Malware Analysis Report

2025-01-19 05:13

Sample ID 241130-cxejmaskaq
Target b46a0305dfbcb341dad439a88cd67c56_JaffaCakes118
SHA256 29149f72818601df2e9df222a3167c832e9c4caf0d9e9c281889336200d68dd7
Tags
cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

29149f72818601df2e9df222a3167c832e9c4caf0d9e9c281889336200d68dd7

Threat Level: Known bad

The file b46a0305dfbcb341dad439a88cd67c56_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact

Cerberus family

Cerberus

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-30 02:27

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-30 02:27

Reported

2024-11-30 02:29

Platform

android-x86-arm-20240624-en

Max time kernel

135s

Max time network

144s

Command Line

raven.tenant.forum

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json N/A N/A
N/A /data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json N/A N/A
N/A /data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

raven.tenant.forum

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/raven.tenant.forum/app_DynamicOptDex/oat/x86/rWQ.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 216.58.213.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 ratrentalservice.com udp

Files

/data/data/raven.tenant.forum/app_DynamicOptDex/rWQ.json

MD5 3f39379292e5fc636eb29371ba013bd2
SHA1 091c69d1fda980b18ea7c2a413ddde7ec5854137
SHA256 8982186196bcc0a336386d27d4c3de1c3e43b10aad0fecbecd706160b9cbd117
SHA512 67f7e0e44c53ce9dff01f0be087b508a3f7f25761e1c23b5e61acbfc8b9c32d4625c552a1c72d2fc10e805179028eabf0fb7871246086ecca685d717ef0476f9

/data/data/raven.tenant.forum/app_DynamicOptDex/rWQ.json

MD5 d03fead3b34e2fc98d5e1f86a53eb5c3
SHA1 6d8a9a7939c518ffde2528a42e9e37a816dc41d6
SHA256 58c75abc38546efd7237941d1c9732fe6c65dfd56852eb2cb633f22859203a46
SHA512 4921f1bdf7f20ad63f00f7e38dd97f30c6e3c9d59d7a41fc3fa848f0d48aaff048c5f1e104e2fbec7f0307fedb000e0920e604859bf8ef55d652ef224e1d9702

/data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json

MD5 83de487436714916327ad33fc2ffa7cb
SHA1 478b1a093824c40e7dc5f6b88650d06cf2362d4b
SHA256 e8977f529770998108569031f4a93513de6aa2426963d6cd9c2643d7bd420aae
SHA512 f41f063c637689ba1514b25a102a92292f21db3211c2fd102a4549fbe9c8c990d95e7f5ca55b29ab62a1eea26f7f7c4d9e1571ec9b2671af69b7b3f077ca4491

/data/data/raven.tenant.forum/app_DynamicOptDex/oat/rWQ.json.cur.prof

MD5 aa68d8f19499e74389a1123b26591f6f
SHA1 6d12787b0ff5c5f0359afe5d3170c50b8868a3c8
SHA256 99ec076fd4b5683c3c761d3f8213cbd1bf5508e724bbc60449c3182437a002ef
SHA512 070c903e5e4d98da78c5b1536bfff7a2cd13d8ad7873e81a67492d981e4c0c958acd20f97de44350d7e7e91e6725f08df3b35de4079d203c93336060724053be

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-30 02:27

Reported

2024-11-30 02:29

Platform

android-x64-20240624-en

Max time kernel

49s

Max time network

152s

Command Line

raven.tenant.forum

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json N/A N/A
N/A /data/user/0/raven.tenant.forum/app_DynamicOptDex/rWQ.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

raven.tenant.forum

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 ratrentalservice.com udp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 172.217.16.238:443 tcp
GB 216.58.201.98:443 tcp

Files

/data/data/raven.tenant.forum/app_DynamicOptDex/rWQ.json

MD5 3f39379292e5fc636eb29371ba013bd2
SHA1 091c69d1fda980b18ea7c2a413ddde7ec5854137
SHA256 8982186196bcc0a336386d27d4c3de1c3e43b10aad0fecbecd706160b9cbd117
SHA512 67f7e0e44c53ce9dff01f0be087b508a3f7f25761e1c23b5e61acbfc8b9c32d4625c552a1c72d2fc10e805179028eabf0fb7871246086ecca685d717ef0476f9

/data/data/raven.tenant.forum/app_DynamicOptDex/rWQ.json

MD5 d03fead3b34e2fc98d5e1f86a53eb5c3
SHA1 6d8a9a7939c518ffde2528a42e9e37a816dc41d6
SHA256 58c75abc38546efd7237941d1c9732fe6c65dfd56852eb2cb633f22859203a46
SHA512 4921f1bdf7f20ad63f00f7e38dd97f30c6e3c9d59d7a41fc3fa848f0d48aaff048c5f1e104e2fbec7f0307fedb000e0920e604859bf8ef55d652ef224e1d9702

/data/data/raven.tenant.forum/app_DynamicOptDex/oat/rWQ.json.cur.prof

MD5 cf2140c50a0e0c5a140c27b06a696607
SHA1 bff9963f0362f7fa5f8d8d25f73bf62bea4af1e7
SHA256 b2935b39177e0cba51cd4b3f7d29f3416f01e1b2ffecf2245c3a96b65f1f8e9c
SHA512 8f002fce243c16aedba4ea2f34580cf4efb04fce651c93b202fc0316dcf3f5217de4d146bd048afd4dd1bb01081edbba83d26fdf425d13f20fbfd2d1910e939b

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-30 02:27

Reported

2024-11-30 02:27

Platform

android-x64-arm64-20240624-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A