Malware Analysis Report

2024-10-19 11:56

Sample ID 231018-1wy4msdb54
Target 1c7d235a525c32568344edd0a93ca21ee9f8a30a91d7af2bc0aeba0cea1b5a2c.bin
SHA256 1c7d235a525c32568344edd0a93ca21ee9f8a30a91d7af2bc0aeba0cea1b5a2c
Tags
alienbot cerberus banker evasion infostealer rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1c7d235a525c32568344edd0a93ca21ee9f8a30a91d7af2bc0aeba0cea1b5a2c

Threat Level: Known bad

The file 1c7d235a525c32568344edd0a93ca21ee9f8a30a91d7af2bc0aeba0cea1b5a2c.bin was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker evasion infostealer rat stealth trojan

Cerberus

Cerberus payload

Alienbot

Makes use of the framework's Accessibility service.

Removes its main activity from the application launcher

Acquires the wake lock.

Requests dangerous framework permissions

Loads dropped Dex/Jar

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-10-18 22:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

win10v2004-20230915-en

Max time kernel

137s

Max time network

162s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery-3.4.1.min.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery-3.4.1.min.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

debian9-armhf-20230831-en

Max time kernel

3s

Max time network

155s

Command Line

[/tmp/libvctfo.so]

Signatures

N/A

Processes

/tmp/libvctfo.so

[/tmp/libvctfo.so]

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

debian9-armhf-20230831-en

Max time kernel

1s

Max time network

157s

Command Line

[/tmp/libvideodec.so]

Signatures

N/A

Processes

/tmp/libvideodec.so

[/tmp/libvideodec.so]

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

win10v2004-20230915-en

Max time kernel

133s

Max time network

148s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\chartjs-plugin-zoom.min.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\chartjs-plugin-zoom.min.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

debian9-armhf-20230831-en

Max time kernel

1s

Max time network

126s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

win10v2004-20230915-en

Max time kernel

128s

Max time network

171s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 35.197.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

android-x86-arm-20230831-en

Max time kernel

1154539s

Max time network

132s

Command Line

com.output.wire

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.output.wire/app_DynamicOptDex/XmDYKd.json N/A N/A
N/A /data/user/0/com.output.wire/app_DynamicOptDex/jLt.json N/A N/A
N/A /data/user/0/com.output.wire/app_DynamicOptDex/ew.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

com.output.wire

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.output.wire/app_DynamicOptDex/XmDYKd.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.output.wire/app_DynamicOptDex/oat/x86/XmDYKd.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.output.wire/app_DynamicOptDex/jLt.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.output.wire/app_DynamicOptDex/oat/x86/jLt.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.output.wire/app_DynamicOptDex/ew.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.output.wire/app_DynamicOptDex/oat/x86/ew.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.202:443 tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.250.179.138:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.64.132.18:443 jsonplaceholder.typicode.com tcp
NL 142.250.179.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.14:443 android.apis.google.com tcp
US 1.1.1.1:53 1natetboxs.net udp
NL 172.217.168.234:443 tcp

Files

/data/data/com.output.wire/app_DynamicOptDex/XmDYKd.json

/data/user/0/com.output.wire/app_DynamicOptDex/XmDYKd.json

/data/data/com.output.wire/app_DynamicOptDex/jLt.json

/data/user/0/com.output.wire/app_DynamicOptDex/jLt.json

/data/data/com.output.wire/app_DynamicOptDex/ew.json

/data/user/0/com.output.wire/app_DynamicOptDex/ew.json

/data/data/com.output.wire/app_DynamicOptDex/oat/XmDYKd.json.cur.prof

/data/data/com.output.wire/app_DynamicOptDex/oat/ew.json.cur.prof

/data/data/com.output.wire/app_DynamicOptDex/oat/jLt.json.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

android-x64-arm64-20230831-en

Max time kernel

1154538s

Max time network

139s

Command Line

com.output.wire

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.output.wire/app_DynamicOptDex/XmDYKd.json N/A N/A
N/A /data/user/0/com.output.wire/app_DynamicOptDex/jLt.json N/A N/A
N/A /data/user/0/com.output.wire/app_DynamicOptDex/ew.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

