Malware Analysis Report

2025-01-19 05:12

Sample ID 241203-1286sssmdm
Target f7a2976b4f815408f29c97d6476563a271388c386bd651cf26c02addb867087b.bin
SHA256 f7a2976b4f815408f29c97d6476563a271388c386bd651cf26c02addb867087b
Tags
cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan privilege_escalation
score
10/10

Analysis Overview

Threat Level: Known bad

The file f7a2976b4f815408f29c97d6476563a271388c386bd651cf26c02addb867087b.bin was found to be: Known bad.

Malicious Activity Summary

Cerberus family

Cerberus

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tries to add a device administrator.

Requests changing the default SMS application.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-12-03 22:09

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-03 22:09

Reported

2024-12-03 22:12

Platform

android-x86-arm-20240910-en

Max time kernel

142s

Max time network

151s

Command Line

com.olhrkwvpe.zazvqzznb

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.olhrkwvpe.zazvqzznb/app_app_dex/cnooisg.qdl N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests changing the default SMS application.

collection impact
Description Indicator Process Target
Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.olhrkwvpe.zazvqzznb

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.olhrkwvpe.zazvqzznb/app_app_dex/cnooisg.qdl --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.olhrkwvpe.zazvqzznb/app_app_dex/oat/x86/cnooisg.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.14:443 tcp
GB 142.250.200.14:443 tcp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 tfsmrfs.ru udp
GB 142.250.178.4:80 tcp
GB 142.250.200.35:80 tcp
GB 142.250.178.4:443 tcp
GB 142.250.200.34:443 tcp

Files

/data/data/com.olhrkwvpe.zazvqzznb/files/kodlei.dwn

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

/data/data/com.olhrkwvpe.zazvqzznb/app_app_dex/cnooisg.qdl

MD5 b4b363c197cfd9c7ea2a2cec0b0af62a
SHA1 935eed2a57293b8ca101d15c86a9f4e90228cf17
SHA256 df4dae7cbcf39c2fa2db0614f5f2691390618e7f269e0bb2619a8d03de44a2de
SHA512 42e3351f62514c00ce222ccc3ffa1752d070d293c18a5f5f830b29e751a0f72290a516a7c5190bbb5a77be544102af6994732e7275c5b5594b11ddf51d0af4b4

/data/user/0/com.olhrkwvpe.zazvqzznb/app_app_dex/cnooisg.qdl

MD5 a8e46ac4f58ccc93bec31a9cc39398bc
SHA1 958f539c6ad8933832df51dd9023be0c66547c68
SHA256 2b6160bc411383cd74070424a2867f6b6f233ecf9b1c9aaeef8d6392768d7b4d
SHA512 0b5f2a0c6d2ea981d3e88d35596df698ea341c7b6bb8721c67026df369b31090aee951326f50794d50023db74c7e3388820dc8060d8750ec7f12283a3cb24a8f

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-03 22:09

Reported

2024-12-03 22:12

Platform

android-x64-20240910-en

Max time kernel

41s

Max time network

155s

Command Line

com.olhrkwvpe.zazvqzznb

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.olhrkwvpe.zazvqzznb/app_app_dex/cnooisg.qdl N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.olhrkwvpe.zazvqzznb

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.234:443 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 tfsmrfs.ru udp

Files

/data/data/com.olhrkwvpe.zazvqzznb/files/kodlei.dwn

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

/data/data/com.olhrkwvpe.zazvqzznb/app_app_dex/cnooisg.qdl

MD5 b4b363c197cfd9c7ea2a2cec0b0af62a
SHA1 935eed2a57293b8ca101d15c86a9f4e90228cf17
SHA256 df4dae7cbcf39c2fa2db0614f5f2691390618e7f269e0bb2619a8d03de44a2de
SHA512 42e3351f62514c00ce222ccc3ffa1752d070d293c18a5f5f830b29e751a0f72290a516a7c5190bbb5a77be544102af6994732e7275c5b5594b11ddf51d0af4b4

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-03 22:09

Reported

2024-12-03 22:12

Platform

android-x64-arm64-20240624-en

Max time kernel

49s

Max time network

132s

Command Line

com.olhrkwvpe.zazvqzznb

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.olhrkwvpe.zazvqzznb/app_app_dex/cnooisg.qdl N/A N/A
N/A /data/user/0/com.olhrkwvpe.zazvqzznb/app_app_dex/cnooisg.qdl (deleted) N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Requests changing the default SMS application.

collection impact
Description Indicator Process Target
Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.olhrkwvpe.zazvqzznb

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 tfsmrfs.ru udp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/data/user/0/com.olhrkwvpe.zazvqzznb/files/kodlei.dwn

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

/data/user/0/com.olhrkwvpe.zazvqzznb/app_app_dex/cnooisg.qdl

MD5 b4b363c197cfd9c7ea2a2cec0b0af62a
SHA1 935eed2a57293b8ca101d15c86a9f4e90228cf17
SHA256 df4dae7cbcf39c2fa2db0614f5f2691390618e7f269e0bb2619a8d03de44a2de
SHA512 42e3351f62514c00ce222ccc3ffa1752d070d293c18a5f5f830b29e751a0f72290a516a7c5190bbb5a77be544102af6994732e7275c5b5594b11ddf51d0af4b4