Malware Analysis Report

2024-10-19 11:55

Sample ID 231113-lg2tnabh2x
Target base.apk
SHA256 28cf23f76582b13705346e8fe77802785267e6b2ab2072bf9c2b9b918b2b588b
Tags: alienbot cerberus banker evasion infostealer rat stealth trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

28cf23f76582b13705346e8fe77802785267e6b2ab2072bf9c2b9b918b2b588b

Threat Level: Known bad

The file base.apk was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker evasion infostealer rat stealth trojan

Cerberus payload

Cerberus

Alienbot

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Acquires the wake lock.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-11-13 09:31

Signatures

Requests dangerous framework permissions

Indicator (permission) | Description
android.permission.READ_SMS | Allows an application to read SMS messages.
android.permission.ACCESS_BACKGROUND_LOCATION | Allows an app to access location in the background.
android.permission.SEND_SMS | Allows an application to send SMS messages.
android.permission.READ_EXTERNAL_STORAGE | Allows an application to read from external storage.
android.permission.RECEIVE_SMS | Allows an application to receive SMS messages.
android.permission.READ_PHONE_STATE | Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage.
android.permission.RECORD_AUDIO | Allows an application to record audio.
android.permission.READ_CONTACTS | Allows an application to read the user's contacts data.
android.permission.GET_ACCOUNTS | Allows access to the list of accounts in the Accounts Service.

Process and Target columns were N/A for every row; READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE were each listed twice in the original table and are shown once here.

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-13 09:31

Reported

2023-11-13 09:33

Platform

android-x86-arm-20231023-en

Max time kernel

3355927s

Max time network

140s

Command Line

com.timber.funny

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description / Indicator / Process / Target: N/A (2 identical rows, no indicator details recorded)

Makes use of the framework's Accessibility service.

Description | Indicator
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Process and Target: N/A

Removes its main activity from the application launcher

stealth trojan
Description / Indicator / Process / Target: N/A (no indicator details recorded)

Acquires the wake lock.

Description | Indicator
Framework service call | android.os.IPowerManager.acquireWakeLock
Process and Target: N/A

Loads dropped Dex/Jar

Description | Indicator
N/A | /data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json (listed twice)
Process and Target: N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
Process and Target: N/A

Removes a system notification.

evasion
Description | Indicator
Framework service call | android.app.INotificationManager.cancelNotificationWithTag
Process and Target: N/A

Processes

com.timber.funny

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.timber.funny/app_DynamicOptDex/oat/x86/oQXZESo.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | | udp | 1
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp | 1
NL | 172.217.168.202:443 | infinitedata-pa.googleapis.com | tcp | 1
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1
NL | 142.251.36.42:443 | semanticlocation-pa.googleapis.com | tcp | 1
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp | 1
US | 188.114.96.0:443 | jsonplaceholder.typicode.com | tcp | 1
NL | 216.58.214.14:443 | | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
NL | 142.250.179.206:443 | android.apis.google.com | tcp | 1
US | 1.1.1.1:53 | comolokko4152ertausicken.gq | udp | 2
NL | 142.251.36.42:443 | semanticlocation-pa.googleapis.com | tcp | 1
US | 1.1.1.1:53 | comolokko4152ertausicken.gq | udp | 7

Count gives the number of consecutive identical rows in the original table.

Files

/data/data/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 b9ef71e496c13f1d0adb890f09b0a6ac
SHA1 a0b768653d33a43094ec5d325fd14169f8e2943f
SHA256 2681dd696c408d25daecaa524b7ea7a8491e94cdc8c7e41f96de5650bba91e80
SHA512 189eb39f1b89a0768e5ad524289688a8bcddb7be1d84cdb9cf7eae9ea01a40a69207bbbd14d71a5bed0c38726726cc7ff4fb3ebe0e751817ac21f8bdce4c072e

/data/data/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 27fba65ca18b132e52e55df1dc2d710a
SHA1 45e418b090bbaa73751145cd003ec18d91d68a10
SHA256 72147d67aefb8b20893ff3f22f75d449a29b56d67d0a4fdda255187f6a5885a7
SHA512 1f50c7bc719dbccb6ef74a5a56c02681e222b8ecd88347e2dad57d675a8c8c624e6cc7f62699d2b7362e9b57ff24c994a5c5699c4190f910555568916b0249f2

