Malware Analysis Report

2025-01-19 05:13

Sample ID 241203-161p8aspbl
Target ea35a3573f84a4e2347b5aa0fb5f9eb94117c7fc14dfc01e6b381742458d4f2f.bin
SHA256 ea35a3573f84a4e2347b5aa0fb5f9eb94117c7fc14dfc01e6b381742458d4f2f
Tags
cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact
score
10/10

Analysis Overview

score
10/10

SHA256

ea35a3573f84a4e2347b5aa0fb5f9eb94117c7fc14dfc01e6b381742458d4f2f

Threat Level: Known bad

The file ea35a3573f84a4e2347b5aa0fb5f9eb94117c7fc14dfc01e6b381742458d4f2f.bin was found to be: Known bad.

Malicious Activity Summary

Cerberus family

Cerberus

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-12-03 22:16

Signatures

Declares broadcast receivers with permission to handle system events

android.permission.BIND_DEVICE_ADMIN: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions

android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.REQUEST_INSTALL_PACKAGES: Allows an application to request installing packages.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-03 22:16

Reported

2024-12-03 22:19

Platform

android-x86-arm-20240624-en

Max time kernel

67s

Max time network

155s

Command Line

com.salad.quiz

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Indicator: N/A

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.salad.quiz/app_DynamicOptDex/AfhPW.json (2 entries)

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 entries)

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Framework API call: android.hardware.SensorManager.registerListener

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo

Processes

com.salad.quiz

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.salad.quiz/app_DynamicOptDex/AfhPW.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.salad.quiz/app_DynamicOptDex/oat/x86/AfhPW.odex --compiler-filter=quicken --class-loader-context=&

Network

Country  Destination           Domain                              Proto
N/A      224.0.0.251:5353      -                                   udp
GB       142.250.200.10:443    -                                   tcp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
GB       142.250.200.46:443    -                                   tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       142.250.200.14:443    android.apis.google.com             tcp
RU       80.87.192.227:80      80.87.192.227                       tcp
RU       80.87.192.227:80      80.87.192.227                       tcp
GB       172.217.169.14:443    -                                   tcp
GB       142.250.187.194:443   -                                   tcp

Files

/data/data/com.salad.quiz/app_DynamicOptDex/AfhPW.json (2 entries)
/data/user/0/com.salad.quiz/app_DynamicOptDex/AfhPW.json (2 entries)
/data/data/com.salad.quiz/app_DynamicOptDex/oat/AfhPW.json.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-03 22:16

Reported

2024-12-03 22:19

Platform

android-x64-20240624-en

Max time kernel

74s

Max time network

150s

Command Line

com.salad.quiz

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Indicator: N/A

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.salad.quiz/app_DynamicOptDex/AfhPW.json

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 entries)

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Framework API call: android.hardware.SensorManager.registerListener

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo

Processes

com.salad.quiz

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       142.250.200.40:443    ssl.google-analytics.com  tcp
GB       142.250.180.14:443    -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.200.46:443    android.apis.google.com   tcp
GB       172.217.16.228:443    -                         tcp
GB       172.217.16.228:443    -                         tcp
RU       80.87.192.227:80      80.87.192.227             tcp
RU       80.87.192.227:80      80.87.192.227             tcp
RU       80.87.192.227:80      80.87.192.227             tcp
RU       80.87.192.227:80      80.87.192.227             tcp
RU       80.87.192.227:80      80.87.192.227             tcp
RU       80.87.192.227:80      80.87.192.227             tcp

Files

/data/data/com.salad.quiz/app_DynamicOptDex/AfhPW.json (2 entries)
/data/user/0/com.salad.quiz/app_DynamicOptDex/AfhPW.json
/data/data/com.salad.quiz/app_DynamicOptDex/oat/AfhPW.json.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-03 22:16

Reported

2024-12-03 22:19

Platform

android-x64-arm64-20240624-en

Max time kernel

68s

Max time network

154s

Command Line

com.salad.quiz

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Indicator: N/A

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.salad.quiz/app_DynamicOptDex/AfhPW.json
Indicator: [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.salad.quiz/app_DynamicOptDex/AfhPW.json] (2 entries)

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 entries)

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Framework API call: android.hardware.SensorManager.registerListener

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo

Processes

com.salad.quiz

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
GB       142.250.179.238:443   -                         tcp
GB       142.250.179.238:443   -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.200.46:443    android.apis.google.com   tcp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       216.58.212.232:443    ssl.google-analytics.com  tcp
GB       142.250.200.46:443    android.apis.google.com   tcp
RU       80.87.192.227:80      80.87.192.227             tcp
GB       142.250.187.196:443   -                         tcp
GB       142.250.187.196:443   -                         tcp
RU       80.87.192.227:80      80.87.192.227             tcp
RU       80.87.192.227:80      80.87.192.227             tcp
RU       80.87.192.227:80      80.87.192.227             tcp
RU       80.87.192.227:80      80.87.192.227             tcp
RU       80.87.192.227:80      80.87.192.227             tcp
RU       80.87.192.227:80      80.87.192.227             tcp
RU       80.87.192.227:80      80.87.192.227             tcp

Files

/data/user/0/com.salad.quiz/app_DynamicOptDex/AfhPW.json (3 entries)
/data/data/com.salad.quiz/app_DynamicOptDex/oat/AfhPW.json.cur.prof