Malware Analysis Report

2025-01-19 05:13

Sample ID 241130-16v5qsxkdw
Target 40160ca2c099cba41d296b813a067a40c8ad81a78bf4f51e45078e998a6da808.bin
SHA256 40160ca2c099cba41d296b813a067a40c8ad81a78bf4f51e45078e998a6da808
Tags
cerberus banker collection credential_access discovery evasion infostealer persistence rat trojan impact
score
10/10


Analysis Overview

score
10/10

SHA256

40160ca2c099cba41d296b813a067a40c8ad81a78bf4f51e45078e998a6da808

Threat Level: Known bad

The file 40160ca2c099cba41d296b813a067a40c8ad81a78bf4f51e45078e998a6da808.bin was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection credential_access discovery evasion infostealer persistence rat trojan impact

Cerberus family

Cerberus

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Queries the phone number (MSISDN for GSM devices)

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-30 22:16

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-30 22:16

Reported

2024-11-30 22:18

Platform

android-x86-arm-20240910-en

Max time kernel

38s

Max time network

151s

Command Line

com.artist.essence

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.artist.essence/app_DynamicOptDex/ifnh.json | N/A | N/A
N/A | /data/user/0/com.artist.essence/app_DynamicOptDex/ifnh.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.artist.essence

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.artist.essence/app_DynamicOptDex/ifnh.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.artist.essence/app_DynamicOptDex/oat/x86/ifnh.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.14:443 | | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | icons.iconarchive.com | udp
US | 1.1.1.1:53 | icons.iconarchive.com | udp
US | 1.1.1.1:53 | icons.iconarchive.com | udp
US | 104.21.235.214:443 | icons.iconarchive.com | tcp
US | 1.1.1.1:53 | vamosaversisalealgodeaqui1762.shop | udp
GB | 142.250.200.2:443 | | tcp

Files

/data/data/com.artist.essence/app_DynamicOptDex/ifnh.json

MD5 6d1e2033eb295c10751e646ec47f6bdc
SHA1 1c84f5e13ff3366d3dfd6ab3ae4af57e3bb0bf7a
SHA256 ee481694546e458f1f08cf398a342221f0561ef21e7087b5f2887d96af13e14d
SHA512 2c6a66eb3f033cacf3bd42398db4be2ad183d143b7c8b7d7210a28bd543fc542c3b13cbb1322d88224d860d6f4d446670647240f454ebb8a3b705c74dea5c656

/data/data/com.artist.essence/app_DynamicOptDex/ifnh.json

MD5 2dddeeea5e3767e35d7ffd87b74ab0eb
SHA1 e541c08ec9e571a49db62111c12ed822a82be8d2
SHA256 2ffa7a93f00f53129669786e3d0cfdd22b4098fbdf61579956726a794ae84f6d
SHA512 b3705dc2c3df1c3b0f6e0b49becb84e1eb5333f9fb341579be255b935449399ac73ea3ffa35f580b02da451cffdcc91b0ae798728d46281ee7f46fc075a0eaef

/data/user/0/com.artist.essence/app_DynamicOptDex/ifnh.json

MD5 4106683f9a42bad514258325c73ab227
SHA1 ca59630b1ccf9914573d0a3c5fc3ff5c4b65ad29
SHA256 514570a8efc9a3b8b0c5ad02c8bc10496b70cf14f9a5daf77cb7d1a55aa20678
SHA512 e5cd0c22797bd482ce6d67eba3ee79627319f645cf73c1872d88c6d41a62a356696a7671d8c66de9be565772d104df2418a6b7db1c1d7216d64757c50452818e

/data/user/0/com.artist.essence/app_DynamicOptDex/ifnh.json

MD5 3f7b08b27d11cdd1a6d206b0f22d5446
SHA1 1fabcfd40d870afe03eb732b0f41375b3ad1fc23
SHA256 1a7d9b7921f251dd227889e95b877bd8178d65ab5a76ab417a75597368dd5bbc
SHA512 5fafec65de79ef527d8e6b9f96e09ebbf2818d02fe6743789b67187b2aa0ba3aa88297d7e1419cdf277eb37b6d1d8b04d942d2513052e21ebf92489a6b7ec9d2

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-30 22:16

Reported

2024-11-30 22:18

Platform

android-x64-20240624-en

Max time kernel

47s

Max time network

155s

Command Line

com.artist.essence

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.artist.essence/app_DynamicOptDex/ifnh.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.artist.essence

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | icons.iconarchive.com | udp
US | 104.21.235.213:443 | icons.iconarchive.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | vamosaversisalealgodeaqui1762.shop | udp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 216.58.201.98:443 | | tcp
GB | 172.217.169.46:443 | | tcp

Files

/data/data/com.artist.essence/app_DynamicOptDex/ifnh.json

MD5 6d1e2033eb295c10751e646ec47f6bdc
SHA1 1c84f5e13ff3366d3dfd6ab3ae4af57e3bb0bf7a
SHA256 ee481694546e458f1f08cf398a342221f0561ef21e7087b5f2887d96af13e14d
SHA512 2c6a66eb3f033cacf3bd42398db4be2ad183d143b7c8b7d7210a28bd543fc542c3b13cbb1322d88224d860d6f4d446670647240f454ebb8a3b705c74dea5c656

