Malware Analysis Report

2025-01-19 05:13

Sample ID 241210-1w1mgawmel
Target 9c7afcaff754719f597a43b13575dfe4eb8d0af733734b19f9acff0ae772019c.bin
SHA256 9c7afcaff754719f597a43b13575dfe4eb8d0af733734b19f9acff0ae772019c
Tags
cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan privilege_escalation
score
10/10


Analysis Overview


Threat Level: Known bad

The file 9c7afcaff754719f597a43b13575dfe4eb8d0af733734b19f9acff0ae772019c.bin was found to be: Known bad.

Malicious Activity Summary


Cerberus family

Cerberus

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Requests changing the default SMS application.

Declares broadcast receivers with permission to handle system events

Tries to add a device administrator.

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-12-10 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-10 22:00

Reported

2024-12-10 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

79s

Max time network

131s

Command Line

com.clarify.aim

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.clarify.aim/app_DynamicOptDex/FgoFXgf.json | N/A | N/A
N/A | /data/user/0/com.clarify.aim/app_DynamicOptDex/FgoFXgf.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.clarify.aim

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.clarify.aim/app_DynamicOptDex/FgoFXgf.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.clarify.aim/app_DynamicOptDex/oat/x86/FgoFXgf.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
RU | 94.250.253.26:80 | 94.250.253.26 | tcp
RU | 94.250.253.26:80 | 94.250.253.26 | tcp

Files

/data/data/com.clarify.aim/app_DynamicOptDex/FgoFXgf.json

/data/data/com.clarify.aim/app_DynamicOptDex/FgoFXgf.json

/data/user/0/com.clarify.aim/app_DynamicOptDex/FgoFXgf.json

/data/user/0/com.clarify.aim/app_DynamicOptDex/FgoFXgf.json

/data/data/com.clarify.aim/app_DynamicOptDex/oat/FgoFXgf.json.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-10 22:00

Reported

2024-12-10 22:03

Platform

android-x64-20240624-en

Max time kernel

69s

Max time network

150s

Command Line

com.clarify.aim

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.clarify.aim/app_DynamicOptDex/FgoFXgf.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.clarify.aim

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
RU | 94.250.253.26:80 | 94.250.253.26 | tcp
GB | 216.58.213.10:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
RU | 94.250.253.26:80 | 94.250.253.26 | tcp
RU | 94.250.253.26:80 | 94.250.253.26 | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.200.34:443 | | tcp
RU | 94.250.253.26:80 | 94.250.253.26 | tcp
RU | 94.250.253.26:80 | 94.250.253.26 | tcp
RU | 94.250.253.26:80 | 94.250.253.26 | tcp
RU | 94.250.253.26:80 | 94.250.253.26 | tcp

Files

/data/data/com.clarify.aim/app_DynamicOptDex/FgoFXgf.json

/data/data/com.clarify.aim/app_DynamicOptDex/FgoFXgf.json

/data/user/0/com.clarify.aim/app_DynamicOptDex/FgoFXgf.json

/data/data/com.clarify.aim/app_DynamicOptDex/oat/FgoFXgf.json.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-10 22:00

Reported

2024-12-10 22:03

Platform

android-x64-arm64-20240624-en

Max time kernel

105s

Max time network

155s

Command Line

com.clarify.aim

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.clarify.aim/app_DynamicOptDex/FgoFXgf.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.clarify.aim

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.169.42:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp
RU | 94.250.253.26:80 | 94.250.253.26 | tcp
RU | 94.250.253.26:80 | 94.250.253.26 | tcp
RU | 94.250.253.26:80 | 94.250.253.26 | tcp
RU | 94.250.253.26:80 | 94.250.253.26 | tcp
RU | 94.250.253.26:80 | 94.250.253.26 | tcp
RU | 94.250.253.26:80 | 94.250.253.26 | tcp

Files

/data/user/0/com.clarify.aim/app_DynamicOptDex/FgoFXgf.json

/data/user/0/com.clarify.aim/app_DynamicOptDex/FgoFXgf.json

/data/user/0/com.clarify.aim/app_DynamicOptDex/FgoFXgf.json

/data/data/com.clarify.aim/app_DynamicOptDex/oat/FgoFXgf.json.cur.prof