Malware Analysis Report

2025-01-19 05:14

Sample ID 241125-1ykc9svrck
Target bcce8721d78e9511a26be495b1f40af393a742aaba3f841d86c029c2b8a82674.bin
SHA256 bcce8721d78e9511a26be495b1f40af393a742aaba3f841d86c029c2b8a82674
Tags
cerberus banker collection credential_access discovery evasion impact infostealer persistence privilege_escalation rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bcce8721d78e9511a26be495b1f40af393a742aaba3f841d86c029c2b8a82674

Threat Level: Known bad

The file bcce8721d78e9511a26be495b1f40af393a742aaba3f841d86c029c2b8a82674.bin was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection credential_access discovery evasion impact infostealer persistence privilege_escalation rat stealth trojan

Cerberus

Cerberus family

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Tries to add a device administrator.

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests changing the default SMS application.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 22:03

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 22:03

Reported

2024-11-25 22:06

Platform

android-x86-arm-20240624-en

Max time kernel

84s

Max time network

142s

Command Line

com.brdnpufwm.fpemtlcca

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.brdnpufwm.fpemtlcca/app_app_dex/hilelfo.epf N/A N/A
N/A /data/user/0/com.brdnpufwm.fpemtlcca/app_app_dex/hilelfo.epf N/A N/A
N/A /data/user/0/com.brdnpufwm.fpemtlcca/app_app_dex/hilelfo.epf N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests changing the default SMS application.

collection impact
Description Indicator Process Target
Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.brdnpufwm.fpemtlcca

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.brdnpufwm.fpemtlcca/app_app_dex/hilelfo.epf --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.brdnpufwm.fpemtlcca/app_app_dex/oat/x86/hilelfo.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
NL 45.67.35.46:80 45.67.35.46 tcp

Files

/data/data/com.brdnpufwm.fpemtlcca/files/kvrukk.mel

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

/data/data/com.brdnpufwm.fpemtlcca/app_app_dex/hilelfo.epf

MD5 7962d657f47197f8705502d04b081474
SHA1 4637e409b551c87e13757bd2f4e087714944b4a3
SHA256 4b13c59baf81e423fcc9d1cf23cd2cebff417fa2ba728d5c89278a6ed13d1123
SHA512 427b2cda6f4759ba4014098ac5849c05cf7f5ecc7190347314f389de7d64be6210bf46f07471c22a362d8f4ca0fabd604e199d7d2878a65bc09b72b23e81c6a7

/data/user/0/com.brdnpufwm.fpemtlcca/app_app_dex/hilelfo.epf

MD5 6ee5d66899f687ed3d272a2e7a99d9b5
SHA1 1b447cf0392007585e0a121d57075f7b2dfdc03e
SHA256 202caaed8a531a5dede3e69b473228134149a53083bbf2a65d5005354a7bc4a0
SHA512 61c5821e1f8201f0f9459ff5f40a29fe478082870128c5e1c0a4156859fe7b98c08f9746e3da0c429e5aff51d35600e9176ef32a8b5ffb9bb806587ebf477ab6

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-25 22:03

Reported

2024-11-25 22:06

Platform

android-x64-20240624-en

Max time kernel

80s

Max time network

160s

Command Line

com.brdnpufwm.fpemtlcca

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.brdnpufwm.fpemtlcca/app_app_dex/hilelfo.epf N/A N/A
N/A /data/user/0/com.brdnpufwm.fpemtlcca/app_app_dex/hilelfo.epf N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.brdnpufwm.fpemtlcca

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
NL 45.67.35.46:80 45.67.35.46 tcp
NL 45.67.35.46:80 45.67.35.46 tcp

Files

/data/data/com.brdnpufwm.fpemtlcca/files/kvrukk.mel

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

/data/data/com.brdnpufwm.fpemtlcca/app_app_dex/hilelfo.epf

MD5 7962d657f47197f8705502d04b081474
SHA1 4637e409b551c87e13757bd2f4e087714944b4a3
SHA256 4b13c59baf81e423fcc9d1cf23cd2cebff417fa2ba728d5c89278a6ed13d1123
SHA512 427b2cda6f4759ba4014098ac5849c05cf7f5ecc7190347314f389de7d64be6210bf46f07471c22a362d8f4ca0fabd604e199d7d2878a65bc09b72b23e81c6a7

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-25 22:03

Reported

2024-11-25 22:06

Platform

android-x64-arm64-20240624-en

Max time kernel

57s

Max time network

150s

Command Line

com.brdnpufwm.fpemtlcca

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.brdnpufwm.fpemtlcca/app_app_dex/hilelfo.epf N/A N/A
N/A /data/user/0/com.brdnpufwm.fpemtlcca/app_app_dex/hilelfo.epf N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Requests changing the default SMS application.

collection impact
Description Indicator Process Target
Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.brdnpufwm.fpemtlcca

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.200:443 ssl.google-analytics.com tcp
NL 45.67.35.46:80 45.67.35.46 tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
NL 45.67.35.46:80 45.67.35.46 tcp

Files

/data/user/0/com.brdnpufwm.fpemtlcca/files/kvrukk.mel

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

/data/user/0/com.brdnpufwm.fpemtlcca/app_app_dex/hilelfo.epf

MD5 7962d657f47197f8705502d04b081474
SHA1 4637e409b551c87e13757bd2f4e087714944b4a3
SHA256 4b13c59baf81e423fcc9d1cf23cd2cebff417fa2ba728d5c89278a6ed13d1123
SHA512 427b2cda6f4759ba4014098ac5849c05cf7f5ecc7190347314f389de7d64be6210bf46f07471c22a362d8f4ca0fabd604e199d7d2878a65bc09b72b23e81c6a7