Malware Analysis Report

2025-01-19 05:12

Sample ID 241215-1ylaka1jgl
Target b4b4ece945c624bc320176b247f00738b3cc9303ec18e4b6e0c3c615a2b258e6.bin
SHA256 b4b4ece945c624bc320176b247f00738b3cc9303ec18e4b6e0c3c615a2b258e6
Tags: cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: b4b4ece945c624bc320176b247f00738b3cc9303ec18e4b6e0c3c615a2b258e6

Threat Level: Known bad

The file b4b4ece945c624bc320176b247f00738b3cc9303ec18e4b6e0c3c615a2b258e6.bin was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact

Cerberus

Cerberus family

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-15 22:03

Signatures

Declares broadcast receivers with permission to handle system events

Indicator: android.permission.BIND_DEVICE_ADMIN
Description: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
Description: Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions

android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.REQUEST_INSTALL_PACKAGES: Allows an application to request installing packages.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
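The static signatures above list the permission set one entry at a time. As an added example (not tooling from this report), the following Python scores a decoded AndroidManifest.xml for the overlay-banker profile those entries form together: SMS read/receive/send, SYSTEM_ALERT_WINDOW, REQUEST_INSTALL_PACKAGES, and components declared with BIND_ACCESSIBILITY_SERVICE or BIND_DEVICE_ADMIN. The weights, the component names and both sample manifests are constructed for the example; only the package name com.there.card and the permission names come from the report.

```python
"""Score a decoded AndroidManifest.xml for the overlay-banker permission
profile: SMS access, overlay windows, package sideloading, and components
that bind to the accessibility and device-admin frameworks.

Added triage example. Weights, component names and both sample manifests
are constructed for this example, not taken from the sandbox report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Heuristic weights (assumed). Storage permissions are too common in benign
# apps to carry weight on their own, but are still reported as hits.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS": 2,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.SEND_SMS": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 3,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
    "android.permission.CALL_PHONE": 1,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 0,
    "android.permission.WRITE_EXTERNAL_STORAGE": 0,
}
# These appear as android:permission on a <service>/<receiver>: the component
# is declared so the system can bind to it, which is not a uses-permission.
BINDING_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,
    "android.permission.BIND_DEVICE_ADMIN": 3,
}
# Overlay + SMS interception + accessibility service: the classic combination.
BANKER_TRIAD = (
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECEIVE_SMS",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
)


def parse_manifest(xml_text):
    """Return (permissions requested via uses-permission, component binding permissions)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    bindings = set()
    for tag in ("service", "receiver"):
        for component in root.iter(tag):
            perm = component.get(ANDROID_NS + "permission")
            if perm:
                bindings.add(perm)
    return requested, bindings


def score_manifest(xml_text):
    requested, bindings = parse_manifest(xml_text)
    hits = {p: w for p, w in DANGEROUS_PERMISSIONS.items() if p in requested}
    hits.update({p: w for p, w in BINDING_PERMISSIONS.items() if p in bindings})
    return {
        "score": sum(hits.values()),
        "hits": sorted(hits),
        "banker_triad": all(p in hits for p in BANKER_TRIAD),
    }


# Constructed manifest reproducing the permission set from the static
# signatures above; the two component names are invented.
BANKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.there.card">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed control case: one harmless permission, no privileged bindings.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("banker-like", BANKER_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, score_manifest(text))
```

Run it on the AndroidManifest.xml that apktool decodes from the APK. The two "bind to the system" hits in the static signatures come from the android:permission attribute on a service and a receiver, not from uses-permission entries, which is why the script reads both places before scoring.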

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-15 22:03
Reported: 2024-12-15 22:06
Platform: android-x86-arm-20240910-en
Max time kernel: 102s
Max time network: 154s

Command Line

com.there.card

Signatures

Cerberus

Tags: banker trojan infostealer evasion rat cerberus

Cerberus family

Tags: cerberus

Removes its main activity from the application launcher

Tags: stealth trojan evasion
No indicator recorded for this signature.

Loads dropped Dex/Jar

Tags: evasion
Dropped Dex/Jar loaded (2 occurrences): /data/user/0/com.there.card/app_DynamicOptDex/wQ.json

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Performs UI accessibility actions on behalf of the user

Tags: evasion
Indicator (4 calls): android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Queries the mobile country code (MCC)

Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Listens for changes in the sensor environment (might be used to detect emulation)

Tags: evasion
Framework API call: android.hardware.SensorManager.registerListener

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo

Processes

com.there.card

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.there.card/app_DynamicOptDex/wQ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.there.card/app_DynamicOptDex/oat/x86/wQ.odex --compiler-filter=quicken --class-loader-context=&
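The dex2oat command above is compiling /data/user/0/com.there.card/app_DynamicOptDex/wQ.json, so the .json name is a disguise for a DEX file the app wrote at runtime. As an added example (not part of the report), this Python identifies a dropped DEX from its header instead of its extension and verifies the adler32 checksum and SHA-1 signature the DEX format carries, so a patched or truncated drop is told apart from an intact one. The fixture bytes are constructed inside the script and are not the real wQ.json (whose hashes are listed under Files).

```python
"""Identify a dropped DEX by its header rather than its file name, and
validate the header fields dex2oat itself relies on: magic, adler32
checksum, SHA-1 signature, file_size and header_size.

Added analysis example; the fixture is constructed here, not the sample's wQ.json."""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
ZIP_MAGIC = b"PK\x03\x04"  # APK/JAR containers start as ZIP


def inspect_dex(blob):
    """Return header checks for a DEX blob, or None if it is not DEX-shaped."""
    if len(blob) < DEX_HEADER_SIZE or blob[:4] != b"dex\n" or blob[7] != 0:
        return None
    checksum, = struct.unpack_from("<I", blob, 8)
    signature = blob[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", blob, 32)
    return {
        "version": blob[4:7].decode("ascii", "replace"),
        # adler32 covers everything after the checksum field itself
        "checksum_ok": checksum == (zlib.adler32(blob[12:]) & 0xFFFFFFFF),
        # SHA-1 covers everything after the signature field
        "signature_ok": signature == hashlib.sha1(blob[32:]).digest(),
        "file_size_ok": file_size == len(blob),
        "header_size_ok": header_size == DEX_HEADER_SIZE,
        "endian_tag": hex(endian_tag),
    }


def triage_dropped_file(path, blob):
    """One-line verdict comparing the file extension with the real container type."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    dex = inspect_dex(blob)
    if dex is not None:
        state = "intact" if dex["checksum_ok"] and dex["signature_ok"] else "header/body mismatch"
        note = " masquerading as ." + ext if ext not in ("dex", "") else ""
        return f"DEX v{dex['version']}{note} ({state})"
    if blob[:4] == ZIP_MAGIC:
        note = f" masquerading as .{ext}" if ext not in ("apk", "jar", "zip", "") else ""
        return "ZIP container (APK/JAR)" + note
    if blob.lstrip()[:1] in (b"{", b"["):
        return "looks like real JSON"
    return "unknown format"


def build_fake_dex(payload=b"", version=b"035"):
    """Constructed fixture: a minimal DEX header with a correct checksum and
    signature over a zero-filled header body plus payload. Not a loadable DEX."""
    total = DEX_HEADER_SIZE + len(payload)
    tail = (struct.pack("<III", total, DEX_HEADER_SIZE, 0x12345678)
            + b"\x00" * (DEX_HEADER_SIZE - 44) + payload)
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return b"dex\n" + version + b"\x00" + struct.pack("<I", checksum) + signature + tail


if __name__ == "__main__":
    fake = build_fake_dex(b"classes go here")
    print(triage_dropped_file("app_DynamicOptDex/wQ.json", fake))
    print(triage_dropped_file("wQ.json", b'{"config": 1}'))
    print(triage_dropped_file("wQ.json", fake[:-1] + b"!"))  # last byte patched
```

The same check applies to the [anon:dalvik-classes.dex extracted in memory ...] regions that behavioral3 reports: a DEX carved from a memory dump usually still carries an intact header even when the on-disk file has been deleted or overwritten.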

Network

Country Destination Domain Proto (- = no domain observed for the connection)
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 pngimage.net udp
US 1.1.1.1:53 freeiconshop.com udp
US 172.67.140.187:443 pngimage.net tcp
US 195.179.237.77:443 freeiconshop.com tcp
GB 216.58.212.238:443 - tcp
GB 216.58.212.238:443 - tcp
GB 216.58.212.238:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 5.161.217.34:80 5.161.217.34 tcp
GB 172.217.16.228:80 - tcp
GB 172.217.16.228:443 - tcp
GB 142.250.200.35:80 - tcp

Files

/data/data/com.there.card/app_DynamicOptDex/wQ.json

MD5 75d5e85114c1ca8533e15bb5c9bd4175
SHA1 10da87a3491ba81566a1320190c6efb99ed38943
SHA256 c894fbcf00c3dd6770abb86f1d7bbc99abe4a0d1876ab83dedaf3293da2d6689
SHA512 234c423a1c8a1bf15c5467a994c36c615926dc0544a4c4f36272d08a1acf65e0957759619891c24d61cc1f135488ed78586f7b82b44d0f6a2ca48daa5c26abdf

/data/data/com.there.card/app_DynamicOptDex/wQ.json

MD5 1bc426827e019506183381ccfc4258fe
SHA1 46469ee86390ae1a8c98f1632b1d8ed18ec7dfa3
SHA256 99dd7a16a996a9808c9dc7f029f53212fc89f84b89ecf4fd285850964f51834d
SHA512 26808747316116f411a530b03985303d582975a688e5589f3603d8c09ba56ba88e4374c94126051f5bdb27463de062afe10feb1718b18255a6052cb270ff344c

/data/user/0/com.there.card/app_DynamicOptDex/wQ.json

MD5 bfce3902d48e51fee4361e9aaa0a659b
SHA1 e45ab73b51b6cd31901e6fa197a11afefdd1ea06
SHA256 80dae8f525c99dae8513432657450a8680dad67c710d9417e6d5bc93694c13fa
SHA512 8dbad75298c4746856166a3a6f5bf6e5e1f87883823e91c1904fec8a94afb81b53b05e3fea020712535f35f4d3a10b2e78cba4658d7dd8923dead33f7ef4d68f

/data/user/0/com.there.card/app_DynamicOptDex/wQ.json

MD5 5d5fd9c8177b65f1ec43539d5eaa4f8b
SHA1 f882c2ac6fa63bf33efef1c12da65003480e5d91
SHA256 421bf307dd4b7b98efcbac68e864a6e5b1bec6bac84912257c79fc877c0782bc
SHA512 95dde2d6f3d988e1a2b4f7a3c4b14131ffc1ad1c4ff0db05af76a2096934692dfd9663c7913e9058df1f0c217f736f16ae1e4eebeca92b49de110c191607edfe

/data/data/com.there.card/app_DynamicOptDex/oat/wQ.json.cur.prof

MD5 e03009440d7d06066cc6daf14e8a0459
SHA1 a4f2de175cf4d31216e676f65774cc32485897ea
SHA256 52854c002488e5e9c625a237ce4a0af23d471c6ca5ae5f497e46313c0bb23117
SHA512 5fd9843bf0b119bd79cdd0f1c214a22ce885cabb7d81e844a753074ba1922aab66663b427e324c4a107dcc97949000b14392ad75adb2d4362d0abc71d48445bd

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-15 22:03
Reported: 2024-12-15 22:06
Platform: android-x64-20240910-en
Max time kernel: 28s
Max time network: 152s

Command Line

com.there.card

Signatures

Cerberus

Tags: banker trojan infostealer evasion rat cerberus

Cerberus family

Tags: cerberus

Removes its main activity from the application launcher

Tags: stealth trojan evasion
No indicator recorded for this signature.

Loads dropped Dex/Jar

Tags: evasion
Dropped Dex/Jar loaded: /data/user/0/com.there.card/app_DynamicOptDex/wQ.json

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Performs UI accessibility actions on behalf of the user

Tags: evasion
Indicator (4 calls): android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Queries the mobile country code (MCC)

Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Listens for changes in the sensor environment (might be used to detect emulation)

Tags: evasion
Framework API call: android.hardware.SensorManager.registerListener

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo

Processes

com.there.card

Network

Country Destination Domain Proto (- = no domain observed for the connection)
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 pngimage.net udp
US 1.1.1.1:53 freeiconshop.com udp
US 172.67.140.187:443 pngimage.net tcp
US 195.179.237.77:443 freeiconshop.com tcp
GB 142.250.180.14:443 - tcp
GB 142.250.180.14:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.46:443 android.apis.google.com tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
GB 216.58.201.98:443 - tcp
US 5.161.217.34:80 5.161.217.34 tcp

Files

/data/data/com.there.card/app_DynamicOptDex/wQ.json

MD5 75d5e85114c1ca8533e15bb5c9bd4175
SHA1 10da87a3491ba81566a1320190c6efb99ed38943
SHA256 c894fbcf00c3dd6770abb86f1d7bbc99abe4a0d1876ab83dedaf3293da2d6689
SHA512 234c423a1c8a1bf15c5467a994c36c615926dc0544a4c4f36272d08a1acf65e0957759619891c24d61cc1f135488ed78586f7b82b44d0f6a2ca48daa5c26abdf

/data/data/com.there.card/app_DynamicOptDex/wQ.json

MD5 1bc426827e019506183381ccfc4258fe
SHA1 46469ee86390ae1a8c98f1632b1d8ed18ec7dfa3
SHA256 99dd7a16a996a9808c9dc7f029f53212fc89f84b89ecf4fd285850964f51834d
SHA512 26808747316116f411a530b03985303d582975a688e5589f3603d8c09ba56ba88e4374c94126051f5bdb27463de062afe10feb1718b18255a6052cb270ff344c

/data/user/0/com.there.card/app_DynamicOptDex/wQ.json

MD5 bfce3902d48e51fee4361e9aaa0a659b
SHA1 e45ab73b51b6cd31901e6fa197a11afefdd1ea06
SHA256 80dae8f525c99dae8513432657450a8680dad67c710d9417e6d5bc93694c13fa
SHA512 8dbad75298c4746856166a3a6f5bf6e5e1f87883823e91c1904fec8a94afb81b53b05e3fea020712535f35f4d3a10b2e78cba4658d7dd8923dead33f7ef4d68f

Analysis: behavioral3

Detonation Overview

Submitted: 2024-12-15 22:03
Reported: 2024-12-15 22:06
Platform: android-x64-arm64-20240910-en
Max time kernel: 55s
Max time network: 159s

Command Line

com.there.card

Signatures

Cerberus

Tags: banker trojan infostealer evasion rat cerberus

Cerberus family

Tags: cerberus

Removes its main activity from the application launcher

Tags: stealth trojan evasion
No indicator recorded for this signature.

Loads dropped Dex/Jar

Tags: evasion
Dropped Dex/Jar loaded: /data/user/0/com.there.card/app_DynamicOptDex/wQ.json
Dex extracted in memory (2 occurrences): [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.there.card/app_DynamicOptDex/wQ.json]

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Performs UI accessibility actions on behalf of the user

Tags: evasion
Indicator (4 calls): android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Queries the mobile country code (MCC)

Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Listens for changes in the sensor environment (might be used to detect emulation)

Tags: evasion
Framework API call: android.hardware.SensorManager.registerListener

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo

Processes

com.there.card

Network

Country Destination Domain Proto (- = no domain observed for the connection)
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 www.youtube.com udp
GB 142.250.200.46:443 www.youtube.com tcp
GB 172.217.169.78:443 android.apis.google.com tcp
GB 172.217.169.78:443 android.apis.google.com tcp
US 216.239.32.223:443 - tcp
US 1.1.1.1:53 freeiconshop.com udp
US 1.1.1.1:53 pngimage.net udp
US 195.179.237.77:443 freeiconshop.com tcp
US 104.21.33.28:443 pngimage.net tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
GB 172.217.16.238:443 www.youtube.com tcp
GB 142.250.187.225:443 - tcp
US 216.239.32.223:443 - tcp
GB 142.250.178.1:443 - tcp
US 216.239.32.223:443 - tcp
US 5.161.217.34:80 5.161.217.34 tcp
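The Network tables of all three behavioral runs mix resolver queries, mDNS, Google platform traffic from the emulator image and a run of repeated cleartext HTTP connections to a bare IP (5.161.217.34:80) that never appears with a resolved name. The report itself does not label any destination as command and control. As an added example (not tooling from the sandbox), this Python parses rows in the table's own format, sets aside DNS and platform noise, and ranks direct-to-IP destinations by repetition and cleartext use so the analyst knows what to pivot on first. The rows embedded below are a subset copied from the behavioral3 table; the list of domains treated as platform noise is this example's assumption.

```python
"""Triage a sandbox Network table: separate resolver and platform noise from
direct-to-IP connections worth pivoting on, ranking by repetition and by
cleartext HTTP. Added example; the noise list is an assumption and the
sample rows are a subset copied from the behavioral3 table."""
from collections import Counter

# Hosts the analyst treats as Android emulator/platform noise (assumption).
PLATFORM_NOISE = {"android.apis.google.com", "ssl.google-analytics.com", "www.youtube.com"}
RESOLVER = "1.1.1.1:53"
MDNS = "224.0.0.251:5353"


def parse_rows(text):
    """Rows are 'Country Destination [Domain] Proto'; Domain may be absent or '-'."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Country":
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 and parts[2] != "-" else None
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def triage(text, beacon_threshold=3):
    rows = parse_rows(text)
    dns_queries, noise, direct_ip, named = set(), [], Counter(), []
    for r in rows:
        ip = r["dest"].rsplit(":", 1)[0]
        if r["dest"] == RESOLVER and r["proto"] == "udp":
            if r["domain"]:          # the Domain column holds the queried name
                dns_queries.add(r["domain"])
        elif r["dest"] == MDNS or r["domain"] in PLATFORM_NOISE:
            noise.append(r["dest"])
        elif r["domain"] is None or r["domain"] == ip:
            direct_ip[r["dest"]] += 1   # no name, or the "name" is the IP itself
        else:
            named.append((r["dest"], r["domain"]))
    candidates = []
    for dest, count in direct_ip.most_common():
        port = dest.rsplit(":", 1)[1]
        candidates.append({"dest": dest, "count": count,
                           "cleartext": port == "80",
                           "beacon_like": count >= beacon_threshold})
    return {"dns_queries": sorted(dns_queries), "noise_rows": len(noise),
            "named": named, "candidates": candidates}


# Subset of the behavioral3 Network table, copied as it appears in the report.
SAMPLE_ROWS = """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.78:443 android.apis.google.com tcp
US 216.239.32.223:443 tcp
US 1.1.1.1:53 freeiconshop.com udp
US 1.1.1.1:53 pngimage.net udp
US 195.179.237.77:443 freeiconshop.com tcp
US 104.21.33.28:443 pngimage.net tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
GB 142.250.187.225:443 tcp
US 216.239.32.223:443 tcp
"""


def top_candidate(text=SAMPLE_ROWS):
    """The destination that most deserves a pivot (most repeated direct-to-IP)."""
    return triage(text)["candidates"][0]


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print("DNS queries:", result["dns_queries"])
    print("named destinations:", result["named"])
    for c in result["candidates"]:
        print("candidate:", c)
```

The two image-hosting names (pngimage.net, freeiconshop.com) surface as named destinations rather than noise: Cerberus-style droppers commonly fetch icons and other resources from such hosts, so they deserve a look but are a weaker lead than a bare IP contacted a dozen times over port 80.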

Files

/data/data/com.there.card/app_DynamicOptDex/wQ.json

MD5 75d5e85114c1ca8533e15bb5c9bd4175
SHA1 10da87a3491ba81566a1320190c6efb99ed38943
SHA256 c894fbcf00c3dd6770abb86f1d7bbc99abe4a0d1876ab83dedaf3293da2d6689
SHA512 234c423a1c8a1bf15c5467a994c36c615926dc0544a4c4f36272d08a1acf65e0957759619891c24d61cc1f135488ed78586f7b82b44d0f6a2ca48daa5c26abdf

/data/data/com.there.card/app_DynamicOptDex/wQ.json

MD5 1bc426827e019506183381ccfc4258fe
SHA1 46469ee86390ae1a8c98f1632b1d8ed18ec7dfa3
SHA256 99dd7a16a996a9808c9dc7f029f53212fc89f84b89ecf4fd285850964f51834d
SHA512 26808747316116f411a530b03985303d582975a688e5589f3603d8c09ba56ba88e4374c94126051f5bdb27463de062afe10feb1718b18255a6052cb270ff344c

/data/user/0/com.there.card/app_DynamicOptDex/wQ.json

MD5 bfce3902d48e51fee4361e9aaa0a659b
SHA1 e45ab73b51b6cd31901e6fa197a11afefdd1ea06
SHA256 80dae8f525c99dae8513432657450a8680dad67c710d9417e6d5bc93694c13fa
SHA512 8dbad75298c4746856166a3a6f5bf6e5e1f87883823e91c1904fec8a94afb81b53b05e3fea020712535f35f4d3a10b2e78cba4658d7dd8923dead33f7ef4d68f

/data/data/com.there.card/app_DynamicOptDex/oat/wQ.json.cur.prof

MD5 b9a110229d5b2b81cd3e86f3ab02624d
SHA1 5e0f706fb7173200ca8999382cef813cf80171f0
SHA256 07818f40ea22390982ba6d388c959779dc28c475ccd1d1f13e22fd1bd0082e7d
SHA512 10463a4d9f01b4988000a520e86c7380b7bdfe675887b6c62ae11a1fd1a130a18b309ca436e4dba92baafa61dca6c6ee888df28bca7e35e45ed12e03a8658d7a