Malware Analysis Report

2025-01-19 05:13

Sample ID 241209-1yfp3ssrbw
Target 25843b325b72bba00ab68ca7f2a7819422ed7c6598d4be58b1688c5567c91ac4.bin
SHA256 25843b325b72bba00ab68ca7f2a7819422ed7c6598d4be58b1688c5567c91ac4
Tags
cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

25843b325b72bba00ab68ca7f2a7819422ed7c6598d4be58b1688c5567c91ac4

Threat Level: Known bad

The file 25843b325b72bba00ab68ca7f2a7819422ed7c6598d4be58b1688c5567c91ac4.bin was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact

Cerberus

Cerberus family

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-09 22:03

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-09 22:03

Reported

2024-12-09 22:05

Platform

android-x86-arm-20240624-en

Max time kernel

139s

Max time network

147s

Command Line

com.receive.program

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.receive.program/app_DynamicOptDex/FE.json N/A N/A
N/A /data/user/0/com.receive.program/app_DynamicOptDex/FE.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.receive.program

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.receive.program/app_DynamicOptDex/FE.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.receive.program/app_DynamicOptDex/oat/x86/FE.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 pngimage.net udp
US 1.1.1.1:53 freeiconshop.com udp
US 172.67.140.187:443 pngimage.net tcp
US 195.179.237.77:443 freeiconshop.com tcp
US 195.179.237.77:443 freeiconshop.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 51.195.150.249:80 51.195.150.249 tcp
GB 51.195.150.249:80 51.195.150.249 tcp
GB 51.195.150.249:80 51.195.150.249 tcp

Files

/data/data/com.receive.program/app_DynamicOptDex/FE.json

MD5 3afecd791a5ec231e56464dc0832c647
SHA1 2fc1bc7ec07138f4fcab373afc4abd10e9c90ddd
SHA256 6e2e7a320fd76f250dd11232154ee373a6ae1398fe6bfba4530def8e7f352b7a
SHA512 758224b59429237a98c33d690320a50a20eb86145d8a6023145e9e4568bf06cc11356a3a32d78c287100d95c1037c7b234eee6d112b72afce5d90f9ee33b77b4

/data/data/com.receive.program/app_DynamicOptDex/FE.json

MD5 eb41ecd1380c23173db98610d7ebaf37
SHA1 3b09693ee38665e76ede0d35ce82c0c964b5ad12
SHA256 c0b0e145ce681b926784e2e081d6790f9044e1926d5cdd4bb9faadca44b8ce1f
SHA512 6b4b3b3c9ec9a54aa625065226be32e7e2e95226f0257bccd9499a5ce1635c9e213d01b1167de408e4e5b599678e08cac8b5b24c4a2926ff5b709ac110197801

/data/user/0/com.receive.program/app_DynamicOptDex/FE.json

MD5 911666e22b82ead3521944d11a49f578
SHA1 ccfca261159f1e77b4bc6f6f751e052425e0488f
SHA256 e5bbf12da75f5fa65858f9eba99922c742723e2c6206ee7568f0c16cc4ce6289
SHA512 fe2fc73c2fa4156f3d03bffd95bf53d464b520feb3318f4c403e5ea63b71f0cae3b48750398b90e8f75bd00d0a73db758db2cef3733fa6c16294c62bdd61b7e7

/data/user/0/com.receive.program/app_DynamicOptDex/FE.json

MD5 df6211df98c22223168d126c9b1c1b67
SHA1 d075af69730122a1d1539e2069c6ce5356a09191
SHA256 cd75fc44815016efd4ad7b6b66f45a525d4304f3f8b4fdfda28ed3832be596c8
SHA512 76c6127f9795960ceb4d70ae7fbfa899239fc6a5665c62367e3d650d0d5b3b51b9aaf577e6639513cf2c52d8c843a60aaa03230503989d3bbed7e10ae6129833

/data/data/com.receive.program/app_DynamicOptDex/oat/FE.json.cur.prof

MD5 c59df11aa6929d308addd73eb0adb746
SHA1 147d7d954fbdcfb3abc5531ef3671b43d4717dc0
SHA256 6ce45bcebe0c070182a3fcca26c5cb4d5a62750f898fe8dc7f4edc4eb096b9fa
SHA512 d2c571c4b6d5db10e186471c211eb0588f106a0fc5371a22a1b4b251d6ea16d4891ac0cd014a14f9c5359c57e3b30226c511ac18b1d9502ada815a3831e4549e

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-09 22:03

Reported

2024-12-09 22:05

Platform

android-x64-20240910-en

Max time kernel

43s

Max time network

152s

Command Line

com.receive.program

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.receive.program/app_DynamicOptDex/FE.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.receive.program

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 pngimage.net udp
US 1.1.1.1:53 freeiconshop.com udp
US 195.179.237.77:443 freeiconshop.com tcp
US 104.21.33.28:443 pngimage.net tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 51.195.150.249:80 51.195.150.249 tcp
GB 51.195.150.249:80 51.195.150.249 tcp
GB 51.195.150.249:80 51.195.150.249 tcp
GB 51.195.150.249:80 51.195.150.249 tcp
GB 51.195.150.249:80 51.195.150.249 tcp
GB 216.58.201.98:443 tcp
GB 51.195.150.249:80 51.195.150.249 tcp

