Malware Analysis Report

2025-01-19 05:12

Sample ID 241130-1w8cba1lgm
Target 63e3a5ac3c464dcf9966b47f05a5d5be8e0f973bbb62921061d620355a371316.bin
SHA256 63e3a5ac3c464dcf9966b47f05a5d5be8e0f973bbb62921061d620355a371316
Tags
cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact
score
10/10

Analysis Overview

score
10/10

SHA256

63e3a5ac3c464dcf9966b47f05a5d5be8e0f973bbb62921061d620355a371316

Threat Level: Known bad

The file 63e3a5ac3c464dcf9966b47f05a5d5be8e0f973bbb62921061d620355a371316.bin was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact

Cerberus

Cerberus family

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background)

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-30 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-30 22:01

Reported

2024-11-30 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

87s

Max time network

130s

Command Line

com.lemon.payment

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.lemon.payment/app_DynamicOptDex/Buqw.json | N/A | N/A
N/A | /data/user/0/com.lemon.payment/app_DynamicOptDex/Buqw.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.lemon.payment

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lemon.payment/app_DynamicOptDex/Buqw.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.lemon.payment/app_DynamicOptDex/oat/x86/Buqw.odex --compiler-filter=quicken --class-loader-context=&

Network

Files

/data/data/com.lemon.payment/app_DynamicOptDex/Buqw.json

MD5 5e05a69c0310aff5d6da40dfed271314
SHA1 aa931b7a7c800e4d81196ad32624e734735ed02b
SHA256 0b3c91d692738d9f5290284bceb423aca397277d28356cb1bc413d5aae196b76
SHA512 adb40c6eb48853f0ab3dc05bc4e97ced0c49c2572d995ff0f3c6848558d0d540fa6dd9a400116556261598f7a3ce807ebd97fb0a87a566a80e9e4197fc069061

/data/data/com.lemon.payment/app_DynamicOptDex/Buqw.json

MD5 dacf14beab828d9256fab88924a26f92
SHA1 bbfd21cf20d140b0cfbc6ee00b11f5e67103fe23
SHA256 5f3e2f83f830f7199a75ce044291ec0c77d7d16dbcc93c5320a745bd0abd54f3
SHA512 16b19bb4b58ceb75a91e8b8684cac4f03b358abb0c77238fe6796d625d0dfdd8d8830e4be0b166e01df7340f9a98dcb8f6dc96b102719e86ae2160a0bd3cdd9b

/data/user/0/com.lemon.payment/app_DynamicOptDex/Buqw.json

MD5 370fc68e8cef471d04059b898b87ed9b
SHA1 6689293719b8321c3ccae3d4ff4a73b98ba674d9
SHA256 ed4241d9f7bdaf0d32bed0f098d0c8ef84bac527c19239f5a1881932cb68f198
SHA512 edefae1284e11946d5b25a1ab56159bc93f492dd72457aeeff4bc8d93bf7c94692e1185a6aaf21a30d007328db7f21ee7386303c38d55e3b55a0c760b153e255

/data/user/0/com.lemon.payment/app_DynamicOptDex/Buqw.json

MD5 c8298b987ead5a31f05d4c6735f677be
SHA1 8ea1e79b8a6a3946dd35777d5a48ee1f45ad1f73
SHA256 16447da922f3f20f6d1ae0ff76fff15965821a0a734ebf19b5d8b04db1c1a370
SHA512 12a8e0e10d627cd17e5f77a153d51bae01659fc631a83ed34628145cfa28eb25799b8ccc152c602d0ba0fc0577c49bd7d3ec411d4874e257e71e9ca00da9dc9e

/data/data/com.lemon.payment/app_DynamicOptDex/oat/Buqw.json.cur.prof

MD5 837afd9e9360cf919c71c930c9349107
SHA1 e2db0641e0924230685b4e4470eb4cbf9c91af3d
SHA256 69b11fb7536b7202b83d0e0ef1ba677569083fbef17368de27eda68b734deab2
SHA512 381e33f51a23dc7728c23a0ef76c2ceb48581278341efc79252bd03c68070ca1dd5fbb2f105d2cead1a4932a176f793e6d95e10df75916f92d967e6b0f079e03

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-30 22:01

Reported

2024-11-30 22:03

Platform

android-x64-20240910-en

Max time kernel

43s

Max time network

152s

Command Line

com.lemon.payment

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.lemon.payment/app_DynamicOptDex/Buqw.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.lemon.payment

