Malware Analysis Report

2025-01-19 05:14

Sample ID 241125-h2p4ta1mbm
Target 99ff688d1a2b535bb025eaf91367d6d9_JaffaCakes118
SHA256 da6ad6b01c00868cd5f7d60aecac9b9d3b651e83c8e71fbfe8e2922fedf84575
Tags
cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact
score
10/10


Analysis Overview

score
10/10

SHA256

da6ad6b01c00868cd5f7d60aecac9b9d3b651e83c8e71fbfe8e2922fedf84575

Threat Level: Known bad

The file 99ff688d1a2b535bb025eaf91367d6d9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact

Cerberus

Cerberus family

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 07:14

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-25 07:14

Reported

2024-11-25 07:14

Platform

android-x64-arm64-20240624-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 07:14

Reported

2024-11-25 07:16

Platform

android-x86-arm-20240624-en

Max time kernel

64s

Max time network

131s

Command Line

estate.cake.crush

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/estate.cake.crush/app_DynamicOptDex/pMO.json | N/A | N/A
N/A | /data/user/0/estate.cake.crush/app_DynamicOptDex/pMO.json | N/A | N/A
N/A | /data/user/0/estate.cake.crush/app_DynamicOptDex/pMO.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

estate.cake.crush

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/estate.cake.crush/app_DynamicOptDex/pMO.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/estate.cake.crush/app_DynamicOptDex/oat/x86/pMO.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.74:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | somsombaba.xyz | udp

Files

/data/data/estate.cake.crush/app_DynamicOptDex/pMO.json

MD5 2e04f11062c2bbda6c3cdcf0a6fae086
SHA1 b4cb7d9433108de2675e01097402d853fc332d39
SHA256 281129f92d402aa2b5884e597eda60027d5695efd859b29cc3e59bd88c06f6b7
SHA512 3b616084fadcbe0f78272b934939dd30fa8481042de58307dc299af2250fd158a3610366863597674335b624d6c1e9d922729760f33f0e989ad7f75670d0936e

/data/data/estate.cake.crush/app_DynamicOptDex/pMO.json

MD5 a81b540a1b6225eb86374cf85db257bf
SHA1 76f878e135cea17e3a7e3e7808e4be1b774a30ea
SHA256 cc76bfd537f15a42f05eadbffab3284bf030cc7e9b7eb339598d42c832f76ebb
SHA512 80a949eb2207193b9981270c18df16fff854e2d8a6e4351bbe91541d36077bb834a76a3234d8ae0dd2058ad8e034ee88e366820ac6d0ce9be9613cd4e4202e0d

/data/user/0/estate.cake.crush/app_DynamicOptDex/pMO.json

MD5 e511bcc895c4da68f2c7eabfb627398d
SHA1 2052f3807daddec66e283e7dc60b7b3e635959f5
SHA256 9501ff366b1bc860183bb2cb86f2cccab87b0419e5168d143d1395f0d4da1823
SHA512 a3eadb017b7d254ab6ff7bd5720bfa45e8e6246edcfe88eff3e865314689d7c427c8ccdb56d42ecdf3234948bd6e6537c4c94b0b8882ae174cfdb45273e5902e

/data/data/estate.cake.crush/app_DynamicOptDex/oat/pMO.json.cur.prof

MD5 49ad3beebce44b65a8e49ab3be7ce367
SHA1 61462de5b46a794e4f27529905226b51889dcf45
SHA256 a6d69eb5c66b08a9feb98fd717b07ea710c7f7d60e2e6342f19d69e1fb540678
SHA512 b29abf252433153e801796f3d999d33896e6a0cb0e5e51265d24602a24f6096c86e2cff3891143cb018aa55d4da431f58a5b7feb0912f8a5e6d2f14227258f34

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-25 07:14

Reported

2024-11-25 07:16

Platform

android-x64-20240624-en

Max time kernel

49s

Max time network

148s

Command Line

estate.cake.crush

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/estate.cake.crush/app_DynamicOptDex/pMO.json | N/A | N/A
N/A | /data/user/0/estate.cake.crush/app_DynamicOptDex/pMO.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

estate.cake.crush

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | somsombaba.xyz | udp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
GB | 216.58.213.14:443 | | tcp
GB | 142.250.178.2:443 | | tcp

Files

/data/data/estate.cake.crush/app_DynamicOptDex/pMO.json

MD5 2e04f11062c2bbda6c3cdcf0a6fae086
SHA1 b4cb7d9433108de2675e01097402d853fc332d39
SHA256 281129f92d402aa2b5884e597eda60027d5695efd859b29cc3e59bd88c06f6b7
SHA512 3b616084fadcbe0f78272b934939dd30fa8481042de58307dc299af2250fd158a3610366863597674335b624d6c1e9d922729760f33f0e989ad7f75670d0936e

/data/data/estate.cake.crush/app_DynamicOptDex/pMO.json

MD5 a81b540a1b6225eb86374cf85db257bf
SHA1 76f878e135cea17e3a7e3e7808e4be1b774a30ea
SHA256 cc76bfd537f15a42f05eadbffab3284bf030cc7e9b7eb339598d42c832f76ebb
SHA512 80a949eb2207193b9981270c18df16fff854e2d8a6e4351bbe91541d36077bb834a76a3234d8ae0dd2058ad8e034ee88e366820ac6d0ce9be9613cd4e4202e0d

/data/data/estate.cake.crush/app_DynamicOptDex/oat/pMO.json.cur.prof

MD5 275cb91f10757917fa690ef62c1a494c
SHA1 a985f53b621cb56ed0e5fda58a97c3ff982ec7f7
SHA256 b519ccb447844ae6d0393bec68bfa651797c5fda108745f98b7f9afcd1e7699f
SHA512 168f9226cb204f312f52afd05e7ec32b38a75f714c639625160bc498feaa0a53312a1b77a5bf858ae75f50f95bbbee03c71cfdb5b06fba21a94227d36619fa2a