Malware Analysis Report

2024-10-19 11:56

Sample ID 231106-1w7qsaff6w
Target 6bf19afb35a30eed664695da5da89cb40de5e48eea9a2d6c69b45bfcf91a47c2.bin
SHA256 6bf19afb35a30eed664695da5da89cb40de5e48eea9a2d6c69b45bfcf91a47c2
Tags alienbot cerberus banker evasion infostealer rat stealth trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files, in report order:
behavioral30, behavioral14, behavioral16, behavioral28, behavioral26, behavioral19, behavioral2, behavioral4, behavioral12, behavioral25, behavioral27, behavioral29, behavioral32, behavioral13, behavioral22, behavioral24, behavioral31, behavioral11, behavioral18, behavioral20, behavioral15, behavioral17, behavioral21, behavioral23, behavioral1, behavioral5, behavioral6, behavioral9, behavioral10, behavioral3, behavioral7, behavioral8

Analysis Overview

Score 10/10

SHA256

6bf19afb35a30eed664695da5da89cb40de5e48eea9a2d6c69b45bfcf91a47c2

Threat Level: Known bad

The file 6bf19afb35a30eed664695da5da89cb40de5e48eea9a2d6c69b45bfcf91a47c2.bin was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker evasion infostealer rat stealth trojan

Alienbot

Cerberus

Cerberus payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service.

Acquires the wake lock.

Requests dangerous framework permissions

Loads dropped Dex/Jar

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-11-06 22:01

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral30

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:02

Platform

ubuntu1804-amd64-20231026-en

Max time kernel

6s

Max time network

8s

Command Line

[/tmp/libtraceroute-lib.so]

Signatures

N/A

Processes

/tmp/libtraceroute-lib.so

[/tmp/libtraceroute-lib.so]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 151.101.194.49:443 | | tcp
US | 151.101.129.91:443 | | tcp
US | 1.1.1.1:53 | cdn.fwupd.org | udp
US | 1.1.1.1:53 | cdn.fwupd.org | udp
US | 151.101.194.49:443 | cdn.fwupd.org | tcp
NL | 143.244.42.32:443 | | tcp
GB | 185.125.188.61:443 | | tcp
GB | 185.125.188.62:443 | | tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:03

Platform

ubuntu1804-amd64-20231026-en

Max time kernel

5s

Max time network

9s

Command Line

[/tmp/libnative-filters.so]

Signatures

N/A

Processes

/tmp/libnative-filters.so

[/tmp/libnative-filters.so]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 151.101.2.49:443 | | tcp
US | 151.101.65.91:443 | | tcp
US | 1.1.1.1:53 | cdn.fwupd.org | udp
US | 1.1.1.1:53 | cdn.fwupd.org | udp
US | 151.101.2.49:443 | cdn.fwupd.org | tcp
NL | 195.181.172.26:443 | | tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:01

Platform

debian9-mipsbe-20231026-en

Max time kernel

3s

Command Line

[/tmp/libnative-filters.so]

Signatures

N/A

Processes

/tmp/libnative-filters.so

[/tmp/libnative-filters.so]

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:02

Platform

debian9-mipsbe-20231026-en

Max time kernel

3s

Command Line

[/tmp/libspeechengine.so]

Signatures

N/A

Processes

/tmp/libspeechengine.so

[/tmp/libspeechengine.so]

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:02

Platform

ubuntu1804-amd64-20231026-en

Max time kernel

7s

Max time network

10s

Command Line

[/tmp/libspeechengine.so]

Signatures

N/A

Processes

/tmp/libspeechengine.so

[/tmp/libspeechengine.so]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 151.101.194.49:443 | | tcp
US | 151.101.193.91:443 | | tcp
NL | 195.181.172.27:443 | | tcp
US | 1.1.1.1:53 | cdn.fwupd.org | udp
US | 1.1.1.1:53 | cdn.fwupd.org | udp
US | 151.101.194.49:443 | cdn.fwupd.org | tcp
GB | 185.125.188.61:443 | | tcp
GB | 185.125.188.62:443 | | tcp
US | 151.101.193.91:443 | | tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:01