/data/data/com.artist.essence/app_DynamicOptDex/ifnh.json

MD5 2dddeeea5e3767e35d7ffd87b74ab0eb
SHA1 e541c08ec9e571a49db62111c12ed822a82be8d2
SHA256 2ffa7a93f00f53129669786e3d0cfdd22b4098fbdf61579956726a794ae84f6d
SHA512 b3705dc2c3df1c3b0f6e0b49becb84e1eb5333f9fb341579be255b935449399ac73ea3ffa35f580b02da451cffdcc91b0ae798728d46281ee7f46fc075a0eaef

/data/user/0/com.artist.essence/app_DynamicOptDex/ifnh.json

MD5 4106683f9a42bad514258325c73ab227
SHA1 ca59630b1ccf9914573d0a3c5fc3ff5c4b65ad29
SHA256 514570a8efc9a3b8b0c5ad02c8bc10496b70cf14f9a5daf77cb7d1a55aa20678
SHA512 e5cd0c22797bd482ce6d67eba3ee79627319f645cf73c1872d88c6d41a62a356696a7671d8c66de9be565772d104df2418a6b7db1c1d7216d64757c50452818e

/data/data/com.artist.essence/app_DynamicOptDex/oat/ifnh.json.cur.prof

MD5 fa28f2e9d3b13747a2a24b4a358d5192
SHA1 593588b152b00b5bef9962ed35172100c9a11a66
SHA256 e94da4952cab7dd3f851f2f8acc0833847f02a878071b20ac7cbb05c5f5a7cb7
SHA512 fae7fef7d8be1b22eeb7cf4d81758a3e9590a68add1694b16b22dbe57fc25e3d09f72ffabf445ec218b5191bf371190e477c8b95d6f3351aeabe561dd1627d4c

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-30 22:16

Reported

2024-11-30 22:18

Platform

android-x64-arm64-20240910-en

Max time kernel

37s

Max time network

151s

Command Line

com.artist.essence

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.artist.essence/app_DynamicOptDex/ifnh.json | N/A | N/A
N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.artist.essence/app_DynamicOptDex/ifnh.json] | N/A | N/A
N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.artist.essence/app_DynamicOptDex/ifnh.json] | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.artist.essence

Network

Country | Destination | Domain | Proto
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp
GB | 216.58.201.106:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 216.58.212.206:443 | www.youtube.com | udp
GB | 216.58.212.206:443 | www.youtube.com | tcp
GB | 172.217.169.46:443 | www.youtube.com | tcp
GB | 172.217.169.46:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | icons.iconarchive.com | udp
US | 104.21.235.213:443 | icons.iconarchive.com | tcp
US | 1.1.1.1:53 | vamosaversisalealgodeaqui1762.shop | udp
US | 216.239.36.223:443 | | tcp
US | 216.239.36.223:443 | | tcp
GB | 142.250.200.1:443 | | tcp
GB | 216.58.212.193:443 | | tcp
US | 216.239.36.223:443 | | tcp
US | 216.239.36.223:443 | | tcp

Files

/data/user/0/com.artist.essence/app_DynamicOptDex/ifnh.json

MD5 6d1e2033eb295c10751e646ec47f6bdc
SHA1 1c84f5e13ff3366d3dfd6ab3ae4af57e3bb0bf7a
SHA256 ee481694546e458f1f08cf398a342221f0561ef21e7087b5f2887d96af13e14d
SHA512 2c6a66eb3f033cacf3bd42398db4be2ad183d143b7c8b7d7210a28bd543fc542c3b13cbb1322d88224d860d6f4d446670647240f454ebb8a3b705c74dea5c656

/data/user/0/com.artist.essence/app_DynamicOptDex/ifnh.json

MD5 2dddeeea5e3767e35d7ffd87b74ab0eb
SHA1 e541c08ec9e571a49db62111c12ed822a82be8d2
SHA256 2ffa7a93f00f53129669786e3d0cfdd22b4098fbdf61579956726a794ae84f6d
SHA512 b3705dc2c3df1c3b0f6e0b49becb84e1eb5333f9fb341579be255b935449399ac73ea3ffa35f580b02da451cffdcc91b0ae798728d46281ee7f46fc075a0eaef

/data/user/0/com.artist.essence/app_DynamicOptDex/ifnh.json

MD5 4106683f9a42bad514258325c73ab227
SHA1 ca59630b1ccf9914573d0a3c5fc3ff5c4b65ad29
SHA256 514570a8efc9a3b8b0c5ad02c8bc10496b70cf14f9a5daf77cb7d1a55aa20678
SHA512 e5cd0c22797bd482ce6d67eba3ee79627319f645cf73c1872d88c6d41a62a356696a7671d8c66de9be565772d104df2418a6b7db1c1d7216d64757c50452818e