com.output.wire

getprop ro.miui.ui.version.name

Network

Country Destination Domain Proto
NL 142.250.179.202:80 play.googleapis.com tcp
N/A 224.0.0.251:5353 udp
NL 142.251.36.46:443 tcp
NL 142.250.179.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.250.179.168:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.138:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 1natetboxs.net udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 1natetboxs.net udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
NL 142.250.179.173:443 accounts.google.com tcp
US 1.1.1.1:53 hmtanlmsmhljst udp
US 1.1.1.1:53 ttbwmfeerzzmhk udp
US 1.1.1.1:53 hmxtudiwtn udp
US 1.1.1.1:53 hmxtudiwtn udp
US 1.1.1.1:53 hmtanlmsmhljst udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 update.googleapis.com udp
US 1.1.1.1:53 update.googleapis.com udp
NL 142.251.36.3:443 update.googleapis.com tcp
US 1.1.1.1:53 edgedl.me.gvt1.com udp
US 1.1.1.1:53 edgedl.me.gvt1.com udp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp

Files

/data/user/0/com.output.wire/app_DynamicOptDex/XmDYKd.json

/data/user/0/com.output.wire/app_DynamicOptDex/jLt.json

/data/user/0/com.output.wire/app_DynamicOptDex/ew.json

/data/user/0/com.output.wire/app_DynamicOptDex/oat/XmDYKd.json.cur.prof

/data/user/0/com.output.wire/app_DynamicOptDex/oat/ew.json.cur.prof

/data/user/0/com.output.wire/app_DynamicOptDex/oat/jLt.json.cur.prof

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:05

Platform

win7-20230831-en

Max time kernel

120s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\chartjs-plugin-zoom.min.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\chartjs-plugin-zoom.min.js

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

win7-20230831-en

Max time kernel

122s

Max time network

144s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\hammerjs.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\hammerjs.js

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

debian9-armhf-20230831-en

Max time kernel

3s

Max time network

127s

Command Line

[/tmp/libxz-main.so]

Signatures

N/A

Processes

/tmp/libxz-main.so

[/tmp/libxz-main.so]

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

debian9-armhf-20230831-en

Max time kernel

1s

Max time network

154s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

win7-20230831-en

Max time kernel

118s

Max time network

134s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

android-x64-20230831-en

Max time kernel

1154530s

Max time network

133s

Command Line

com.output.wire

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.output.wire/app_DynamicOptDex/XmDYKd.json N/A N/A
N/A /data/user/0/com.output.wire/app_DynamicOptDex/jLt.json N/A N/A
N/A /data/user/0/com.output.wire/app_DynamicOptDex/ew.json N/A N/A

Processes

com.output.wire

getprop ro.miui.ui.version.name

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
DE 172.217.23.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.64.132.18:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 1natetboxs.net udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
US 1.1.1.1:53 1natetboxs.net udp
US 1.1.1.1:53 1natetboxs.net udp
US 1.1.1.1:53 1natetboxs.net udp
NL 142.251.39.100:443 tcp
NL 142.250.179.142:443 android.apis.google.com tcp

Files

/data/data/com.output.wire/app_DynamicOptDex/XmDYKd.json

/data/user/0/com.output.wire/app_DynamicOptDex/XmDYKd.json

/data/data/com.output.wire/app_DynamicOptDex/jLt.json

/data/user/0/com.output.wire/app_DynamicOptDex/jLt.json

/data/data/com.output.wire/app_DynamicOptDex/ew.json

/data/user/0/com.output.wire/app_DynamicOptDex/ew.json

/data/data/com.output.wire/app_DynamicOptDex/oat/XmDYKd.json.cur.prof

/data/data/com.output.wire/app_DynamicOptDex/oat/ew.json.cur.prof

/data/data/com.output.wire/app_DynamicOptDex/oat/jLt.json.cur.prof

Analysis: behavioral7

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

win10v2004-20230915-en

Max time kernel

144s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\hammerjs.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\hammerjs.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 254.111.26.67.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

win7-20230831-en

Max time kernel

122s

Max time network

138s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery-3.4.1.min.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery-3.4.1.min.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

debian9-armhf-20230831-en

Max time kernel

1s

Max time network

127s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

debian9-armhf-20230831-en

Max time kernel

2s

Max time network

125s

Command Line

[/tmp/libapminsighta.so]

Signatures

N/A

Processes

/tmp/libapminsighta.so

[/tmp/libapminsighta.so]

Network

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-10-18 22:00

Reported

2023-10-18 22:03

Platform

debian9-armhf-20230831-en

Max time kernel

1s

Max time network

126s

Command Line

[/tmp/libvcnverify.so]

Signatures

N/A

Processes

/tmp/libvcnverify.so

[/tmp/libvcnverify.so]

Network

Files

N/A