Malware Analysis Report

2025-01-19 05:12

Sample ID 241201-1y2mjstpav
Target 980dd69398a42c3c57b02a8b08c63b40fb2cbe94220b33a1eb0ec863356ac454.bin
SHA256 980dd69398a42c3c57b02a8b08c63b40fb2cbe94220b33a1eb0ec863356ac454
Tags cerberus banker collection credential_access discovery evasion impact infostealer rat stealth trojan persistence
Score 10/10

Analysis Overview

Score 10/10

SHA256 980dd69398a42c3c57b02a8b08c63b40fb2cbe94220b33a1eb0ec863356ac454

Threat Level: Known bad

The file 980dd69398a42c3c57b02a8b08c63b40fb2cbe94220b33a1eb0ec863356ac454.bin was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection credential_access discovery evasion impact infostealer rat stealth trojan persistence

Cerberus family

Cerberus

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Performs UI accessibility actions on behalf of the user

Requests changing the default SMS application.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-12-01 22:04

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-01 22:04

Reported

2024-12-01 22:06

Platform

android-x64-arm64-20240910-en

Max time kernel

37s

Max time network

150s

Command Line

com.qdnessmfm.htderymmm

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.qdnessmfm.htderymmm/app_app_dex/uhkwwvw.tkj | N/A | N/A
N/A | /data/user/0/com.qdnessmfm.htderymmm/app_app_dex/uhkwwvw.tkj | N/A | N/A
N/A | /data/user/0/com.qdnessmfm.htderymmm/app_app_dex/uhkwwvw.tkj (deleted) | N/A | N/A
N/A | /data/user/0/com.qdnessmfm.htderymmm/app_app_dex/uhkwwvw.tkj (deleted) | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.qdnessmfm.htderymmm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.200.46:443 | www.youtube.com | tcp
GB | 216.58.212.238:443 | www.youtube.com | tcp
US | 216.239.34.223:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
GB | 142.250.187.193:443 | | tcp
GB | 216.58.204.65:443 | | tcp
US | 216.239.34.223:443 | | tcp

Files

/data/user/0/com.qdnessmfm.htderymmm/files/insnwk.edw

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

/data/user/0/com.qdnessmfm.htderymmm/app_app_dex/uhkwwvw.tkj

MD5 85d03b141a76c4b17abd6aa0d2a50e91
SHA1 73fac1bd03de582877f2858e2b7923215bcf554b
SHA256 55a377318630bf74ad20e753578f680d0fe844d9bb1ab4775aea39a3c815b5c6
SHA512 1de1159b3882424e01a76782f2913dc8f2f51b723cd061dc0d5dcdbeee44c89f3b119dc3f223a1adf188a449a2fa6b034cf11795e92bb75c980ca03f46fee7cd

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-01 22:04

Reported

2024-12-01 22:06

Platform

android-x86-arm-20240624-en

Max time kernel

87s

Max time network

130s

Command Line

com.qdnessmfm.htderymmm

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.qdnessmfm.htderymmm/app_app_dex/uhkwwvw.tkj | N/A | N/A
N/A | /data/user/0/com.qdnessmfm.htderymmm/app_app_dex/uhkwwvw.tkj | N/A | N/A
N/A | /data/user/0/com.qdnessmfm.htderymmm/app_app_dex/uhkwwvw.tkj | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.qdnessmfm.htderymmm

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qdnessmfm.htderymmm/app_app_dex/uhkwwvw.tkj --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.qdnessmfm.htderymmm/app_app_dex/oat/x86/uhkwwvw.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp

Files

/data/data/com.qdnessmfm.htderymmm/files/insnwk.edw

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

/data/data/com.qdnessmfm.htderymmm/app_app_dex/uhkwwvw.tkj

MD5 85d03b141a76c4b17abd6aa0d2a50e91
SHA1 73fac1bd03de582877f2858e2b7923215bcf554b
SHA256 55a377318630bf74ad20e753578f680d0fe844d9bb1ab4775aea39a3c815b5c6
SHA512 1de1159b3882424e01a76782f2913dc8f2f51b723cd061dc0d5dcdbeee44c89f3b119dc3f223a1adf188a449a2fa6b034cf11795e92bb75c980ca03f46fee7cd

/data/user/0/com.qdnessmfm.htderymmm/app_app_dex/uhkwwvw.tkj

MD5 d88c4809ec7ee5f5cf8d3b6dc9ee23f6
SHA1 2bd90692befaf08f286a28e901e53da31e86a4ee
SHA256 d68bfed9cec5f097ef4359b938c860fd3a61dda76f7dd98912ad6327e568255c
SHA512 b6d0671b94f822d46b553f594b7737e6164386be38cecd776c21a276527c7edfcea9b6fbc7f6b6c56b02016a1ccd72270bc1f711cc1f1f88fe67c6b9a9744b9c

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-01 22:04

Reported

2024-12-01 22:06

Platform

android-x64-20240910-en

Max time kernel

36s

Max time network

154s

Command Line

com.qdnessmfm.htderymmm

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.qdnessmfm.htderymmm/app_app_dex/uhkwwvw.tkj | N/A | N/A
N/A | /data/user/0/com.qdnessmfm.htderymmm/app_app_dex/uhkwwvw.tkj | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.qdnessmfm.htderymmm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
RU | 83.220.175.199:80 | 83.220.175.199 | tcp
GB | 216.58.212.226:443 | | tcp

Files

/data/data/com.qdnessmfm.htderymmm/files/insnwk.edw

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

/data/data/com.qdnessmfm.htderymmm/app_app_dex/uhkwwvw.tkj

MD5 85d03b141a76c4b17abd6aa0d2a50e91
SHA1 73fac1bd03de582877f2858e2b7923215bcf554b
SHA256 55a377318630bf74ad20e753578f680d0fe844d9bb1ab4775aea39a3c815b5c6
SHA512 1de1159b3882424e01a76782f2913dc8f2f51b723cd061dc0d5dcdbeee44c89f3b119dc3f223a1adf188a449a2fa6b034cf11795e92bb75c980ca03f46fee7cd