Malware Analysis Report

2025-01-19 05:13

Sample ID 241216-2ht37ssrek
Target a882e22d1b6ea38cbe565ff252757c2f679cbe43d15b8f63bfcc5b045814bf21.bin
SHA256 a882e22d1b6ea38cbe565ff252757c2f679cbe43d15b8f63bfcc5b045814bf21
Tags
cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a882e22d1b6ea38cbe565ff252757c2f679cbe43d15b8f63bfcc5b045814bf21

Threat Level: Known bad

The file a882e22d1b6ea38cbe565ff252757c2f679cbe43d15b8f63bfcc5b045814bf21.bin was found to be: Known bad.

Malicious Activity Summary

cerberus banker collection credential_access discovery evasion infostealer persistence rat stealth trojan impact

Cerberus

Cerberus family

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Declares services with permission to bind to the system

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-16 22:35

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-16 22:35

Reported

2024-12-16 22:38

Platform

android-x86-arm-20240910-en

Max time kernel

40s

Max time network

152s

Command Line

com.kiss.lesson

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json N/A N/A
N/A /data/user/0/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kiss.lesson

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.kiss.lesson/app_DynamicOptDex/oat/x86/KqjBjOU.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
US 1.1.1.1:53 freeiconshop.com udp
US 1.1.1.1:53 pngimage.net udp
US 172.67.140.187:443 pngimage.net tcp
US 195.179.237.77:443 freeiconshop.com tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
GB 142.250.200.2:443 tcp

Files

/data/data/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json

MD5 0a37ad2e4b08c779b6b5394b62558004
SHA1 d6bb04e4f3f7c5b6d63dbd88d0356bd4da4824bb
SHA256 e5e6fa459eb49deb6404f7f0ef11c44123f4ac849a69de8ec9b2aaac4bd26e5f
SHA512 c1e83ac84405868fda0b49c128992c8b7dccea3360aebf34f51fa6f7d132feae1683cbeae8eb7f105e02186744a2228b51118c9e505cc71338278c337b92d191

/data/data/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json

MD5 eda7acbea8ffa9aed628c9a0d5ef46f5
SHA1 6a1f31ef9050e63e2b37398600171944fd19c828
SHA256 1247066411d4cefc353508c8a324a846f0d96beff0ab63abe5452e4ae7f7b1fa
SHA512 0ce386bc52763f8f0c0b26d1d0ea21a1c8156ebd8adba941ca6635640e34891a76e96d6fa6ef748b20d66d3bb9ffa64e42ae41bf891253df0afd974eb561f3b5

/data/user/0/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json

MD5 2597967b27a832a4a0fae00c3bfec0c8
SHA1 964992e5b1e5858a12fe78ba0cc97e7f8c43e47d
SHA256 4bcf149f3b76df0ec62c90580633925436cd7dddf30b932c99fdedfc26bf4b32
SHA512 809eb84ffec82d59eeb6b60c9ad80e32c08a7e7b68706c8a7fe5f13063149234813f64629766c4f768cf8fe9a6bde8ead1e1fceff0a3f8bf123844cb7970a0ea

/data/user/0/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json

MD5 b49b9bfbbef6c79252d7889343c4c261
SHA1 3b0ab234a0346c228ad76dab764e6363fd53c094
SHA256 739e6ae135b74189598e1414a70963929613e75eb063bb4ad14e35e2d037d92a
SHA512 b2c8262a7b0aebe7c5fdc35b322598127eac8d0abfaf92ddf41622d3d3beaed94650a837b0da94ea0cd416babee7c1da7b1fb4c7c0b378f2e2b0b3a56252e5ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-16 22:35

Reported

2024-12-16 22:38

Platform

android-x64-20240624-en

Max time kernel

59s

Max time network

148s

Command Line

com.kiss.lesson

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kiss.lesson

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 freeiconshop.com udp
US 1.1.1.1:53 pngimage.net udp
US 195.179.237.77:443 freeiconshop.com tcp
US 104.21.33.28:443 pngimage.net tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 5.161.217.34:80 5.161.217.34 tcp
GB 142.250.180.4:443 tcp
US 5.161.217.34:80 5.161.217.34 tcp
GB 142.250.180.4:443 tcp
US 5.161.217.34:80 5.161.217.34 tcp
GB 216.58.201.98:443 tcp
GB 172.217.169.46:443 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp

Files

/data/data/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json

MD5 0a37ad2e4b08c779b6b5394b62558004
SHA1 d6bb04e4f3f7c5b6d63dbd88d0356bd4da4824bb
SHA256 e5e6fa459eb49deb6404f7f0ef11c44123f4ac849a69de8ec9b2aaac4bd26e5f
SHA512 c1e83ac84405868fda0b49c128992c8b7dccea3360aebf34f51fa6f7d132feae1683cbeae8eb7f105e02186744a2228b51118c9e505cc71338278c337b92d191

/data/data/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json

MD5 eda7acbea8ffa9aed628c9a0d5ef46f5
SHA1 6a1f31ef9050e63e2b37398600171944fd19c828
SHA256 1247066411d4cefc353508c8a324a846f0d96beff0ab63abe5452e4ae7f7b1fa
SHA512 0ce386bc52763f8f0c0b26d1d0ea21a1c8156ebd8adba941ca6635640e34891a76e96d6fa6ef748b20d66d3bb9ffa64e42ae41bf891253df0afd974eb561f3b5

/data/user/0/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json

MD5 2597967b27a832a4a0fae00c3bfec0c8
SHA1 964992e5b1e5858a12fe78ba0cc97e7f8c43e47d
SHA256 4bcf149f3b76df0ec62c90580633925436cd7dddf30b932c99fdedfc26bf4b32
SHA512 809eb84ffec82d59eeb6b60c9ad80e32c08a7e7b68706c8a7fe5f13063149234813f64629766c4f768cf8fe9a6bde8ead1e1fceff0a3f8bf123844cb7970a0ea

/data/data/com.kiss.lesson/app_DynamicOptDex/oat/KqjBjOU.json.cur.prof

MD5 7cb2f506fb7653876eeb66c08f1e648e
SHA1 a314c7a54fe0fbbdcb0ac363c4b3760f9690cc79
SHA256 7f9955471a77608c634a518c6cb454676bb3de898a93987465b400628f227df4
SHA512 63215e6d2d7bcb2246c62cdab48f24d5549818e61272af286331e813e167386fcba234b0b9a89372be7a4053e1a4aeba6e7b9d10ffb517bac272cacb83342e43

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-16 22:35

Reported

2024-12-16 22:38

Platform

android-x64-arm64-20240910-en

Max time kernel

38s

Max time network

151s

Command Line

com.kiss.lesson

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json] N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json] N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kiss.lesson

Network

Country Destination Domain Proto
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.200.46:443 www.youtube.com udp
GB 142.250.200.46:443 www.youtube.com tcp
US 1.1.1.1:53 freeiconshop.com udp
US 1.1.1.1:53 pngimage.net udp
US 104.21.33.28:443 pngimage.net tcp
US 195.179.237.77:443 freeiconshop.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.180.14:443 android.apis.google.com tcp
US 216.239.32.223:443 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
US 5.161.217.34:80 5.161.217.34 tcp
GB 142.250.187.193:443 tcp
US 216.239.32.223:443 tcp
GB 216.58.204.65:443 tcp
US 216.239.32.223:443 tcp

Files

/data/data/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json

MD5 0a37ad2e4b08c779b6b5394b62558004
SHA1 d6bb04e4f3f7c5b6d63dbd88d0356bd4da4824bb
SHA256 e5e6fa459eb49deb6404f7f0ef11c44123f4ac849a69de8ec9b2aaac4bd26e5f
SHA512 c1e83ac84405868fda0b49c128992c8b7dccea3360aebf34f51fa6f7d132feae1683cbeae8eb7f105e02186744a2228b51118c9e505cc71338278c337b92d191

/data/data/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json

MD5 eda7acbea8ffa9aed628c9a0d5ef46f5
SHA1 6a1f31ef9050e63e2b37398600171944fd19c828
SHA256 1247066411d4cefc353508c8a324a846f0d96beff0ab63abe5452e4ae7f7b1fa
SHA512 0ce386bc52763f8f0c0b26d1d0ea21a1c8156ebd8adba941ca6635640e34891a76e96d6fa6ef748b20d66d3bb9ffa64e42ae41bf891253df0afd974eb561f3b5

/data/user/0/com.kiss.lesson/app_DynamicOptDex/KqjBjOU.json

MD5 2597967b27a832a4a0fae00c3bfec0c8
SHA1 964992e5b1e5858a12fe78ba0cc97e7f8c43e47d
SHA256 4bcf149f3b76df0ec62c90580633925436cd7dddf30b932c99fdedfc26bf4b32
SHA512 809eb84ffec82d59eeb6b60c9ad80e32c08a7e7b68706c8a7fe5f13063149234813f64629766c4f768cf8fe9a6bde8ead1e1fceff0a3f8bf123844cb7970a0ea