Platform

debian9-armhf-20231026-en

Max time kernel

4s

Command Line

[/tmp/libnpth_dl.so]

Signatures

N/A

Processes

/tmp/libnpth_dl.so

[/tmp/libnpth_dl.so]

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:08

Platform

android-x64-20231023.1-en

Max time kernel

2796423s

Max time network

150s

Command Line

com.sail.chuckle

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json | N/A | N/A

Processes

com.sail.chuckle

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
NL | 142.250.179.168:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp
US | 172.64.165.25:443 | jsonplaceholder.typicode.com | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
US | 1.1.1.1:53 | orgulama.xyz | udp
US | 1.1.1.1:53 | orgulama.xyz | udp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp

Files

/data/data/com.sail.chuckle/app_DynamicOptDex/cX.json

MD5 c7307504191c35338a1fb78c24c4c3a2
SHA1 e7603440cda762b908de3a79429203be9cf312f4
SHA256 b245f6ed1f2b14552828edbfd0a5e439e0d9e0b5ba754d180440d22886edc852
SHA512 dc761219e432b055c2bcf6ceaf5eedd002bfe9363c603e72695830614e6247d8b747b2213451bef4dbbb1127c3fae16f85abdaf9742419d68720946c85057646

/data/data/com.sail.chuckle/app_DynamicOptDex/cX.json

MD5 2b87c8db8b321c64f38d0fc3ed10188d
SHA1 8c0271853633201883c10b82378ebc1b353c01b1
SHA256 4ac244b05b34d82fd620b4f6bf197d9fec53328c6a4e76d4d3925bbc3cd429fa
SHA512 a96cf84c308595131fbc09ebb5f8c3dc4e3e1fc7afd03ecb5a360630ed13b4d6c544abc517f6e70fa6614825e45d2062a952a77764ea3b96fe4cfbaa72583762

/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json

MD5 5a232af22aa6875cdac8abdba9d38fe8
SHA1 5031e7c9a0b8d98b4df574b49e55c5a26f89c8a5
SHA256 beab77a17d363c5d01cd9d66c39b8105d66254ae06478d9a5aea5840c428adb3
SHA512 a52ac23d8d8c0032c754b446bfe73d16c20e58498a74dbf4bab7637ebfef9cb38c1258e701bc2140c03f2b29a68dc933d8b2e2984e17b020f6135b736109fe9c

/data/data/com.sail.chuckle/app_DynamicOptDex/oat/cX.json.cur.prof

MD5 f69cc04708fc46ae17fa78f84bdc4abe
SHA1 a724d013399e83b58ae66e5eb38cf80ca2160aef
SHA256 2bc1fe52b125a52045920db3c9d7cd55e21f68477d9f32a2243519854c06a22f
SHA512 3eab358298a7252d4486c03cd5f241763015ffe060a4da4ed0d47d2ca06f2bf4c2cc1f6df64b05686f215398cad7cbc59b3b907c9ed9bd23ce4ec3bc80987eea

Analysis: behavioral4

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:04

Platform

win7-20231020-en

Max time kernel

117s

Max time network

120s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\courses_video_playing.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\courses_video_playing.js

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:03

Platform

debian9-mipsbe-20231026-en

Max time kernel

3s

Command Line

[/tmp/libfile_lock.so]

Signatures

N/A

Processes

/tmp/libfile_lock.so

[/tmp/libfile_lock.so]

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:03

Platform

debian9-mipsel-20231026-en

Max time kernel

2s

Command Line

[/tmp/libnpth_logcat.so]

Signatures

N/A

Processes

/tmp/libnpth_logcat.so

[/tmp/libnpth_logcat.so]

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:02

Platform

debian9-armhf-20231026-en

Max time kernel

4s

Command Line

[/tmp/libspeechengine.so]

Signatures

N/A

Processes

/tmp/libspeechengine.so

[/tmp/libspeechengine.so]

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:02

Platform

debian9-mipsel-20231026-en

Max time kernel

3s

Command Line

[/tmp/libspeechengine.so]

Signatures

N/A

Processes

/tmp/libspeechengine.so

[/tmp/libspeechengine.so]

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:02

Platform

debian9-mipsbe-20231026-en

Max time kernel

3s

Command Line

[/tmp/libtraceroute-lib.so]

