Malware Analysis Report

2025-01-19 05:13

Sample ID: 241214-13bxpaxndm
Target: f6dc913225e2d474af7351e72c3a25d1f0a19c58e4ff232f8b343c0ed3f8fccb.bin
SHA256: f6dc913225e2d474af7351e72c3a25d1f0a19c58e4ff232f8b343c0ed3f8fccb
Tags: cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: f6dc913225e2d474af7351e72c3a25d1f0a19c58e4ff232f8b343c0ed3f8fccb

Threat Level: Known bad

The file f6dc913225e2d474af7351e72c3a25d1f0a19c58e4ff232f8b343c0ed3f8fccb.bin was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact

Cerberus family

Cerberus

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Declares services with permission to bind to the system

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-14 22:10

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-14 22:10
Reported: 2024-12-14 22:12
Platform: android-x86-arm-20240910-en
Max time kernel: 52s
Max time network: 152s

Command Line

com.foster.grief

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.foster.grief/app_DynamicOptDex/FTJZ.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.foster.grief

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 freeiconshop.com udp
US 1.1.1.1:53 pngimage.net udp
US 195.179.237.77:443 freeiconshop.com tcp
US 172.67.140.187:443 pngimage.net tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
GB 142.250.200.2:443 tcp

Files

/data/data/com.foster.grief/app_DynamicOptDex/FTJZ.json

MD5 a9b945418a5ca87d1afc41c4b1a69173
SHA1 9a5b6c904ad4bd6c8f3575e1143989af759bf84f
SHA256 2f4d4c0d219c339f0ced2b3cadad3ea5e0660fd768a03e1eec5c378690595593
SHA512 4e3ebea2264c3c2448cb96931575e0202213e35f4e589f951ac2b06f90f0196b5958ec06a3402c2099ccee55964d38357682130b51353d0e4d10548c5794e292

/data/data/com.foster.grief/app_DynamicOptDex/FTJZ.json

MD5 37bb4840349f61aadb719dcd37d80f36
SHA1 beba50a58157dace010b36b2670e23ed2eed8363
SHA256 6f7ae0980724939f70cd370d72bb519f284e9dc0a99cf84a724f320580d47281
SHA512 a75c7cfc67d26a27efc88ceddafef487ea1c40a742c1c0efc046f7efc735826fcb738178de46f088d9464537ca94a796516746620e47ce2ba5aa1648b19c039e

/data/user/0/com.foster.grief/app_DynamicOptDex/FTJZ.json

MD5 49066cdefd54aeb385ffe98aac837787
SHA1 03e3e6e2049c4c3f3416e552f859fc8e6dd08ade
SHA256 066f88a10f433fec31050908bec2d9a1d5810240238e1e8a3571969e7c495e97
SHA512 86a2a7d17a61bac794348dca5ce7734c499cbf81a4918b1f9af619e196070e84c34929e17ef6fc575ebe2ae2327e0d461f7e0c1baf2303f79a70f62a4dcd6853

/data/data/com.foster.grief/app_DynamicOptDex/oat/FTJZ.json.cur.prof

MD5 ce2915fa41603311d5f13a6207a9812c
SHA1 faabdfaeea1f00c550a805a1fd421fc9ebc0fbb1
SHA256 9cfe184e5eebb03fc77d586396cb9d3da325fb2acbed157382b9436cb530dab2
SHA512 8593cb7fac24aedee10babbe63cf5ea26406af984c350edd214b7c610350dd2c69624d54bd178889819d8aa4117684df310f598f70e28ed037cf117045925682

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-14 22:10
Reported: 2024-12-14 22:12
Platform: android-x64-20240910-en
Max time kernel: 43s
Max time network: 153s

Command Line

com.foster.grief

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.foster.grief/app_DynamicOptDex/FTJZ.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.foster.grief

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.10:443 tcp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 freeiconshop.com udp
US 1.1.1.1:53 pngimage.net udp
US 195.179.237.77:443 freeiconshop.com tcp
US 172.67.140.187:443 pngimage.net tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.200:443 ssl.google-analytics.com tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
GB 216.58.213.2:443 tcp
US 5.78.71.159:80 5.78.71.159 tcp

Files

/data/data/com.foster.grief/app_DynamicOptDex/FTJZ.json

MD5 a9b945418a5ca87d1afc41c4b1a69173
SHA1 9a5b6c904ad4bd6c8f3575e1143989af759bf84f
SHA256 2f4d4c0d219c339f0ced2b3cadad3ea5e0660fd768a03e1eec5c378690595593
SHA512 4e3ebea2264c3c2448cb96931575e0202213e35f4e589f951ac2b06f90f0196b5958ec06a3402c2099ccee55964d38357682130b51353d0e4d10548c5794e292