Files

/data/data/com.receive.program/app_DynamicOptDex/FE.json

MD5 3afecd791a5ec231e56464dc0832c647
SHA1 2fc1bc7ec07138f4fcab373afc4abd10e9c90ddd
SHA256 6e2e7a320fd76f250dd11232154ee373a6ae1398fe6bfba4530def8e7f352b7a
SHA512 758224b59429237a98c33d690320a50a20eb86145d8a6023145e9e4568bf06cc11356a3a32d78c287100d95c1037c7b234eee6d112b72afce5d90f9ee33b77b4

/data/data/com.receive.program/app_DynamicOptDex/FE.json

MD5 eb41ecd1380c23173db98610d7ebaf37
SHA1 3b09693ee38665e76ede0d35ce82c0c964b5ad12
SHA256 c0b0e145ce681b926784e2e081d6790f9044e1926d5cdd4bb9faadca44b8ce1f
SHA512 6b4b3b3c9ec9a54aa625065226be32e7e2e95226f0257bccd9499a5ce1635c9e213d01b1167de408e4e5b599678e08cac8b5b24c4a2926ff5b709ac110197801

/data/user/0/com.receive.program/app_DynamicOptDex/FE.json

MD5 911666e22b82ead3521944d11a49f578
SHA1 ccfca261159f1e77b4bc6f6f751e052425e0488f
SHA256 e5bbf12da75f5fa65858f9eba99922c742723e2c6206ee7568f0c16cc4ce6289
SHA512 fe2fc73c2fa4156f3d03bffd95bf53d464b520feb3318f4c403e5ea63b71f0cae3b48750398b90e8f75bd00d0a73db758db2cef3733fa6c16294c62bdd61b7e7

/data/data/com.receive.program/app_DynamicOptDex/oat/FE.json.cur.prof

MD5 77c399cbedfb5fb8cacb97262a4d30c3
SHA1 8a1ca30072aec95dea2b9836df695534926a3231
SHA256 0aba06cb23f1f870d42e2686ea2722934be105a1e273e988280057a562917c41
SHA512 0cf0eb6875247842a18e00d33a7e1fe4796c6deb9dfc96d3d9610465417d1d0702a1f4f7c43d32c82307ab7a6ce77fad2ba9b0987a940d3bc7f045939915aba5

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-09 22:03

Reported

2024-12-09 22:05

Platform

android-x64-arm64-20240624-en

Max time kernel

61s

Max time network

148s

Command Line

com.receive.program

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.receive.program/app_DynamicOptDex/FE.json N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.receive.program/app_DynamicOptDex/FE.json] N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.receive.program/app_DynamicOptDex/FE.json] N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.receive.program

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 pngimage.net udp
US 1.1.1.1:53 freeiconshop.com udp
US 195.179.237.77:443 freeiconshop.com tcp
US 104.21.33.28:443 pngimage.net tcp
GB 51.195.150.249:80 51.195.150.249 tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
GB 51.195.150.249:80 51.195.150.249 tcp
GB 51.195.150.249:80 51.195.150.249 tcp
GB 51.195.150.249:80 51.195.150.249 tcp
GB 51.195.150.249:80 51.195.150.249 tcp
GB 51.195.150.249:80 51.195.150.249 tcp
GB 51.195.150.249:80 51.195.150.249 tcp
GB 51.195.150.249:80 51.195.150.249 tcp

Files

/data/data/com.receive.program/app_DynamicOptDex/FE.json

MD5 3afecd791a5ec231e56464dc0832c647
SHA1 2fc1bc7ec07138f4fcab373afc4abd10e9c90ddd
SHA256 6e2e7a320fd76f250dd11232154ee373a6ae1398fe6bfba4530def8e7f352b7a
SHA512 758224b59429237a98c33d690320a50a20eb86145d8a6023145e9e4568bf06cc11356a3a32d78c287100d95c1037c7b234eee6d112b72afce5d90f9ee33b77b4

/data/data/com.receive.program/app_DynamicOptDex/FE.json

MD5 eb41ecd1380c23173db98610d7ebaf37
SHA1 3b09693ee38665e76ede0d35ce82c0c964b5ad12
SHA256 c0b0e145ce681b926784e2e081d6790f9044e1926d5cdd4bb9faadca44b8ce1f
SHA512 6b4b3b3c9ec9a54aa625065226be32e7e2e95226f0257bccd9499a5ce1635c9e213d01b1167de408e4e5b599678e08cac8b5b24c4a2926ff5b709ac110197801

/data/user/0/com.receive.program/app_DynamicOptDex/FE.json

MD5 911666e22b82ead3521944d11a49f578
SHA1 ccfca261159f1e77b4bc6f6f751e052425e0488f
SHA256 e5bbf12da75f5fa65858f9eba99922c742723e2c6206ee7568f0c16cc4ce6289
SHA512 fe2fc73c2fa4156f3d03bffd95bf53d464b520feb3318f4c403e5ea63b71f0cae3b48750398b90e8f75bd00d0a73db758db2cef3733fa6c16294c62bdd61b7e7

/data/data/com.receive.program/app_DynamicOptDex/oat/FE.json.cur.prof

MD5 2f305480f776fbe5cd020c7cf62b017e
SHA1 2e5359be0a38143a471c35f374ea94fb612d6151
SHA256 c58ff8c129b58337b4356814e12df6073d3b71e63b9f2c1154cc1922ad932d2b
SHA512 22b9617f74634c8f3e4722534ee49f3caffdefd2cd04344c6e44604ea6b589d84d361aeebe06e8cebcc9e73b1763d2a9f7087fee46582c18aa5930117f8c080b