Malware Analysis Report

2025-01-19 05:13

Sample ID 241219-1wm2da1khy
Target 385c92b0c4f5af85151eaed41bf8d11bf726921e7a4a36fbfc2c9aad45addba3.bin
SHA256 385c92b0c4f5af85151eaed41bf8d11bf726921e7a4a36fbfc2c9aad45addba3
Tags: cerberus banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan privilege_escalation
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 385c92b0c4f5af85151eaed41bf8d11bf726921e7a4a36fbfc2c9aad45addba3.bin was found to be: Known bad.

Malicious Activity Summary

Cerberus

Cerberus family

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Requests changing the default SMS application.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tries to add a device administrator.

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-12-19 22:00

Signatures

Declares broadcast receivers with permission to handle system events

android.permission.BIND_DEVICE_ADMIN: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions

android.permission.REQUEST_INSTALL_PACKAGES: Allows an application to request installing packages.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-19 22:00

Reported

2024-12-19 22:02

Platform

android-x86-arm-20240624-en

Max time kernel

140s

Max time network

150s

Command Line

com.swing.often

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.swing.often/app_DynamicOptDex/NQ.json (2 occurrences)

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 occurrences)

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Requests changing the default SMS application.

collection impact
Intent action: android.provider.Telephony.ACTION_CHANGE_DEFAULT

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Framework API call: android.hardware.SensorManager.registerListener

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo

Processes

com.swing.often

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.swing.often/app_DynamicOptDex/NQ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.swing.often/app_DynamicOptDex/oat/x86/NQ.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
RU 94.250.253.26:80 94.250.253.26 tcp
RU 94.250.253.26:80 94.250.253.26 tcp
RU 94.250.253.26:80 94.250.253.26 tcp

Files

/data/data/com.swing.often/app_DynamicOptDex/NQ.json

MD5 ec322e38c43afd6e408508b97f43aef2
SHA1 adadb7ad49531cbfd3f3531cfec875f81905b89b
SHA256 267027e868b821518ba2ffc000d424ce76e9e28b0b81e40da3d697328c02622d
SHA512 e6a5b8dc8ae9de235c0e3b3cca6af059d9c1bc1056e15510658c5679aa49f5e133e46a92bf042f2284eaceea6d800bef49d5bab505adc8b03f1e1ae6de5f570b

/data/data/com.swing.often/app_DynamicOptDex/NQ.json

MD5 91e08fbc47e803f3f5bd2e0d39e8f167
SHA1 cfea44c91ea7ad6d866aa21e7412cfbd00873fa0
SHA256 8381d8eed74280e8cd5a6e6808963c17228729bc1d04353898d05e9815555d40
SHA512 b23155758dbc7df8ab5b0d1bab2439672f20da15129419bd2cd432b89d9b527b0cc03fdca6c1e04d3ac9495df4fffe7c9b8586bef311a98cbad08d1369710122

/data/user/0/com.swing.often/app_DynamicOptDex/NQ.json

MD5 fbfec32963eec74794d898179aee8b56
SHA1 cc98bdf6e6fc12d7fb8ec6caf36d7b0cb35f7ca6
SHA256 d15f4935437ed4422d98c2c68a1d352a781300349596adba217d9b2b94e2eca9
SHA512 f846a87654034a0e00044859e354598e244d4d52c0af1bc9240b143c566919c0aa108baaeb9bf24e8c030f973b1202c417e82d72db7b0b045ba2371fdc5c1bfe

/data/user/0/com.swing.often/app_DynamicOptDex/NQ.json

MD5 9dfa580aa93694ae97b83ecb5cfa9ff5
SHA1 b17c51cbd1dad8b069e2ac3adab7fccfd6bd624f
SHA256 caaa953fc8d5eb5d2cbac6e280ed76c7e3ddaa2f0f4eb2ed5e7d58b7b7015ddf
SHA512 22c51103d9bdf7997ccb6557c92613f431b9c643a1825d4264fd4767a0f1f8e66b8f2719ccbcda1bf5aae2c9448729212e722b6d9091a4f1c7eb6cb6bdb034fb

/data/data/com.swing.often/app_DynamicOptDex/oat/NQ.json.cur.prof

MD5 75cb30c10c2ae1c0add1099eaf933374
SHA1 598065266fe843c403536736872c2f125225a6d9
SHA256 7bcc1cb915be55d76fb1f1b44bf3f50df7314136d48597c3f1ad9cba10f76760
SHA512 16b495d82655b9aeffa1a9d253e50c006284b5033066c2fcda096f7db2bd58874fa5ab5b298f9e4f54375775b5bd695897235dfd1a6dd2ff94a980d7edb20776

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-19 22:00

Reported

2024-12-19 22:02

Platform

android-x64-20240624-en

Max time kernel

79s

Max time network

158s

Command Line

com.swing.often

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.swing.often/app_DynamicOptDex/NQ.json

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 occurrences)

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Framework API call: android.hardware.SensorManager.registerListener

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo

Processes

com.swing.often

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
RU 94.250.253.26:80 94.250.253.26 tcp
GB 172.217.16.238:443 tcp
GB 216.58.204.66:443 tcp
RU 94.250.253.26:80 94.250.253.26 tcp
RU 94.250.253.26:80 94.250.253.26 tcp
RU 94.250.253.26:80 94.250.253.26 tcp
RU 94.250.253.26:80 94.250.253.26 tcp
RU 94.250.253.26:80 94.250.253.26 tcp