/data/data/com.foster.grief/app_DynamicOptDex/FTJZ.json

MD5 37bb4840349f61aadb719dcd37d80f36
SHA1 beba50a58157dace010b36b2670e23ed2eed8363
SHA256 6f7ae0980724939f70cd370d72bb519f284e9dc0a99cf84a724f320580d47281
SHA512 a75c7cfc67d26a27efc88ceddafef487ea1c40a742c1c0efc046f7efc735826fcb738178de46f088d9464537ca94a796516746620e47ce2ba5aa1648b19c039e

/data/user/0/com.foster.grief/app_DynamicOptDex/FTJZ.json

MD5 49066cdefd54aeb385ffe98aac837787
SHA1 03e3e6e2049c4c3f3416e552f859fc8e6dd08ade
SHA256 066f88a10f433fec31050908bec2d9a1d5810240238e1e8a3571969e7c495e97
SHA512 86a2a7d17a61bac794348dca5ce7734c499cbf81a4918b1f9af619e196070e84c34929e17ef6fc575ebe2ae2327e0d461f7e0c1baf2303f79a70f62a4dcd6853

/data/data/com.foster.grief/app_DynamicOptDex/oat/FTJZ.json.cur.prof

MD5 3a05afad8f1e9483cc13fcb9d13a9cf9
SHA1 97000285511d85f5662ef707215e437fdae0e09d
SHA256 6416e8f6d6634eb07fa49d6aebd2651e8116d7dd5789c584baad18010b0438f9
SHA512 161cc6ec4da08dabaaafbf3f173c08c70f080ab3005e7a0169c11375d6dc2150ff173e1dc91a1a12c1e7229ea10bafbd72b7d7ca5104a4fe2908fbb69c876089

Analysis: behavioral3

Detonation Overview

Submitted: 2024-12-14 22:10
Reported: 2024-12-14 22:12
Platform: android-x64-arm64-20240910-en
Max time kernel: 37s
Max time network: 150s

Command Line

com.foster.grief

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.foster.grief/app_DynamicOptDex/FTJZ.json N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.foster.grief/app_DynamicOptDex/FTJZ.json] N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.foster.grief/app_DynamicOptDex/FTJZ.json] N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.foster.grief

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.178.14:443 www.youtube.com tcp
GB 216.58.212.206:443 www.youtube.com udp
GB 216.58.212.206:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 1.1.1.1:53 freeiconshop.com udp
US 1.1.1.1:53 pngimage.net udp
US 195.179.237.77:443 freeiconshop.com tcp
US 104.21.33.28:443 pngimage.net tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 216.239.36.223:443 tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
US 5.78.71.159:80 5.78.71.159 tcp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.193:443 tcp
GB 216.58.201.97:443 tcp
US 216.239.34.223:443 tcp
US 216.239.34.223:443 tcp

Files

/data/data/com.foster.grief/app_DynamicOptDex/FTJZ.json

MD5 a9b945418a5ca87d1afc41c4b1a69173
SHA1 9a5b6c904ad4bd6c8f3575e1143989af759bf84f
SHA256 2f4d4c0d219c339f0ced2b3cadad3ea5e0660fd768a03e1eec5c378690595593
SHA512 4e3ebea2264c3c2448cb96931575e0202213e35f4e589f951ac2b06f90f0196b5958ec06a3402c2099ccee55964d38357682130b51353d0e4d10548c5794e292

/data/data/com.foster.grief/app_DynamicOptDex/FTJZ.json

MD5 37bb4840349f61aadb719dcd37d80f36
SHA1 beba50a58157dace010b36b2670e23ed2eed8363
SHA256 6f7ae0980724939f70cd370d72bb519f284e9dc0a99cf84a724f320580d47281
SHA512 a75c7cfc67d26a27efc88ceddafef487ea1c40a742c1c0efc046f7efc735826fcb738178de46f088d9464537ca94a796516746620e47ce2ba5aa1648b19c039e

/data/user/0/com.foster.grief/app_DynamicOptDex/FTJZ.json

MD5 49066cdefd54aeb385ffe98aac837787
SHA1 03e3e6e2049c4c3f3416e552f859fc8e6dd08ade
SHA256 066f88a10f433fec31050908bec2d9a1d5810240238e1e8a3571969e7c495e97
SHA512 86a2a7d17a61bac794348dca5ce7734c499cbf81a4918b1f9af619e196070e84c34929e17ef6fc575ebe2ae2327e0d461f7e0c1baf2303f79a70f62a4dcd6853