Malware Analysis Report

2024-10-19 11:56

Sample ID 231114-lzsnpsba4z
Target NEAS.28cf23f76582b13705346e8fe77802785267e6b2ab2072bf9c2b9b918b2b588b.apk
SHA256 28cf23f76582b13705346e8fe77802785267e6b2ab2072bf9c2b9b918b2b588b
Tags
alienbot cerberus banker evasion infostealer rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

28cf23f76582b13705346e8fe77802785267e6b2ab2072bf9c2b9b918b2b588b

Threat Level: Known bad

The file NEAS.28cf23f76582b13705346e8fe77802785267e6b2ab2072bf9c2b9b918b2b588b.apk was found to be: Known bad.

Malicious Activity Summary

Alienbot

Cerberus payload

Cerberus

Makes use of the framework's Accessibility service.

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Requests dangerous framework permissions

Acquires the wake lock.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-11-14 09:58

Signatures

Requests dangerous framework permissions

Indicator                                      Process  Target   Description
android.permission.READ_SMS                    N/A      N/A      Allows an application to read SMS messages.
android.permission.ACCESS_BACKGROUND_LOCATION  N/A      N/A      Allows an app to access location in the background.
android.permission.SEND_SMS                    N/A      N/A      Allows an application to send SMS messages.
android.permission.READ_EXTERNAL_STORAGE       N/A      N/A      Allows an application to read from external storage.
android.permission.RECEIVE_SMS                 N/A      N/A      Allows an application to receive SMS messages.
android.permission.READ_PHONE_STATE            N/A      N/A      Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_EXTERNAL_STORAGE       N/A      N/A      Allows an application to read from external storage.
android.permission.CALL_PHONE                  N/A      N/A      Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_EXTERNAL_STORAGE      N/A      N/A      Allows an application to write to external storage.
android.permission.RECORD_AUDIO                N/A      N/A      Allows an application to record audio.
android.permission.READ_CONTACTS               N/A      N/A      Allows an application to read the user's contacts data.
android.permission.WRITE_EXTERNAL_STORAGE      N/A      N/A      Allows an application to write to external storage.
android.permission.GET_ACCOUNTS                N/A      N/A      Allows access to the list of accounts in the Accounts Service.

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-14 09:58

Reported

2023-11-14 10:20

Platform

android-x64-20231023.1-en

Max time kernel

3445120s

Max time network

167s

Command Line

com.timber.funny

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Makes use of the framework's Accessibility service.

Description             Indicator                                                                                                Process  Target
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  N/A      N/A
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId          N/A      N/A

Removes its main activity from the application launcher

stealth trojan

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Acquires the wake lock.

Description             Indicator                                 Process  Target
Framework service call  android.os.IPowerManager.acquireWakeLock  N/A      N/A

Loads dropped Dex/Jar

Description  Indicator                                                     Process  Target
N/A          /data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json  N/A      N/A

Processes

com.timber.funny

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

Network

Country  Destination          Domain                        Proto
N/A      224.0.0.251:5353                                   udp
NL       142.250.179.174:443                                tcp
US       1.1.1.1:53           jsonplaceholder.typicode.com  udp
US       188.114.97.0:443     jsonplaceholder.typicode.com  tcp
US       1.1.1.1:53           ssl.google-analytics.com      udp
US       1.1.1.1:53           comolokko4152ertausicken.gq   udp
US       1.1.1.1:53           ssl.google-analytics.com      udp
NL       142.251.36.8:443     ssl.google-analytics.com      tcp
US       1.1.1.1:53           comolokko4152ertausicken.gq   udp
US       1.1.1.1:53           comolokko4152ertausicken.gq   udp
US       1.1.1.1:53           comolokko4152ertausicken.gq   udp
US       1.1.1.1:53           comolokko4152ertausicken.gq   udp
US       1.1.1.1:53           comolokko4152ertausicken.gq   udp
US       1.1.1.1:53           comolokko4152ertausicken.gq   udp
US       1.1.1.1:53           comolokko4152ertausicken.gq   udp

Files

/data/data/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 b9ef71e496c13f1d0adb890f09b0a6ac
SHA1 a0b768653d33a43094ec5d325fd14169f8e2943f
SHA256 2681dd696c408d25daecaa524b7ea7a8491e94cdc8c7e41f96de5650bba91e80
SHA512 189eb39f1b89a0768e5ad524289688a8bcddb7be1d84cdb9cf7eae9ea01a40a69207bbbd14d71a5bed0c38726726cc7ff4fb3ebe0e751817ac21f8bdce4c072e

/data/data/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 27fba65ca18b132e52e55df1dc2d710a
SHA1 45e418b090bbaa73751145cd003ec18d91d68a10
SHA256 72147d67aefb8b20893ff3f22f75d449a29b56d67d0a4fdda255187f6a5885a7
SHA512 1f50c7bc719dbccb6ef74a5a56c02681e222b8ecd88347e2dad57d675a8c8c624e6cc7f62699d2b7362e9b57ff24c994a5c5699c4190f910555568916b0249f2