Files

/data/data/com.swing.often/app_DynamicOptDex/NQ.json

MD5 ec322e38c43afd6e408508b97f43aef2
SHA1 adadb7ad49531cbfd3f3531cfec875f81905b89b
SHA256 267027e868b821518ba2ffc000d424ce76e9e28b0b81e40da3d697328c02622d
SHA512 e6a5b8dc8ae9de235c0e3b3cca6af059d9c1bc1056e15510658c5679aa49f5e133e46a92bf042f2284eaceea6d800bef49d5bab505adc8b03f1e1ae6de5f570b

/data/data/com.swing.often/app_DynamicOptDex/NQ.json

MD5 91e08fbc47e803f3f5bd2e0d39e8f167
SHA1 cfea44c91ea7ad6d866aa21e7412cfbd00873fa0
SHA256 8381d8eed74280e8cd5a6e6808963c17228729bc1d04353898d05e9815555d40
SHA512 b23155758dbc7df8ab5b0d1bab2439672f20da15129419bd2cd432b89d9b527b0cc03fdca6c1e04d3ac9495df4fffe7c9b8586bef311a98cbad08d1369710122

/data/user/0/com.swing.often/app_DynamicOptDex/NQ.json

MD5 fbfec32963eec74794d898179aee8b56
SHA1 cc98bdf6e6fc12d7fb8ec6caf36d7b0cb35f7ca6
SHA256 d15f4935437ed4422d98c2c68a1d352a781300349596adba217d9b2b94e2eca9
SHA512 f846a87654034a0e00044859e354598e244d4d52c0af1bc9240b143c566919c0aa108baaeb9bf24e8c030f973b1202c417e82d72db7b0b045ba2371fdc5c1bfe

/data/data/com.swing.often/app_DynamicOptDex/oat/NQ.json.cur.prof

MD5 b3c3883e9b48bcc97e59ca7ef782657f
SHA1 9be29fded298ffc58f83b234e131426294934043
SHA256 2e196fef34438d9629da5b64c12027eddaed304554a70e4b4134ec96f120df2a
SHA512 9f8e68405b92a08be4c2d6877e5862fb88f6f5f57c9ce64c4e70b49db15afe907423e8c050f1a7ae981ded1f5a30ea9ceffd95021ccb120a636438881ece92f7

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-19 22:00

Reported

2024-12-19 22:02

Platform

android-x64-arm64-20240624-en

Max time kernel

70s

Max time network

146s

Command Line

com.swing.often

Signatures

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.swing.often/app_DynamicOptDex/NQ.json
Indicator: [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.swing.often/app_DynamicOptDex/NQ.json] (2 occurrences)

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 occurrences)

Requests changing the default SMS application.

collection impact
Intent action: android.provider.Telephony.ACTION_CHANGE_DEFAULT

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Tries to add a device administrator.

privilege_escalation impact
Intent action: android.app.action.ADD_DEVICE_ADMIN

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Framework API call: android.hardware.SensorManager.registerListener

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo

Processes

com.swing.often

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
RU 94.250.253.26:80 94.250.253.26 tcp
RU 94.250.253.26:80 94.250.253.26 tcp

Files

/data/user/0/com.swing.often/app_DynamicOptDex/NQ.json

MD5 ec322e38c43afd6e408508b97f43aef2
SHA1 adadb7ad49531cbfd3f3531cfec875f81905b89b
SHA256 267027e868b821518ba2ffc000d424ce76e9e28b0b81e40da3d697328c02622d
SHA512 e6a5b8dc8ae9de235c0e3b3cca6af059d9c1bc1056e15510658c5679aa49f5e133e46a92bf042f2284eaceea6d800bef49d5bab505adc8b03f1e1ae6de5f570b

/data/user/0/com.swing.often/app_DynamicOptDex/NQ.json

MD5 91e08fbc47e803f3f5bd2e0d39e8f167
SHA1 cfea44c91ea7ad6d866aa21e7412cfbd00873fa0
SHA256 8381d8eed74280e8cd5a6e6808963c17228729bc1d04353898d05e9815555d40
SHA512 b23155758dbc7df8ab5b0d1bab2439672f20da15129419bd2cd432b89d9b527b0cc03fdca6c1e04d3ac9495df4fffe7c9b8586bef311a98cbad08d1369710122

/data/user/0/com.swing.often/app_DynamicOptDex/NQ.json

MD5 fbfec32963eec74794d898179aee8b56
SHA1 cc98bdf6e6fc12d7fb8ec6caf36d7b0cb35f7ca6
SHA256 d15f4935437ed4422d98c2c68a1d352a781300349596adba217d9b2b94e2eca9
SHA512 f846a87654034a0e00044859e354598e244d4d52c0af1bc9240b143c566919c0aa108baaeb9bf24e8c030f973b1202c417e82d72db7b0b045ba2371fdc5c1bfe

/data/user/0/com.swing.often/app_DynamicOptDex/oat/NQ.json.cur.prof

MD5 500d3f1e197921b0435bc18ca45433a2
SHA1 71f0575f6f6b88864a69de401fbfe4350a01493c
SHA256 cce67a5a6b277356e9a215774d066fdee32a61ad12636ae5b51f19b929dde448
SHA512 e2847e235da2f3911865368b7b09d3b34d62d8c7ce1e6a2c1fc062d53c30a51c90b6d6e9ed3ea0680694b06d2384798acf2972c5d7c68583c62f8da90c10f6bf