Network

Files

/data/data/com.lemon.payment/app_DynamicOptDex/Buqw.json

MD5 5e05a69c0310aff5d6da40dfed271314
SHA1 aa931b7a7c800e4d81196ad32624e734735ed02b
SHA256 0b3c91d692738d9f5290284bceb423aca397277d28356cb1bc413d5aae196b76
SHA512 adb40c6eb48853f0ab3dc05bc4e97ced0c49c2572d995ff0f3c6848558d0d540fa6dd9a400116556261598f7a3ce807ebd97fb0a87a566a80e9e4197fc069061

/data/data/com.lemon.payment/app_DynamicOptDex/Buqw.json

MD5 dacf14beab828d9256fab88924a26f92
SHA1 bbfd21cf20d140b0cfbc6ee00b11f5e67103fe23
SHA256 5f3e2f83f830f7199a75ce044291ec0c77d7d16dbcc93c5320a745bd0abd54f3
SHA512 16b19bb4b58ceb75a91e8b8684cac4f03b358abb0c77238fe6796d625d0dfdd8d8830e4be0b166e01df7340f9a98dcb8f6dc96b102719e86ae2160a0bd3cdd9b

/data/user/0/com.lemon.payment/app_DynamicOptDex/Buqw.json

MD5 370fc68e8cef471d04059b898b87ed9b
SHA1 6689293719b8321c3ccae3d4ff4a73b98ba674d9
SHA256 ed4241d9f7bdaf0d32bed0f098d0c8ef84bac527c19239f5a1881932cb68f198
SHA512 edefae1284e11946d5b25a1ab56159bc93f492dd72457aeeff4bc8d93bf7c94692e1185a6aaf21a30d007328db7f21ee7386303c38d55e3b55a0c760b153e255

/data/data/com.lemon.payment/app_DynamicOptDex/oat/Buqw.json.cur.prof

MD5 c5d8dff0238daf19b49a74466247b049
SHA1 b6b96467faf66a279df53ebde21b64df040b79d8
SHA256 4f20e9dc1e5350a0aab022378fe5f84db826b9e94287a6ac85ce6d236f1fac60
SHA512 1f597b6f0282af852d24a58015b5cbd06c1ca594fe457c988f8d1108c8db28e47f2e33f7f2e76a210398c430ffb9324f218ecd95517b7ad94c623ecf222c621a

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-30 22:01

Reported

2024-11-30 22:03

Platform

android-x64-arm64-20240910-en

Max time kernel

36s

Max time network

157s

Command Line

com.lemon.payment

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.lemon.payment/app_DynamicOptDex/Buqw.json | N/A | N/A
N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.lemon.payment/app_DynamicOptDex/Buqw.json] | N/A | N/A
N/A | [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.lemon.payment/app_DynamicOptDex/Buqw.json] | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.lemon.payment

Network

Files

/data/data/com.lemon.payment/app_DynamicOptDex/Buqw.json

MD5 5e05a69c0310aff5d6da40dfed271314
SHA1 aa931b7a7c800e4d81196ad32624e734735ed02b
SHA256 0b3c91d692738d9f5290284bceb423aca397277d28356cb1bc413d5aae196b76
SHA512 adb40c6eb48853f0ab3dc05bc4e97ced0c49c2572d995ff0f3c6848558d0d540fa6dd9a400116556261598f7a3ce807ebd97fb0a87a566a80e9e4197fc069061

/data/data/com.lemon.payment/app_DynamicOptDex/Buqw.json

MD5 dacf14beab828d9256fab88924a26f92
SHA1 bbfd21cf20d140b0cfbc6ee00b11f5e67103fe23
SHA256 5f3e2f83f830f7199a75ce044291ec0c77d7d16dbcc93c5320a745bd0abd54f3
SHA512 16b19bb4b58ceb75a91e8b8684cac4f03b358abb0c77238fe6796d625d0dfdd8d8830e4be0b166e01df7340f9a98dcb8f6dc96b102719e86ae2160a0bd3cdd9b

/data/user/0/com.lemon.payment/app_DynamicOptDex/Buqw.json

MD5 370fc68e8cef471d04059b898b87ed9b
SHA1 6689293719b8321c3ccae3d4ff4a73b98ba674d9
SHA256 ed4241d9f7bdaf0d32bed0f098d0c8ef84bac527c19239f5a1881932cb68f198
SHA512 edefae1284e11946d5b25a1ab56159bc93f492dd72457aeeff4bc8d93bf7c94692e1185a6aaf21a30d007328db7f21ee7386303c38d55e3b55a0c760b153e255