/data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 09485d0ae12ab18d75eb0ca54efbf49c
SHA1 f2daa5007a2479ee78c74e8f9eb013b946b9962d
SHA256 bc51d9fc51b0045e126dbb438b481b6808218cde64ec3fb51d3267d3212f79c4
SHA512 8d94715a8c019914628e911658ce1f17df8924c76d3e963004891040953c8c51d514cc89f9029a00119b0a06e7cb38830e5287096426e0399095c49622398be4

/data/data/com.timber.funny/app_DynamicOptDex/oat/oQXZESo.json.cur.prof

MD5 21ae8a4387ee5f8e59e17c0f8092844d
SHA1 3b14aee9af0eb5d97a9d0523a1d0620fe45ab4f0
SHA256 77f13e077a94ed8e5773946f438b50dfd69806c1e2288a1843d2bfd289ce9dfb
SHA512 e4c9e6ed315cf85d4a8c68890fe603912c4707a3a4add7a4b8e3adc34b50a215c7163f34aa3042d6cb863864aba2fb72cb31477ff4e67cef4487cf6a006a8c1c

Analysis: behavioral3

Detonation Overview

Submitted

2023-11-14 09:58

Reported

2023-11-14 10:21

Platform

android-x64-arm64-20231023-en

Max time kernel

3445114s

Max time network

171s

Command Line

com.timber.funny

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Makes use of the framework's Accessibility service.

Description             Indicator                                                                                                Process  Target
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  N/A      N/A
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId          N/A      N/A

Removes its main activity from the application launcher

stealth trojan

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Acquires the wake lock.

Description             Indicator                                 Process  Target
Framework service call  android.os.IPowerManager.acquireWakeLock  N/A      N/A

Loads dropped Dex/Jar

Description  Indicator                                                     Process  Target
N/A          /data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json  N/A      N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

Description    Indicator                                              Process  Target
Intent action  android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  N/A      N/A

Processes

com.timber.funny

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

Network

Country  Destination          Domain                          Proto
N/A      224.0.0.251:5353                                     udp
US       1.1.1.1:53           infinitedata-pa.googleapis.com  udp
DE       172.217.23.202:443   infinitedata-pa.googleapis.com  tcp
US       1.1.1.1:53           jsonplaceholder.typicode.com    udp
US       1.1.1.1:53           ssl.google-analytics.com        udp
NL       142.250.179.206:443                                  tcp
US       1.1.1.1:53           android.apis.google.com         udp
NL       172.217.168.206:443  android.apis.google.com         tcp
US       1.1.1.1:53           comolokko4152ertausicken.gq     udp
US       1.1.1.1:53           comolokko4152ertausicken.gq     udp
US       1.1.1.1:53           comolokko4152ertausicken.gq     udp
US       1.1.1.1:53           comolokko4152ertausicken.gq     udp
US       1.1.1.1:53           comolokko4152ertausicken.gq     udp
US       1.1.1.1:53           ssl.google-analytics.com        udp
US       1.1.1.1:53           comolokko4152ertausicken.gq     udp

Files

/data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 b9ef71e496c13f1d0adb890f09b0a6ac
SHA1 a0b768653d33a43094ec5d325fd14169f8e2943f
SHA256 2681dd696c408d25daecaa524b7ea7a8491e94cdc8c7e41f96de5650bba91e80
SHA512 189eb39f1b89a0768e5ad524289688a8bcddb7be1d84cdb9cf7eae9ea01a40a69207bbbd14d71a5bed0c38726726cc7ff4fb3ebe0e751817ac21f8bdce4c072e

/data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 27fba65ca18b132e52e55df1dc2d710a
SHA1 45e418b090bbaa73751145cd003ec18d91d68a10
SHA256 72147d67aefb8b20893ff3f22f75d449a29b56d67d0a4fdda255187f6a5885a7
SHA512 1f50c7bc719dbccb6ef74a5a56c02681e222b8ecd88347e2dad57d675a8c8c624e6cc7f62699d2b7362e9b57ff24c994a5c5699c4190f910555568916b0249f2

/data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 09485d0ae12ab18d75eb0ca54efbf49c
SHA1 f2daa5007a2479ee78c74e8f9eb013b946b9962d
SHA256 bc51d9fc51b0045e126dbb438b481b6808218cde64ec3fb51d3267d3212f79c4
SHA512 8d94715a8c019914628e911658ce1f17df8924c76d3e963004891040953c8c51d514cc89f9029a00119b0a06e7cb38830e5287096426e0399095c49622398be4

/data/user/0/com.timber.funny/app_DynamicOptDex/oat/oQXZESo.json.cur.prof

MD5 6e48bb814c39aa73a41052d2f8f9188c
SHA1 3f6d3cff521c9b719f3598814afa31b23f4d6cc7
SHA256 3c62edfd2dc5aa2e3e3e27d6fc4689ad36dbfaf533269b5aa69768ac87c9860e
SHA512 4d39f8a215df523970bb93be684a8225ec0141168bf77cd2ad5e2636904b059d302cec6594016e2942ee303707ea1ac7cdefd8a84f56290cf9f075d4674c3952

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-14 09:58

Reported

2023-11-14 10:20

Platform

android-x86-arm-20231023-en

Max time kernel

3445101s

Max time network

138s

Command Line

com.timber.funny

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Makes use of the framework's Accessibility service.