Signatures

N/A

Processes

/tmp/libtraceroute-lib.so

[/tmp/libtraceroute-lib.so]

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:01

Platform

debian9-mipsel-20231026-en

Max time kernel

3s

Command Line

[/tmp/libfile_lock.so]

Signatures

N/A

Processes

/tmp/libfile_lock.so

[/tmp/libfile_lock.so]

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:01

Platform

ubuntu1804-amd64-20231026-en

Max time kernel

5s

Max time network

8s

Command Line

[/tmp/libnpth_logcat.so]

Signatures

N/A

Processes

/tmp/libnpth_logcat.so

[/tmp/libnpth_logcat.so]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 151.101.194.49:443 | | tcp
US | 151.101.129.91:443 | | tcp
NL | 143.244.42.32:443 | | tcp
US | 1.1.1.1:53 | cdn.fwupd.org | udp
US | 1.1.1.1:53 | dualstack.p2.shared.global.fastly.net | udp
US | 151.101.130.49:443 | cdn.fwupd.org | tcp
GB | 185.125.188.61:443 | | tcp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:01

Platform

debian9-mipsbe-20231026-en

Max time kernel

3s

Command Line

[/tmp/libnpth_logcat.so]

Signatures

N/A

Processes

/tmp/libnpth_logcat.so

[/tmp/libnpth_logcat.so]

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:02

Platform

debian9-armhf-20231026-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:02

Platform

debian9-armhf-20231026-en

Max time kernel

3s

Command Line

[/tmp/libfile_lock.so]

Signatures

N/A

Processes

/tmp/libfile_lock.so

[/tmp/libfile_lock.so]

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:03

Platform

ubuntu1804-amd64-20231026-en

Max time kernel

4s

Max time network

9s

Command Line

[/tmp/libnpth_dl.so]

Signatures

N/A

Processes

/tmp/libnpth_dl.so

[/tmp/libnpth_dl.so]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 151.101.194.49:443 | | tcp
US | 151.101.1.91:443 | | tcp
US | 1.1.1.1:53 | cdn.fwupd.org | udp
US | 1.1.1.1:53 | cdn.fwupd.org | udp
US | 151.101.194.49:443 | cdn.fwupd.org | tcp
NL | 143.244.42.32:443 | | tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:01

Platform

debian9-mipsbe-20231026-en

Max time kernel

3s

Command Line

[/tmp/libnpth_dl.so]

Signatures

N/A

Processes

/tmp/libnpth_dl.so

[/tmp/libnpth_dl.so]

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:03

Platform

debian9-armhf-20231026-en

Max time kernel

3s

Command Line

[/tmp/libnative-filters.so]

Signatures

N/A

Processes

/tmp/libnative-filters.so

[/tmp/libnative-filters.so]

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:03

Platform

debian9-mipsel-20231026-en

Max time kernel

2s

Command Line

[/tmp/libnative-filters.so]

Signatures

N/A

Processes

/tmp/libnative-filters.so

[/tmp/libnative-filters.so]

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:03

Platform

debian9-mipsel-20231026-en

Max time kernel

3s

Command Line

[/tmp/libnpth_dl.so]

Signatures

N/A

Processes

/tmp/libnpth_dl.so

[/tmp/libnpth_dl.so]

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:02

Platform

debian9-armhf-20231026-en

Max time kernel

4s

Command Line

[/tmp/libnpth_logcat.so]

Signatures

N/A

Processes

/tmp/libnpth_logcat.so

[/tmp/libnpth_logcat.so]

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:07

Platform

android-x86-arm-20231023-en

Max time kernel

2796369s

Max time network

143s

Command Line

com.sail.chuckle

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json | N/A | N/A
N/A | /data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Removes a system notification.

evasion

Description | Indicator | Process | Target
Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A

Processes

com.sail.chuckle

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.sail.chuckle/app_DynamicOptDex/oat/x86/cX.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
NL | 142.251.36.42:443 | infinitedata-pa.googleapis.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
NL | 142.250.179.170:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp
US | 172.64.164.25:443 | jsonplaceholder.typicode.com | tcp
NL | 216.58.214.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.208.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
NL | 142.251.36.42:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp

