Malware Analysis Report

2025-01-19 05:14

Sample ID 241124-pdwd9ayngv
Target 949a0f0d8d17032e191b2f4abf36ba23_JaffaCakes118
SHA256 2fa121936551e846d3ca6deeb62b75cfcac4de539dc5f655d09ede5b9a31c167
Tags
cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2fa121936551e846d3ca6deeb62b75cfcac4de539dc5f655d09ede5b9a31c167

Threat Level: Known bad

The file 949a0f0d8d17032e191b2f4abf36ba23_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact

Cerberus family

Cerberus

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background).

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-24 12:13

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 12:13

Reported

2024-11-24 12:15

Platform

android-x86-arm-20240624-en

Max time kernel

62s

Max time network

83s

Command Line

exile.miss.okay

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/exile.miss.okay/app_DynamicOptDex/htO.json | N/A | N/A
N/A | /data/user/0/exile.miss.okay/app_DynamicOptDex/htO.json | N/A | N/A
N/A | /data/user/0/exile.miss.okay/app_DynamicOptDex/htO.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

exile.miss.okay

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/exile.miss.okay/app_DynamicOptDex/htO.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/exile.miss.okay/app_DynamicOptDex/oat/x86/htO.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | ratrentalservice.com | udp

Files

/data/data/exile.miss.okay/app_DynamicOptDex/htO.json

MD5 e5b6e2f7fe2eab85a52e5ae31579c622
SHA1 75b2f44f6074463c62bf0259272599a741c94db8
SHA256 85ed42d69a29f6471d5532f3652bcdf9f2c7f8d099a950ab577b5fd54346f9f5
SHA512 cf35955dab8564d50d84087b37c5708b5ac3252e68088246acac82d46bbd345081b11155162d605110afdfe1d8964dfe6008b47f31c8ef934e51a23e9f9f21f8

/data/data/exile.miss.okay/app_DynamicOptDex/htO.json

MD5 87267f86237fa13375e5ce0a52eee3d3
SHA1 cedf551d1d11c5ef24de301b92befec875b70414
SHA256 f323807e7bceb67d4d5f0193f8bc59d8fc8569450c3f25ea7cffb53b9d2c9f62
SHA512 7d550936b75707ba9cfd487f6c7b5d13d92590f06ec5f3fae45d18089b5d16927316675ef7ecb6a3ae186fd39c59fe3c5335701e83c1ed0440d4db978efb5188

/data/user/0/exile.miss.okay/app_DynamicOptDex/htO.json

MD5 eb56c3a137e92fa58c737d6595436ae2
SHA1 3874cea664c0855d12d076fadc49489f203775ff
SHA256 8b9873db7a0117758947c00076e1d38da24fa7ae339256af7e6f50a455813271
SHA512 c4e8cb834faf437cccef7e4047fba08c4c3172d0a2235f9e47db64f9f34bfd240af7666529a22eaaa35c90558b534f2fc5d79053f1926c8c24f30e371fb25c86

/data/data/exile.miss.okay/app_DynamicOptDex/oat/htO.json.cur.prof

MD5 98b93e7ab5c7ce5eab6a727f4256e879
SHA1 bae72a12457770856fe448d3fae9703bebd6f3bd
SHA256 38e464e4d40bb385b2d488e732fe4d94fdf2109e07e47ef8e56557eff175d433
SHA512 0d82620167214a13244c1f941f26dc77ec128a318988fd0fd1800934fa5a18078591362a89b9064e50504ffe7dd613767be555224ccd5db9241a5796933f3392

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-24 12:13

Reported

2024-11-24 12:16

Platform

android-x64-20240624-en

Max time kernel

70s

Max time network

148s

Command Line

exile.miss.okay

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/exile.miss.okay/app_DynamicOptDex/htO.json | N/A | N/A
N/A | /data/user/0/exile.miss.okay/app_DynamicOptDex/htO.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

exile.miss.okay

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
US | 1.1.1.1:53 | ratrentalservice.com | udp

Files

/data/data/exile.miss.okay/app_DynamicOptDex/htO.json

MD5 e5b6e2f7fe2eab85a52e5ae31579c622
SHA1 75b2f44f6074463c62bf0259272599a741c94db8
SHA256 85ed42d69a29f6471d5532f3652bcdf9f2c7f8d099a950ab577b5fd54346f9f5
SHA512 cf35955dab8564d50d84087b37c5708b5ac3252e68088246acac82d46bbd345081b11155162d605110afdfe1d8964dfe6008b47f31c8ef934e51a23e9f9f21f8

/data/data/exile.miss.okay/app_DynamicOptDex/htO.json

MD5 87267f86237fa13375e5ce0a52eee3d3
SHA1 cedf551d1d11c5ef24de301b92befec875b70414
SHA256 f323807e7bceb67d4d5f0193f8bc59d8fc8569450c3f25ea7cffb53b9d2c9f62
SHA512 7d550936b75707ba9cfd487f6c7b5d13d92590f06ec5f3fae45d18089b5d16927316675ef7ecb6a3ae186fd39c59fe3c5335701e83c1ed0440d4db978efb5188

/data/data/exile.miss.okay/app_DynamicOptDex/oat/htO.json.cur.prof

MD5 3596f60c5e0cb0759c551a5812ecdf81
SHA1 e76c2971ece1e5881b17199d8bf66780411e4373
SHA256 99ea029014bdcef608d36e768c57e8aa177f58693421fb4113e611ae0f16ab86
SHA512 cf949a8ea45d8f9c1017f4e21edca3395092f0f2c5bc391f56b5392bd62db2e27e557857652d86f0a9e8d1e0d83198e3168a229f13a749205d8b62719e493fbf

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-24 12:13

Reported

2024-11-24 12:13

Platform

android-x64-arm64-20240624-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files

N/A