Malware Analysis Report

2025-01-19 05:14

Sample ID: 241125-13e94sypb1
Target: 976f40c9a267ab9f9a29fbc0b01ba9f70872ffec22c632bb76c79a64e77c0f7d.bin
SHA256: 976f40c9a267ab9f9a29fbc0b01ba9f70872ffec22c632bb76c79a64e77c0f7d
Tags: cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 976f40c9a267ab9f9a29fbc0b01ba9f70872ffec22c632bb76c79a64e77c0f7d

Threat Level: Known bad

The file 976f40c9a267ab9f9a29fbc0b01ba9f70872ffec22c632bb76c79a64e77c0f7d.bin was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Cerberus

Cerberus family

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Requests changing the default SMS application.

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-25 22:10

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
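The static signatures above are a flat list of declared permissions; what makes them a banker profile is the combination: an overlay window permission, a component protected by BIND_ACCESSIBILITY_SERVICE, and SMS read/receive/send together. The following is an added triage script, not sandbox output or code from the sample. It assumes the manifest has already been decoded to text (as apktool or a similar tool produces); the embedded manifest is constructed from the permissions in the static1 table and the package name com.vague.gaze seen in the behavioural runs, and the component class names in it (.AccService, .AdminReceiver) are hypothetical.

```python
"""Flag banker-style permission combinations in a decoded AndroidManifest.xml.

Added example for this report, not sandbox output or code from the sample. It
assumes the manifest has already been decoded to text (as apktool produces).
The embedded manifest is constructed from the permissions the static signatures
list and the package name seen in the behavioural runs; the component class
names in it are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Requested permissions the report flags, mapped to the capability they give.
DANGEROUS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "telephony",
    "android.permission.CALL_PHONE": "telephony",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
}

# Permissions a component is *protected by* when it offers a system-bound
# service: an accessibility service or a device-admin receiver.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}


def analyse_manifest(xml_text: str) -> dict:
    """Return requested permissions, system-bound components and a banker verdict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(ANDROID_NS + "permission")
            if perm in BIND_PERMS:
                bound.setdefault(BIND_PERMS[perm], []).append(comp.get(ANDROID_NS + "name"))
    capabilities = {DANGEROUS[p] for p in requested if p in DANGEROUS} | set(bound)
    # Overlay windows + an accessibility service + SMS access is the classic
    # Android banker triad: overlay phishing, UI automation, OTP interception.
    return {
        "package": root.get("package"),
        "requested": sorted(p for p in requested if p),
        "bound_components": bound,
        "capabilities": sorted(capabilities),
        "banker_triad": {"overlay", "accessibility_service", "sms"} <= capabilities,
    }


# Constructed from the static1 signature table; not the sample's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.vague.gaze">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <!-- hypothetical component names; the protecting permissions are from the report -->
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    verdict = analyse_manifest(SAMPLE_MANIFEST)
    print(verdict["package"], "banker triad:", verdict["banker_triad"])
    for cap in verdict["capabilities"]:
        print(" ", cap)
```

The check keys on protecting permissions rather than on class names because the class names are what a repacked build changes between samples; the android:permission attribute on the service or receiver has to stay fixed for the system to bind to it.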

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-25 22:10
Reported: 2024-11-25 22:12
Platform: android-x64-20240910-en
Max time kernel: 29s
Max time network: 152s

Command Line

com.vague.gaze

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.vague.gaze/app_DynamicOptDex/kjGtB.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.vague.gaze

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.10:443 | | tcp
GB | 216.58.201.110:443 | | tcp
GB | 216.58.201.110:443 | | tcp
GB | 216.58.201.110:443 | | tcp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp

Files

/data/data/com.vague.gaze/app_DynamicOptDex/kjGtB.json

MD5 ee115fb6efa6e757ea62fd350397ebad
SHA1 3ab82d86e31462de41f57ae98471e5b86497f7d3
SHA256 21f92438f84d55182b6b9fa9e6099a0c549fc8e58b2cc8e98062c7886035493a
SHA512 2b5e4a5a1198141b5cad4d4e42bf39a6ab4adc4c0033a2f217eded23743b9475b8374d2146b5615d4311f5f8de5dc1c4ad5a74f9b4670c15b7fed372c83bb1a9

/data/data/com.vague.gaze/app_DynamicOptDex/kjGtB.json

MD5 a957f2b174730293a07bb9c5fc35ac6f
SHA1 af06d7821a292d97634b878f25c9362ef1b690ee
SHA256 cb54b6dd353358ea45ac80460f47af95c42726326fef176cd5bad164766c0a4e
SHA512 270adc4ab2ae3779fa13e2b153dc7032fc10a0b6124b0f50f5af8f7a4f5dd5d417b6fee54586d80edfc6d0fe7db5a762594c50a56b80a5c535c915e9c7da0904

/data/user/0/com.vague.gaze/app_DynamicOptDex/kjGtB.json

MD5 fbfec32963eec74794d898179aee8b56
SHA1 cc98bdf6e6fc12d7fb8ec6caf36d7b0cb35f7ca6
SHA256 d15f4935437ed4422d98c2c68a1d352a781300349596adba217d9b2b94e2eca9
SHA512 f846a87654034a0e00044859e354598e244d4d52c0af1bc9240b143c566919c0aa108baaeb9bf24e8c030f973b1202c417e82d72db7b0b045ba2371fdc5c1bfe

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-25 22:10
Reported: 2024-11-25 22:12
Platform: android-x64-arm64-20240910-en
Max time kernel: 40s
Max time network: 152s

Command Line

com.vague.gaze

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.vague.gaze/app_DynamicOptDex/kjGtB.json | N/A | N/A
N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.vague.gaze/app_DynamicOptDex/kjGtB.json] | N/A | N/A
N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.vague.gaze/app_DynamicOptDex/kjGtB.json] | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.vague.gaze

Network

Country | Destination | Domain | Proto
US | 216.239.36.223:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.200.46:443 | www.youtube.com | tcp
GB | 216.58.201.110:443 | www.youtube.com | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
GB | 142.250.187.225:443 | | tcp
GB | 142.250.179.225:443 | | tcp
US | 216.239.32.223:443 | | tcp
US | 216.239.32.223:443 | | tcp

Files

/data/user/0/com.vague.gaze/app_DynamicOptDex/kjGtB.json

MD5 ee115fb6efa6e757ea62fd350397ebad
SHA1 3ab82d86e31462de41f57ae98471e5b86497f7d3
SHA256 21f92438f84d55182b6b9fa9e6099a0c549fc8e58b2cc8e98062c7886035493a
SHA512 2b5e4a5a1198141b5cad4d4e42bf39a6ab4adc4c0033a2f217eded23743b9475b8374d2146b5615d4311f5f8de5dc1c4ad5a74f9b4670c15b7fed372c83bb1a9

/data/user/0/com.vague.gaze/app_DynamicOptDex/kjGtB.json

MD5 a957f2b174730293a07bb9c5fc35ac6f
SHA1 af06d7821a292d97634b878f25c9362ef1b690ee
SHA256 cb54b6dd353358ea45ac80460f47af95c42726326fef176cd5bad164766c0a4e
SHA512 270adc4ab2ae3779fa13e2b153dc7032fc10a0b6124b0f50f5af8f7a4f5dd5d417b6fee54586d80edfc6d0fe7db5a762594c50a56b80a5c535c915e9c7da0904

/data/user/0/com.vague.gaze/app_DynamicOptDex/kjGtB.json

MD5 fbfec32963eec74794d898179aee8b56
SHA1 cc98bdf6e6fc12d7fb8ec6caf36d7b0cb35f7ca6
SHA256 d15f4935437ed4422d98c2c68a1d352a781300349596adba217d9b2b94e2eca9
SHA512 f846a87654034a0e00044859e354598e244d4d52c0af1bc9240b143c566919c0aa108baaeb9bf24e8c030f973b1202c417e82d72db7b0b045ba2371fdc5c1bfe

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-25 22:10
Reported: 2024-11-25 22:13
Platform: android-x86-arm-20240624-en
Max time kernel: 73s
Max time network: 148s

Command Line

com.vague.gaze

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.vague.gaze/app_DynamicOptDex/kjGtB.json | N/A | N/A
N/A | /data/user/0/com.vague.gaze/app_DynamicOptDex/kjGtB.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.vague.gaze

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.vague.gaze/app_DynamicOptDex/kjGtB.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.vague.gaze/app_DynamicOptDex/oat/x86/kjGtB.odex --compiler-filter=quicken --class-loader-context=&
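The dex2oat command line above is the clearest evidence for the "Loads dropped Dex/Jar" signature: the runtime compiles app_DynamicOptDex/kjGtB.json with --dex-file, so the .json extension is a disguise and the file is DEX bytecode. The Files sections also list that same path with several different hash sets within a single run, so the file is rewritten in place and each hash set is a distinct artifact. When pulling such a file out of a device or sandbox image, classify it by its leading bytes and validate the DEX header rather than trusting the name. The script below is an added example, not sandbox code; the on-disk sample is not reproduced here, and build_fake_dex() constructs a header-only DEX so the checks run offline.

```python
"""Tell a DEX payload disguised as .json from real JSON, and validate its header.

Added example for this report, not sandbox code. The dex2oat command line above
compiles app_DynamicOptDex/kjGtB.json as a DEX file, so the extension is
meaningless; classify by leading bytes instead. The on-disk sample is not
reproduced here: build_fake_dex() constructs a header-only DEX so the checks
run offline.
"""
import hashlib
import json
import os
import struct
import zlib

DEX_MAGICS = {b"dex\n" + v + b"\0" for v in (b"035", b"036", b"037", b"038", b"039")}
DEX_HEADER_SIZE = 0x70
EXT_KIND = {".json": "json", ".dex": "dex", ".jar": "zip", ".apk": "zip", ".zip": "zip"}


def classify(data: bytes) -> str:
    """Classify a blob by its leading bytes, never by its file name."""
    if data[:8] in DEX_MAGICS:
        return "dex"
    if data[:2] == b"PK":               # zip container: jar / apk
        return "zip"
    try:
        json.loads(data.decode("utf-8"))
        return "json"
    except ValueError:                  # UnicodeDecodeError is a ValueError too
        return "unknown"


def check_dex_header(data: bytes) -> dict:
    """Validate the fixed DEX header fields.

    Per the DEX format: the adler32 checksum at offset 8 covers offset 12 to EOF,
    the 20-byte SHA-1 signature at offset 12 covers offset 32 to EOF, and
    file_size / header_size sit at offsets 32 and 36.
    """
    if len(data) < DEX_HEADER_SIZE or data[:8] not in DEX_MAGICS:
        return {"is_dex": False}
    (checksum,) = struct.unpack_from("<I", data, 8)
    file_size, header_size = struct.unpack_from("<II", data, 32)
    return {
        "is_dex": True,
        "version": data[4:7].decode(),
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(data[32:]).digest() == data[12:32],
        "file_size_ok": file_size == len(data),
        "header_size_ok": header_size == DEX_HEADER_SIZE,
    }


def inspect_dropped_file(name: str, data: bytes) -> dict:
    """Combine classification, extension mismatch and hashes for one dropped file."""
    kind = classify(data)
    expected = EXT_KIND.get(os.path.splitext(name)[1].lower())
    return {
        "name": name,
        "kind": kind,
        "extension_mismatch": expected is not None and expected != kind,
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "dex": check_dex_header(data) if kind == "dex" else None,
    }


def build_fake_dex(version: bytes = b"035") -> bytes:
    """Constructed test data: a header-only DEX with a consistent checksum and signature."""
    buf = bytearray(DEX_HEADER_SIZE)
    buf[0:8] = b"dex\n" + version + b"\0"
    struct.pack_into("<II", buf, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE)   # file_size, header_size
    struct.pack_into("<I", buf, 40, 0x12345678)                            # endian_tag
    buf[12:32] = hashlib.sha1(bytes(buf[32:])).digest()
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)
    return bytes(buf)


if __name__ == "__main__":
    for fname, blob in (("kjGtB.json", build_fake_dex()), ("config.json", b'{"a": 1}')):
        result = inspect_dropped_file(fname, blob)
        print(fname, result["kind"], "mismatch" if result["extension_mismatch"] else "ok", result["dex"])
```

A payload whose header checksum or signature does not verify is still worth keeping: some packers write the DEX to disk with those fields zeroed and let the loader accept it, so a failed check is a packing indicator, not a reason to discard the file.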

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
RU | 94.250.253.26:80 | | tcp
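Across the three behavioural runs the network tables mix Android platform traffic (mDNS, DNS via 1.1.1.1, TLS to hostnames under google.com, googleapis.com, youtube.com and google-analytics.com) with one destination that stands out: 94.250.253.26 on TCP port 80, contacted 6, 12 and 6 times respectively, with no DNS resolution recorded for it in any run. That pattern (raw IP, port 80, repeated in every detonation) is what a triage script should surface. The following is an added example, not part of the sandbox report; the rows are transcribed from the three Network tables above, hostnames the sandbox itself resolved are treated as platform noise, and an IP seen with such a hostname in any run is attributed as platform everywhere. The output is a ranking for a human to pivot on, not a verdict that the top entry is C2.

```python
"""Separate platform noise from candidate C2 traffic in sandbox network rows.

Added example, not part of the sandbox report. The rows are transcribed from the
three behavioural runs (Country Destination Domain Proto; domain blank where the
sandbox recorded none). Hostnames the sandbox itself resolved are treated as
platform noise; an IP that appeared with such a hostname in any run is
attributed everywhere. Whatever remains is ranked, not declared malicious.
"""
from collections import defaultdict

PLATFORM_SUFFIXES = ("google.com", "googleapis.com", "youtube.com", "google-analytics.com")
RU_PORT80 = "RU 94.250.253.26:80 tcp"

# Transcribed from the report's Network tables; repeated rows are multiplied.
RUNS = {
    "behavioral2": [
        "N/A 224.0.0.251:5353 udp",
        "GB 142.250.180.10:443 tcp",
        *["GB 216.58.201.110:443 tcp"] * 4,
        "US 1.1.1.1:53 android.apis.google.com udp",
        *["GB 142.250.200.14:443 android.apis.google.com tcp"] * 2,
        *["US 1.1.1.1:53 ssl.google-analytics.com udp"] * 2,
        "GB 216.58.201.104:443 ssl.google-analytics.com tcp",
        *[RU_PORT80] * 6,
    ],
    "behavioral3": [
        "US 216.239.36.223:443 tcp",
        "N/A 224.0.0.251:5353 udp",
        "GB 172.217.169.14:443 tcp",
        "US 1.1.1.1:53 android.apis.google.com udp",
        "GB 142.250.200.46:443 android.apis.google.com tcp",
        "US 1.1.1.1:53 www.youtube.com udp",
        "GB 142.250.200.46:443 www.youtube.com tcp",
        "GB 216.58.201.110:443 www.youtube.com tcp",
        *[RU_PORT80] * 12,
        "GB 142.250.187.225:443 tcp",
        "GB 142.250.179.225:443 tcp",
        *["US 216.239.32.223:443 tcp"] * 2,
    ],
    "behavioral1": [
        "N/A 224.0.0.251:5353 udp",
        "US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp",
        "GB 142.250.187.206:443 tcp",
        "US 1.1.1.1:53 android.apis.google.com udp",
        "GB 142.250.200.14:443 android.apis.google.com tcp",
        *[RU_PORT80] * 6,
    ],
}


def parse_row(line: str) -> dict:
    """Parse 'Country host:port [domain] proto'; the domain column may be absent."""
    parts = line.split()
    country, dest, proto = parts[0], parts[1], parts[-1]
    domain = parts[2] if len(parts) == 4 else ""
    host, port = dest.rsplit(":", 1)
    return {"country": country, "host": host, "port": int(port), "domain": domain, "proto": proto}


def classify_row(row: dict, platform_ips: set) -> str:
    if row["port"] == 53:
        return "dns"
    if row["host"] == "224.0.0.251" and row["port"] == 5353:
        return "mdns"
    if row["domain"].endswith(PLATFORM_SUFFIXES) or row["host"] in platform_ips:
        return "platform"
    return "named" if row["domain"] else "unattributed"


def rank_candidates(runs: dict) -> list:
    """Rank unattributed destinations: +1 per run seen, +1 for port 80, +1 for TCP."""
    rows_by_run = {name: [parse_row(line) for line in lines] for name, lines in runs.items()}
    platform_ips = {r["host"] for rows in rows_by_run.values() for r in rows
                    if r["domain"].endswith(PLATFORM_SUFFIXES) and r["port"] != 53}
    seen = defaultdict(lambda: {"runs": set(), "hits": 0})
    for name, rows in rows_by_run.items():
        for r in rows:
            if classify_row(r, platform_ips) != "unattributed":
                continue
            entry = seen[f'{r["host"]}:{r["port"]}']
            entry["runs"].add(name)
            entry["hits"] += 1
            entry.update(port=r["port"], proto=r["proto"], country=r["country"])
    ranked = []
    for dest, e in seen.items():
        score = len(e["runs"]) + (e["port"] == 80) + (e["proto"] == "tcp")
        ranked.append({"dest": dest, "score": score, "hits": e["hits"],
                       "runs": sorted(e["runs"]), "country": e["country"]})
    ranked.sort(key=lambda c: (c["score"], c["hits"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for c in rank_candidates(RUNS):
        print(f'{c["score"]:>2} {c["hits"]:>3} {c["country"]:<3} {c["dest"]:<22} runs={",".join(c["runs"])}')
```

The TLS destinations that remain unattributed after this pass (443/tcp to addresses the sandbox never resolved) are the ones to look up by hand; the script deliberately does not guess their ownership from address ranges, since nothing on the page attributes them.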

Files

/data/data/com.vague.gaze/app_DynamicOptDex/kjGtB.json

MD5 ee115fb6efa6e757ea62fd350397ebad
SHA1 3ab82d86e31462de41f57ae98471e5b86497f7d3
SHA256 21f92438f84d55182b6b9fa9e6099a0c549fc8e58b2cc8e98062c7886035493a
SHA512 2b5e4a5a1198141b5cad4d4e42bf39a6ab4adc4c0033a2f217eded23743b9475b8374d2146b5615d4311f5f8de5dc1c4ad5a74f9b4670c15b7fed372c83bb1a9

/data/data/com.vague.gaze/app_DynamicOptDex/kjGtB.json

MD5 a957f2b174730293a07bb9c5fc35ac6f
SHA1 af06d7821a292d97634b878f25c9362ef1b690ee
SHA256 cb54b6dd353358ea45ac80460f47af95c42726326fef176cd5bad164766c0a4e
SHA512 270adc4ab2ae3779fa13e2b153dc7032fc10a0b6124b0f50f5af8f7a4f5dd5d417b6fee54586d80edfc6d0fe7db5a762594c50a56b80a5c535c915e9c7da0904

/data/user/0/com.vague.gaze/app_DynamicOptDex/kjGtB.json

MD5 fbfec32963eec74794d898179aee8b56
SHA1 cc98bdf6e6fc12d7fb8ec6caf36d7b0cb35f7ca6
SHA256 d15f4935437ed4422d98c2c68a1d352a781300349596adba217d9b2b94e2eca9
SHA512 f846a87654034a0e00044859e354598e244d4d52c0af1bc9240b143c566919c0aa108baaeb9bf24e8c030f973b1202c417e82d72db7b0b045ba2371fdc5c1bfe

/data/user/0/com.vague.gaze/app_DynamicOptDex/kjGtB.json

MD5 9dfa580aa93694ae97b83ecb5cfa9ff5
SHA1 b17c51cbd1dad8b069e2ac3adab7fccfd6bd624f
SHA256 caaa953fc8d5eb5d2cbac6e280ed76c7e3ddaa2f0f4eb2ed5e7d58b7b7015ddf
SHA512 22c51103d9bdf7997ccb6557c92613f431b9c643a1825d4264fd4767a0f1f8e66b8f2719ccbcda1bf5aae2c9448729212e722b6d9091a4f1c7eb6cb6bdb034fb

/data/data/com.vague.gaze/app_DynamicOptDex/oat/kjGtB.json.cur.prof

MD5 c4bd4478c7386c228c0a654e5aa9ef99
SHA1 ced7570abf080ec40188f6d0066da79c5e9c6e9d
SHA256 31a4f703b4faab7b733e9e167bbd8ce2a4c743d812555c00caf533a5c5630c46
SHA512 bd3ed54d0ea1170448fdd986ca5d5d8b712cfc7ccbd9f78897328f7687b03a2e75fd018e4ba660f3441dfb5bfbc05468047a2c85c55c03320de860f36c5be929