Files

/data/data/com.sail.chuckle/app_DynamicOptDex/cX.json

MD5 c7307504191c35338a1fb78c24c4c3a2
SHA1 e7603440cda762b908de3a79429203be9cf312f4
SHA256 b245f6ed1f2b14552828edbfd0a5e439e0d9e0b5ba754d180440d22886edc852
SHA512 dc761219e432b055c2bcf6ceaf5eedd002bfe9363c603e72695830614e6247d8b747b2213451bef4dbbb1127c3fae16f85abdaf9742419d68720946c85057646

/data/data/com.sail.chuckle/app_DynamicOptDex/cX.json

MD5 2b87c8db8b321c64f38d0fc3ed10188d
SHA1 8c0271853633201883c10b82378ebc1b353c01b1
SHA256 4ac244b05b34d82fd620b4f6bf197d9fec53328c6a4e76d4d3925bbc3cd429fa
SHA512 a96cf84c308595131fbc09ebb5f8c3dc4e3e1fc7afd03ecb5a360630ed13b4d6c544abc517f6e70fa6614825e45d2062a952a77764ea3b96fe4cfbaa72583762

/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json

MD5 5a232af22aa6875cdac8abdba9d38fe8
SHA1 5031e7c9a0b8d98b4df574b49e55c5a26f89c8a5
SHA256 beab77a17d363c5d01cd9d66c39b8105d66254ae06478d9a5aea5840c428adb3
SHA512 a52ac23d8d8c0032c754b446bfe73d16c20e58498a74dbf4bab7637ebfef9cb38c1258e701bc2140c03f2b29a68dc933d8b2e2984e17b020f6135b736109fe9c

/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json

MD5 e18a5c9ce53a530ff9210dcad42fba24
SHA1 a4f960d6f5e5cfaf2276559370e0ef6a07bb7b7a
SHA256 d52e66c8e7e3ee19661ba640bf190d63847246ac8325528be2d078cf07fc59f2
SHA512 996ec35288147c28ac71b3487bfb300f9f34488000ef28eb36cd2ae9d20db97b3bf113cd62e35b1fb09515fa530f710d3c71a136b23433b1ca6b1e8dcb92b511

/data/data/com.sail.chuckle/app_DynamicOptDex/oat/cX.json.cur.prof

MD5 4bfaa3ee1e828e513889ad85ff2b45a1
SHA1 9fbee0e9b93dc7219c48c5f71d27df92e66adb11
SHA256 90b9d44e6bb5e7d2411a266683501610e277b0c2a35c483a45b46150045ca04c
SHA512 5a55cd4452db82d0eea690d369820ae534ff8eb50b052e29e83d7bb47d94391ed1af8f34d3434462734d2e4d8e5c0e350300de0e458f1d3a1e7e11191c90753c

Analysis: behavioral5

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:04

Platform

win10v2004-20231020-en

Max time kernel

142s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\courses_video_playing.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\courses_video_playing.js

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.240.110.104.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:01

Platform

ubuntu1804-amd64-20231026-en

Max time kernel

6s

Max time network

9s

Command Line

[/tmp/libbuffer.so]

Signatures

N/A

Processes

/tmp/libbuffer.so

[/tmp/libbuffer.so]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 151.101.194.49:443 | | tcp
US | 151.101.129.91:443 | | tcp
US | 1.1.1.1:53 | cdn.fwupd.org | udp
US | 1.1.1.1:53 | cdn.fwupd.org | udp
US | 151.101.194.49:443 | cdn.fwupd.org | tcp
NL | 143.244.42.32:443 | | tcp
GB | 185.125.188.61:443 | | tcp
GB | 185.125.188.62:443 | | tcp
US | 151.101.129.91:443 | | tcp
US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp
US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp
NL | 143.244.42.33:443 | 1527653184.rsc.cdn77.org | tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:03

Platform

debian9-mipsel-20231026-en

Max time kernel

3s

Command Line

[/tmp/libbuffer.so]

Signatures

N/A

Processes

/tmp/libbuffer.so

[/tmp/libbuffer.so]