/data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 09485d0ae12ab18d75eb0ca54efbf49c
SHA1 f2daa5007a2479ee78c74e8f9eb013b946b9962d
SHA256 bc51d9fc51b0045e126dbb438b481b6808218cde64ec3fb51d3267d3212f79c4
SHA512 8d94715a8c019914628e911658ce1f17df8924c76d3e963004891040953c8c51d514cc89f9029a00119b0a06e7cb38830e5287096426e0399095c49622398be4

/data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 cd68bd369ad3a243d685c016f4488780
SHA1 7e595a755c12a440d35f37bebb968c25032ff3f9
SHA256 c9ffe96e34b133ef1688d93e51e7d8340f52f6f62cc33121997086313604fb9a
SHA512 0c4c565d5da0cfec92b1ba33475522c74b8e9faacbd29d2b09d1f4daafdc0c5a70517094278f6c311026785a5e51876346dd623ce2ea0974ded69108c93c57a5

/data/data/com.timber.funny/app_DynamicOptDex/oat/oQXZESo.json.cur.prof

MD5 0638e9065ffd917108b24dbbffe8b9a7
SHA1 c3ea6e8dcfa401afdf2d7f78fc63acf45e3e7eab
SHA256 ce7aae2635bb1cfd608d14de7ba00a1d46e8005f3f12c140b245ed7ecc21c648
SHA512 a053447f177bafb1efcff8de864eaaa731552d2a036d6a59e99a3cffa82e97f75ff87131bb252c809d7f333897cd2b5ccd5ec35533a7f248868626c925426a36

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-13 09:31

Reported

2023-11-13 09:33

Platform

android-x64-20231023.1-en

Max time kernel

3355946s

Max time network

166s

Command Line

com.timber.funny

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description / Indicator / Process / Target: N/A (no indicator details recorded)

Makes use of the framework's Accessibility service.

Description | Indicator
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Process and Target: N/A

Removes its main activity from the application launcher

stealth trojan
Description / Indicator / Process / Target: N/A (3 identical rows, no indicator details recorded)

Acquires the wake lock.

Description | Indicator
Framework service call | android.os.IPowerManager.acquireWakeLock
Process and Target: N/A

Loads dropped Dex/Jar

Description | Indicator
N/A | /data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json
Process and Target: N/A

Processes

com.timber.funny

getprop ro.miui.ui.version.name (executed 2 times)

Network

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | | udp | 1
NL | 142.250.179.174:443 | | tcp | 1
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
NL | 142.251.39.104:443 | ssl.google-analytics.com | tcp | 1
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp | 1
US | 188.114.96.0:443 | jsonplaceholder.typicode.com | tcp | 1
US | 1.1.1.1:53 | comolokko4152ertausicken.gq | udp | 7

Count gives the number of consecutive identical rows in the original table.

Files

/data/data/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 b9ef71e496c13f1d0adb890f09b0a6ac
SHA1 a0b768653d33a43094ec5d325fd14169f8e2943f
SHA256 2681dd696c408d25daecaa524b7ea7a8491e94cdc8c7e41f96de5650bba91e80
SHA512 189eb39f1b89a0768e5ad524289688a8bcddb7be1d84cdb9cf7eae9ea01a40a69207bbbd14d71a5bed0c38726726cc7ff4fb3ebe0e751817ac21f8bdce4c072e

/data/data/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 27fba65ca18b132e52e55df1dc2d710a
SHA1 45e418b090bbaa73751145cd003ec18d91d68a10
SHA256 72147d67aefb8b20893ff3f22f75d449a29b56d67d0a4fdda255187f6a5885a7
SHA512 1f50c7bc719dbccb6ef74a5a56c02681e222b8ecd88347e2dad57d675a8c8c624e6cc7f62699d2b7362e9b57ff24c994a5c5699c4190f910555568916b0249f2

/data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 09485d0ae12ab18d75eb0ca54efbf49c
SHA1 f2daa5007a2479ee78c74e8f9eb013b946b9962d
SHA256 bc51d9fc51b0045e126dbb438b481b6808218cde64ec3fb51d3267d3212f79c4
SHA512 8d94715a8c019914628e911658ce1f17df8924c76d3e963004891040953c8c51d514cc89f9029a00119b0a06e7cb38830e5287096426e0399095c49622398be4

