh

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
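The two /proc reads above (together with the sensor listener) are the classic "am I in an emulator?" probe: on a stock emulator image /proc/cpuinfo exposes an x86 vendor line, a "hypervisor" CPU flag and a Goldfish/ranchu hardware string, and /proc/meminfo reports far less RAM than a handset. The script below is an added example (not the sample's code and not output from this sandbox) of what such a check can extract; both /proc dumps are constructed stand-ins, and the marker lists and the 2 GiB memory threshold are this example's assumptions.

```python
"""What an emulator check can learn from /proc/cpuinfo and /proc/meminfo.
Added example; the /proc contents below are constructed, not captured from
the sandbox, and the marker lists are assumptions."""

# Constructed: an x86 Android emulator as a malware sample would see it.
EMULATOR_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Intel(R) Core(TM) i7\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce sse sse2 ssse3 hypervisor\n"
    "Hardware\t: Goldfish\n"
)
EMULATOR_MEMINFO = "MemTotal:        1532476 kB\nMemFree:          402112 kB\n"

# Constructed: a physical ARM handset.
PHYSICAL_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: ARMv8 Processor rev 2 (v8l)\n"
    "Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32\n"
    "Hardware\t: Qualcomm Technologies, Inc SM8250\n"
)
PHYSICAL_MEMINFO = "MemTotal:        7843240 kB\nMemFree:         2213244 kB\n"

EMULATOR_HARDWARE = ("goldfish", "ranchu", "vbox", "virtual")   # assumed markers
VM_FLAGS = {"hypervisor"}        # cpuid flag set by hypervisors on x86 guests
MIN_HANDSET_KB = 2 * 1024 * 1024 # heuristic: < 2 GiB is unusual for a modern phone


def parse_proc(text: str) -> dict:
    """Parse 'key : value' lines into {key_lowercased: [values...]}."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def emulator_indicators(cpuinfo: str, meminfo: str, expect_arm: bool = True) -> list:
    """Return the list of reasons the environment looks emulated (empty = clean)."""
    cpu, mem = parse_proc(cpuinfo), parse_proc(meminfo)
    reasons = []
    hardware = " ".join(cpu.get("hardware", [])).lower()
    if any(marker in hardware for marker in EMULATOR_HARDWARE):
        reasons.append("hardware:" + hardware)
    flags = set(" ".join(cpu.get("flags", [])).split())
    if flags & VM_FLAGS:
        reasons.append("cpu_flag:hypervisor")
    if expect_arm and "vendor_id" in cpu:          # x86 vendor line on a "phone"
        reasons.append("x86_vendor:" + cpu["vendor_id"][0])
    total_kb = int(mem.get("memtotal", ["0 kB"])[0].split()[0])
    if total_kb < MIN_HANDSET_KB:
        reasons.append("low_memtotal_kb:%d" % total_kb)
    return reasons


if __name__ == "__main__":
    print("emulator:", emulator_indicators(EMULATOR_CPUINFO, EMULATOR_MEMINFO))
    print("handset :", emulator_indicators(PHYSICAL_CPUINFO, PHYSICAL_MEMINFO))
```

The practical consequence for analysis is the mirror image of the check: a detonation platform whose /proc files look like the constructed emulator dump above can be refused by the sample before it ever reaches its payload, so when a banker reads these files and then stays quiet, re-run it on an image that hides these markers before concluding it is inert.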

Processes

com.lazy.fresh

Network

Country | Destination | Domain | Proto
US | 216.239.38.223:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.200.46:443 | www.youtube.com | udp
GB | 142.250.200.46:443 | www.youtube.com | tcp
GB | 142.250.180.14:443 | www.youtube.com | tcp
GB | 142.250.200.46:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | ashotiksvagonian.ru | udp
GB | 142.250.200.46:443 | www.youtube.com | tcp
GB | 142.250.200.33:443 | | tcp
US | 216.239.38.223:443 | | tcp
GB | 216.58.204.65:443 | | tcp
US | 216.239.38.223:443 | | tcp
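Almost everything in this table is Android platform noise (Google APIs, YouTube, mDNS, the 1.1.1.1 resolver). The one row that matters is the DNS query for ashotiksvagonian.ru, which has no matching TCP row by name in any of the three detonations. The script below is an added triage example (not part of the report) that automates that separation: it transcribes this behavioral3 table as constructed input and flags domains that were resolved but never connected to by name. The benign-suffix list and resolver set are this example's assumptions.

```python
"""Pick candidate C2 indicators out of a sandbox network log.
Added example; ROWS is the behavioral3 Network table from this report as
(country, destination, domain, proto); suffix/resolver lists are assumptions."""

ROWS = [
    ("US", "216.239.38.223:443", "", "tcp"),
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("GB", "142.250.187.238:443", "", "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "142.250.180.14:443", "android.apis.google.com", "tcp"),
    ("US", "1.1.1.1:53", "www.youtube.com", "udp"),
    ("GB", "142.250.200.46:443", "www.youtube.com", "udp"),
    ("GB", "142.250.200.46:443", "www.youtube.com", "tcp"),
    ("GB", "142.250.180.14:443", "www.youtube.com", "tcp"),
    ("GB", "142.250.200.46:443", "www.youtube.com", "tcp"),
    ("US", "1.1.1.1:53", "ashotiksvagonian.ru", "udp"),
    ("GB", "142.250.200.46:443", "www.youtube.com", "tcp"),
    ("GB", "142.250.200.33:443", "", "tcp"),
    ("US", "216.239.38.223:443", "", "tcp"),
    ("GB", "216.58.204.65:443", "", "tcp"),
    ("US", "216.239.38.223:443", "", "tcp"),
]

# Assumed: traffic any Android image on this sandbox produces on its own.
RESOLVERS = {"1.1.1.1:53"}
MDNS = "224.0.0.251:5353"
BENIGN_SUFFIXES = (".google.com", ".googleapis.com", ".youtube.com",
                   ".google-analytics.com")


def is_benign(domain: str) -> bool:
    return domain.endswith(BENIGN_SUFFIXES)


def classify(rows) -> dict:
    """Split the log into platform noise, DNS-only domains (resolved but never
    connected to by name) and peers the capture could not attribute to a name."""
    resolved, connected, unattributed = set(), set(), set()
    for _country, dest, domain, proto in rows:
        if dest == MDNS:
            continue                              # link-local service discovery
        if dest in RESOLVERS and proto == "udp":
            if domain:
                resolved.add(domain)              # a DNS query for this name
        elif domain:
            connected.add(domain)                 # TCP, or QUIC on udp/443, by name
        else:
            unattributed.add(dest)                # no name recorded for this peer
    dns_only = resolved - connected
    return {
        "benign_noise": sorted(d for d in resolved | connected if is_benign(d)),
        "dns_only_suspicious": sorted(d for d in dns_only if not is_benign(d)),
        "unattributed_peers": sorted(unattributed),
    }


if __name__ == "__main__":
    for key, value in classify(ROWS).items():
        print(key, value)
```

A DNS-only hit has two readings that this table cannot distinguish: the name did not resolve (NXDOMAIN, or a sinkhole answer the sample rejected), or it resolved and the connection is one of the unattributed peers the log shows without a name. Check the DNS answer in the pcap before treating the domain as live infrastructure; either way it is the only indicator on this page worth blocking.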

Files

/data/user/0/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json

MD5 87b69827daefd5bd37b9eace4c620419
SHA1 e55e61cd510777b0bbd44b19af3bd57942d78c8e
SHA256 9d5937a0da57cb970cf7cfb91d1eb37d6216af69a974397a5eb23ca57d3bdc8a
SHA512 3e27fa3b2de91764753b7dda574f279a43f43cc698dcd972ef2132c62fcf279a48ea50ed808bfcb6354fbc0a8ec32f159a0a86456cb15810d543a0e4fcad8a3d

/data/user/0/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json

MD5 5d3fafac3212f77cfcea3aec07c523e4
SHA1 2813e8453deafd8df9efc2ad5166fc78c374b58a
SHA256 14978ecdc1c13f7e39ae3f69d93328be5e6a4f357662a139fcb8bca6ad58c718
SHA512 e93cb7cf5c8571888c1669acc599a69d455d5b327e8d9ef0b5473d1a35ddd38c250400bf3a27a9e2989971bd946c4fd08d788c5e25a6f3a3c9551f0ed477ec73

/data/user/0/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json

MD5 59176bb00f9315c721bc573c89b0ef8d
SHA1 0fe6fd13ba98b0cc782c9a40ae1f3315bc793104
SHA256 4476c4835080feedf92444c38b21e8d19496c3fbe6f46fbc3008b33d4d72686b
SHA512 84d7fdb3523bd6c850c8653676fd20e0bdf396fb7134d3118665d84783dd5b6ce2116866957751373424b8ed01ac6e87a1b5b696680ca51434f3ec455b5f67e0

/data/user/0/com.lazy.fresh/app_DynamicOptDex/oat/WeSrRWF.json.cur.prof

MD5 f75acc44a42eae000945274d490f6f73
SHA1 c8832857b7488ba6741a35cb25202c729945a384
SHA256 0aab6465b235cb004ccb07c96c11de0329061bdbc15826815f46e3f378b479d3
SHA512 f8ae32bb100f99ad134e00e11fd931171ad22a7c99249deda81db38a5b5d1d53b06e42d44758c307204e8144ad66e7257b2714c9922a61f28763599ac8328e59

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 22:10

Reported

2024-11-24 22:13

Platform

android-x86-arm-20240624-en

Max time kernel

66s

Max time network

131s

Command Line

com.lazy.fresh

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json | N/A | N/A
N/A | /data/user/0/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Note: despite the signature name, getNetworkCountryIsoForPhone returns the ISO 3166-1 alpha-2 code of the registered network's country (for example "gb"), not the numeric MCC. A common reason for a banker to read this value is geofencing: refusing to run, or choosing a target list, based on the victim's country.

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.lazy.fresh

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.lazy.fresh/app_DynamicOptDex/oat/x86/WeSrRWF.odex --compiler-filter=quicken --class-loader-context=&
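The dex2oat invocation above (as captured, the line is cut off after --class-loader-context=) is the giveaway for the "Loads dropped Dex/Jar" signature: ART is compiling /data/user/0/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json as a DEX file, so the .json name is cosmetic. The Files tables also record that same path three times with three different hash sets in every detonation, meaning the file is rewritten during execution (for example, decrypted or replaced in stages) before it is loaded; the .cur.prof under oat/ is ART's runtime profile for that DEX. The script below is an added example (not the sample's code and not tooling from the sandbox) that identifies such a drop by magic bytes rather than by extension and counts how many distinct versions of a path a report recorded. The byte strings are constructed stand-ins, since the real WeSrRWF.json content is not on this page; the path/SHA256 pairs are copied from the behavioral3 Files table.

```python
"""Identify a dropped file by magic bytes and count rewrites of the same path.
Added example; FAKE_JSON_DEX and REAL_JSON are constructed, BEHAVIORAL3_FILES
copies path/SHA256 pairs from this report's behavioral3 Files table."""
import hashlib
from collections import defaultdict

MAGICS = [
    (b"dex\n", "dex"),          # header is "dex\n" + 3-digit version + NUL
    (b"dey\n", "odex"),
    (b"oat\n", "oat"),
    (b"PK\x03\x04", "zip"),     # jar/apk: a zip that may carry classes.dex
    (b"\x7fELF", "elf"),
]


def identify(data: bytes) -> str:
    """Classify content by magic bytes; the file name is ignored on purpose."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    if data.lstrip()[:1] in (b"{", b"["):
        return "json-text"
    return "unknown"


def dex_version(data: bytes):
    """Return the DEX format version ('035', '037', ...) or None if not a DEX."""
    if data[:4] != b"dex\n" or data[7:8] != b"\x00":
        return None
    return data[4:7].decode("ascii")


def digests(data: bytes) -> dict:
    """The same four digests the report lists per file."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def triage(path: str, data: bytes) -> dict:
    kind = identify(data)
    return {
        "path": path,
        "kind": kind,
        "dex_version": dex_version(data),
        # executable content under an innocuous extension is the tell
        "extension_mismatch": path.endswith(".json") and kind != "json-text",
        **digests(data),
    }


def distinct_versions(files) -> dict:
    """Map path -> number of distinct SHA256 values a report recorded for it."""
    seen = defaultdict(set)
    for path, sha256 in files:
        seen[path].add(sha256)
    return {path: len(hashes) for path, hashes in seen.items()}


# Constructed samples (not the real dropped file).
FAKE_JSON_DEX = b"dex\n035\x00" + bytes(range(120))
REAL_JSON = b'{"config": 1}\n'

# From the behavioral3 Files table on this page.
DEX_PATH = "/data/user/0/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json"
PROF_PATH = "/data/user/0/com.lazy.fresh/app_DynamicOptDex/oat/WeSrRWF.json.cur.prof"
BEHAVIORAL3_FILES = [
    (DEX_PATH, "9d5937a0da57cb970cf7cfb91d1eb37d6216af69a974397a5eb23ca57d3bdc8a"),
    (DEX_PATH, "14978ecdc1c13f7e39ae3f69d93328be5e6a4f357662a139fcb8bca6ad58c718"),
    (DEX_PATH, "4476c4835080feedf92444c38b21e8d19496c3fbe6f46fbc3008b33d4d72686b"),
    (PROF_PATH, "0aab6465b235cb004ccb07c96c11de0329061bdbc15826815f46e3f378b479d3"),
]

if __name__ == "__main__":
    print(triage(DEX_PATH, FAKE_JSON_DEX))
    print(distinct_versions(BEHAVIORAL3_FILES))
```

When pulling the payload out of a live detonation, grab every version of the path, not just the last: the earlier writes are often the encrypted or partially decoded stages, and the one that dex2oat consumed is whichever was on disk at the time of that command line.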

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ashotiksvagonian.ru | udp

Files

/data/data/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json

MD5 87b69827daefd5bd37b9eace4c620419
SHA1 e55e61cd510777b0bbd44b19af3bd57942d78c8e
SHA256 9d5937a0da57cb970cf7cfb91d1eb37d6216af69a974397a5eb23ca57d3bdc8a
SHA512 3e27fa3b2de91764753b7dda574f279a43f43cc698dcd972ef2132c62fcf279a48ea50ed808bfcb6354fbc0a8ec32f159a0a86456cb15810d543a0e4fcad8a3d

/data/data/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json

MD5 5d3fafac3212f77cfcea3aec07c523e4
SHA1 2813e8453deafd8df9efc2ad5166fc78c374b58a
SHA256 14978ecdc1c13f7e39ae3f69d93328be5e6a4f357662a139fcb8bca6ad58c718
SHA512 e93cb7cf5c8571888c1669acc599a69d455d5b327e8d9ef0b5473d1a35ddd38c250400bf3a27a9e2989971bd946c4fd08d788c5e25a6f3a3c9551f0ed477ec73

/data/user/0/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json

MD5 59176bb00f9315c721bc573c89b0ef8d
SHA1 0fe6fd13ba98b0cc782c9a40ae1f3315bc793104
SHA256 4476c4835080feedf92444c38b21e8d19496c3fbe6f46fbc3008b33d4d72686b
SHA512 84d7fdb3523bd6c850c8653676fd20e0bdf396fb7134d3118665d84783dd5b6ce2116866957751373424b8ed01ac6e87a1b5b696680ca51434f3ec455b5f67e0

/data/user/0/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json

MD5 239e52804832bf9f9d8b830bc2fe2f83
SHA1 08122f1e0c88e29561d99ac657169df9b30b2211
SHA256 19f662f542f0f0b0a68dc8ca119ac73327506aeef30d159d93f41557aab558dc
SHA512 4cd6f0a911114be53b9efc38c4a8116ad100014cffeda95ab74867728f21583efd2719aa219fd55d103616a31d05936ac45496182ca96c051e2cbf4da7b39660

/data/data/com.lazy.fresh/app_DynamicOptDex/oat/WeSrRWF.json.cur.prof

MD5 039e78b4c19150305025b8ad739b977c
SHA1 2fb14b0660222f2c2dc2d03c0f97a75bd233aef0
SHA256 4b24904eb70392647d89c4734d5d2c785d1ad3500442316e4b4227d8f6f2e5d5
SHA512 7ef294fa43d0ca94a57bdf2233f852e18ef2b12e2ca8211ae3e609f0d3e0d3c785d4edc2840bec59e0f6d9e494afb200fc5875a9fb18109c1304d44f90124099

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-24 22:10

Reported

2024-11-24 22:13

Platform

android-x64-20240624-en

Max time kernel

73s

Max time network

156s

Command Line

com.lazy.fresh

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Note: as in behavioral1, this call returns the ISO 3166-1 alpha-2 country code of the registered network rather than the numeric MCC; the signature name is approximate. The typical use in a banker is geofencing by victim country.

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.lazy.fresh

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
US | 1.1.1.1:53 | ashotiksvagonian.ru | udp
GB | 216.58.213.10:443 | | tcp

Files

/data/data/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json

MD5 87b69827daefd5bd37b9eace4c620419
SHA1 e55e61cd510777b0bbd44b19af3bd57942d78c8e
SHA256 9d5937a0da57cb970cf7cfb91d1eb37d6216af69a974397a5eb23ca57d3bdc8a
SHA512 3e27fa3b2de91764753b7dda574f279a43f43cc698dcd972ef2132c62fcf279a48ea50ed808bfcb6354fbc0a8ec32f159a0a86456cb15810d543a0e4fcad8a3d

/data/data/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json

MD5 5d3fafac3212f77cfcea3aec07c523e4
SHA1 2813e8453deafd8df9efc2ad5166fc78c374b58a
SHA256 14978ecdc1c13f7e39ae3f69d93328be5e6a4f357662a139fcb8bca6ad58c718
SHA512 e93cb7cf5c8571888c1669acc599a69d455d5b327e8d9ef0b5473d1a35ddd38c250400bf3a27a9e2989971bd946c4fd08d788c5e25a6f3a3c9551f0ed477ec73

/data/user/0/com.lazy.fresh/app_DynamicOptDex/WeSrRWF.json

MD5 59176bb00f9315c721bc573c89b0ef8d
SHA1 0fe6fd13ba98b0cc782c9a40ae1f3315bc793104
SHA256 4476c4835080feedf92444c38b21e8d19496c3fbe6f46fbc3008b33d4d72686b
SHA512 84d7fdb3523bd6c850c8653676fd20e0bdf396fb7134d3118665d84783dd5b6ce2116866957751373424b8ed01ac6e87a1b5b696680ca51434f3ec455b5f67e0

/data/data/com.lazy.fresh/app_DynamicOptDex/oat/WeSrRWF.json.cur.prof

MD5 a8cadf6e2fbfb70279eadbe8a6e165f5
SHA1 b385eabc24ca3cb43eea8ed9403f6243fa09b31c
SHA256 56281c913c029ce5a5f1bfdf4a15c09e74b05d2e2b789e5f5d7b561092ad6207
SHA512 606524c141a8fa932e78d75893cc1a9157d47004dfbfcd09990e1209f62a00814547d18919bc493a7402d15acca2b6c930391251eb4e8c4b10e9ce8339fe8ed8