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:01

Platform

ubuntu1804-amd64-20231026-en

Max time kernel

6s

Max time network

8s

Command Line

[/tmp/libfile_lock.so]

Signatures

N/A

Processes

/tmp/libfile_lock.so

[/tmp/libfile_lock.so]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 151.101.194.49:443 | | tcp
US | 1.1.1.1:53 | cdn.fwupd.org | udp
US | 1.1.1.1:53 | cdn.fwupd.org | udp
US | 151.101.194.49:443 | cdn.fwupd.org | tcp
US | 151.101.193.91:443 | | tcp
NL | 143.244.42.32:443 | | tcp
GB | 185.125.188.62:443 | | tcp
GB | 185.125.188.61:443 | | tcp
US | 151.101.193.91:443 | | tcp
US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp
US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp
NL | 195.181.172.27:443 | 1527653184.rsc.cdn77.org | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:09

Platform

android-x64-arm64-20231023-en

Max time kernel

2796449s

Max time network

172s

Command Line

com.sail.chuckle

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

com.sail.chuckle

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

Network

Country | Destination | Domain | Proto
NL | 142.250.179.142:443 | | tcp
NL | 142.250.179.142:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
NL | 142.250.179.168:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
NL | 142.251.36.4:443 | | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
US | 1.1.1.1:53 | orgulama.xyz | udp
TR | 31.186.11.254:80 | orgulama.xyz | tcp
US | 1.1.1.1:53 | orgulama.xyz | udp
US | 1.1.1.1:53 | orgulama.xyz | udp

Files

/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json

MD5 c7307504191c35338a1fb78c24c4c3a2
SHA1 e7603440cda762b908de3a79429203be9cf312f4
SHA256 b245f6ed1f2b14552828edbfd0a5e439e0d9e0b5ba754d180440d22886edc852
SHA512 dc761219e432b055c2bcf6ceaf5eedd002bfe9363c603e72695830614e6247d8b747b2213451bef4dbbb1127c3fae16f85abdaf9742419d68720946c85057646

/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json

MD5 2b87c8db8b321c64f38d0fc3ed10188d
SHA1 8c0271853633201883c10b82378ebc1b353c01b1
SHA256 4ac244b05b34d82fd620b4f6bf197d9fec53328c6a4e76d4d3925bbc3cd429fa
SHA512 a96cf84c308595131fbc09ebb5f8c3dc4e3e1fc7afd03ecb5a360630ed13b4d6c544abc517f6e70fa6614825e45d2062a952a77764ea3b96fe4cfbaa72583762

/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json

MD5 5a232af22aa6875cdac8abdba9d38fe8
SHA1 5031e7c9a0b8d98b4df574b49e55c5a26f89c8a5
SHA256 beab77a17d363c5d01cd9d66c39b8105d66254ae06478d9a5aea5840c428adb3
SHA512 a52ac23d8d8c0032c754b446bfe73d16c20e58498a74dbf4bab7637ebfef9cb38c1258e701bc2140c03f2b29a68dc933d8b2e2984e17b020f6135b736109fe9c

/data/user/0/com.sail.chuckle/app_DynamicOptDex/oat/cX.json.cur.prof

MD5 042df5dd4189a6a29bc45a4d74461997
SHA1 5f268bcc30476ce7307987686ce76bd6776b5b2c
SHA256 1d49a6756ce64f19379e33cb9611f29ab80a37251be6480337b22aa93d61d16a
SHA512 b71f5a638f5062fb2b0772818e71530a34bf3348d7adecf49f14b34fb079f8ef266aa6bbc451cafcea18b145b188c71c7d825784439b8947c9e3a0def22d5ba5

Analysis: behavioral7

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:01

Platform

debian9-armhf-20231026-en

Max time kernel

4s

Command Line

[/tmp/libbuffer.so]

Signatures

N/A

Processes

/tmp/libbuffer.so

[/tmp/libbuffer.so]

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-11-06 22:01

Reported

2023-11-06 22:02

Platform

debian9-mipsbe-20231026-en

Max time kernel

2s

Command Line

[/tmp/libbuffer.so]

Signatures

N/A

Processes

/tmp/libbuffer.so

[/tmp/libbuffer.so]

Network

N/A

Files

N/A