/data/data/com.timber.funny/app_DynamicOptDex/oat/oQXZESo.json.cur.prof

MD5 5baf2d4e57f8b285c3d68326260bc08b
SHA1 3365809b64d6c8f5869733e383f83cd3ba3a0035
SHA256 8c2d45716a1c42c931d86aa695b17c4a578ea2c3b24348474f0c337b4b05b088
SHA512 074fd8730d9cf28463615256abe89393690575dd7608adbccf743f28ec9a20c4070a6e3014e87fe36ad0454c40d051184cd2c5473fb9e8287698ee6275d20892

Analysis: behavioral3

Detonation Overview

Submitted

2023-11-13 09:31

Reported

2023-11-13 09:34

Platform

android-x64-arm64-20231023-en

Max time kernel

3355947s

Max time network

159s

Command Line

com.timber.funny

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description / Indicator / Process / Target: N/A (no indicator details recorded)

Makes use of the framework's Accessibility service.

Description | Indicator
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Process and Target: N/A

Removes its main activity from the application launcher

stealth trojan
Description / Indicator / Process / Target: N/A (8 identical rows, no indicator details recorded)

Acquires the wake lock.

Description | Indicator
Framework service call | android.os.IPowerManager.acquireWakeLock
Process and Target: N/A

Loads dropped Dex/Jar

Description | Indicator
N/A | /data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json
Process and Target: N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
Process and Target: N/A

Processes

com.timber.funny

getprop ro.miui.ui.version.name (executed 7 times)

Network

Country | Destination | Domain | Proto | Count
NL | 142.250.179.142:443 | | tcp | 2
N/A | 224.0.0.251:5353 | | udp | 1
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp | 1
NL | 172.217.168.234:443 | infinitedata-pa.googleapis.com | tcp | 1
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
DE | 172.217.23.200:443 | ssl.google-analytics.com | tcp | 1
US | 1.1.1.1:53 | comolokko4152ertausicken.gq | udp | 1
NL | 142.251.36.4:443 | | tcp | 1
US | 1.1.1.1:53 | comolokko4152ertausicken.gq | udp | 2
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
NL | 142.251.36.46:443 | android.apis.google.com | tcp | 1
US | 1.1.1.1:53 | comolokko4152ertausicken.gq | udp | 5

Count gives the number of consecutive identical rows in the original table.

Files

/data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 b9ef71e496c13f1d0adb890f09b0a6ac
SHA1 a0b768653d33a43094ec5d325fd14169f8e2943f
SHA256 2681dd696c408d25daecaa524b7ea7a8491e94cdc8c7e41f96de5650bba91e80
SHA512 189eb39f1b89a0768e5ad524289688a8bcddb7be1d84cdb9cf7eae9ea01a40a69207bbbd14d71a5bed0c38726726cc7ff4fb3ebe0e751817ac21f8bdce4c072e

/data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 27fba65ca18b132e52e55df1dc2d710a
SHA1 45e418b090bbaa73751145cd003ec18d91d68a10
SHA256 72147d67aefb8b20893ff3f22f75d449a29b56d67d0a4fdda255187f6a5885a7
SHA512 1f50c7bc719dbccb6ef74a5a56c02681e222b8ecd88347e2dad57d675a8c8c624e6cc7f62699d2b7362e9b57ff24c994a5c5699c4190f910555568916b0249f2

/data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 09485d0ae12ab18d75eb0ca54efbf49c
SHA1 f2daa5007a2479ee78c74e8f9eb013b946b9962d
SHA256 bc51d9fc51b0045e126dbb438b481b6808218cde64ec3fb51d3267d3212f79c4
SHA512 8d94715a8c019914628e911658ce1f17df8924c76d3e963004891040953c8c51d514cc89f9029a00119b0a06e7cb38830e5287096426e0399095c49622398be4

/data/user/0/com.timber.funny/app_DynamicOptDex/oat/oQXZESo.json.cur.prof

MD5 2884231a028bd7d1e42b07023a88d22c
SHA1 0a56432a214cc10b5b5fc8ddefbff74c602c9442
SHA256 93d581db0face5a81e1005e9df216a122132f2a4507efa2d6afa081a643725fb
SHA512 4920e71ed460fb4ed44fc13433a4bde9d813460ccb34a52ee4af8409c69f04e9b0e1ea2d41a4c59110421dbbe5fbd9e9bc04ca8aea6d1cae889d625d8478d777