Description             Indicator                                                                                                Process  Target
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  N/A      N/A
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId          N/A      N/A

Removes its main activity from the application launcher

stealth trojan

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Acquires the wake lock.

Description             Indicator                                 Process  Target
Framework service call  android.os.IPowerManager.acquireWakeLock  N/A      N/A

Loads dropped Dex/Jar

Description  Indicator                                                     Process  Target
N/A          /data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json  N/A      N/A
N/A          /data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json  N/A      N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

Description    Indicator                                              Process  Target
Intent action  android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  N/A      N/A

Removes a system notification.

evasion

Description             Indicator                                                   Process  Target
Framework service call  android.app.INotificationManager.cancelNotificationWithTag  N/A      N/A

Processes

com.timber.funny

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.timber.funny/app_DynamicOptDex/oat/x86/oQXZESo.odex --compiler-filter=quicken --class-loader-context=&

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353                                         udp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
GB       216.58.208.106:443   semanticlocation-pa.googleapis.com  tcp
US       1.1.1.1:53           infinitedata-pa.googleapis.com      udp
DE       172.217.23.202:443   infinitedata-pa.googleapis.com      tcp
US       1.1.1.1:53           jsonplaceholder.typicode.com        udp
US       188.114.96.0:443     jsonplaceholder.typicode.com        tcp
NL       216.58.214.14:443                                        tcp
US       1.1.1.1:53           android.apis.google.com             udp
NL       142.250.179.174:443  android.apis.google.com             tcp
US       1.1.1.1:53           comolokko4152ertausicken.gq         udp
GB       216.58.208.106:443   infinitedata-pa.googleapis.com      tcp
US       1.1.1.1:53           comolokko4152ertausicken.gq         udp
US       1.1.1.1:53           comolokko4152ertausicken.gq         udp
US       1.1.1.1:53           comolokko4152ertausicken.gq         udp
US       1.1.1.1:53           comolokko4152ertausicken.gq         udp
US       1.1.1.1:53           comolokko4152ertausicken.gq         udp

Files

/data/data/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 b9ef71e496c13f1d0adb890f09b0a6ac
SHA1 a0b768653d33a43094ec5d325fd14169f8e2943f
SHA256 2681dd696c408d25daecaa524b7ea7a8491e94cdc8c7e41f96de5650bba91e80
SHA512 189eb39f1b89a0768e5ad524289688a8bcddb7be1d84cdb9cf7eae9ea01a40a69207bbbd14d71a5bed0c38726726cc7ff4fb3ebe0e751817ac21f8bdce4c072e

/data/data/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 27fba65ca18b132e52e55df1dc2d710a
SHA1 45e418b090bbaa73751145cd003ec18d91d68a10
SHA256 72147d67aefb8b20893ff3f22f75d449a29b56d67d0a4fdda255187f6a5885a7
SHA512 1f50c7bc719dbccb6ef74a5a56c02681e222b8ecd88347e2dad57d675a8c8c624e6cc7f62699d2b7362e9b57ff24c994a5c5699c4190f910555568916b0249f2

/data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 09485d0ae12ab18d75eb0ca54efbf49c
SHA1 f2daa5007a2479ee78c74e8f9eb013b946b9962d
SHA256 bc51d9fc51b0045e126dbb438b481b6808218cde64ec3fb51d3267d3212f79c4
SHA512 8d94715a8c019914628e911658ce1f17df8924c76d3e963004891040953c8c51d514cc89f9029a00119b0a06e7cb38830e5287096426e0399095c49622398be4

/data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json

MD5 cd68bd369ad3a243d685c016f4488780
SHA1 7e595a755c12a440d35f37bebb968c25032ff3f9
SHA256 c9ffe96e34b133ef1688d93e51e7d8340f52f6f62cc33121997086313604fb9a
SHA512 0c4c565d5da0cfec92b1ba33475522c74b8e9faacbd29d2b09d1f4daafdc0c5a70517094278f6c311026785a5e51876346dd623ce2ea0974ded69108c93c57a5

/data/data/com.timber.funny/app_DynamicOptDex/oat/oQXZESo.json.cur.prof

MD5 0290e28e0ecd613b9b1333fa0367bc36
SHA1 9d1d7d9bb6fc209b7ca26ea35f2ebd88c564860c
SHA256 a916564893d998765a21a87d5910c038302a2a7a0829b233b8d85f36abdd5a75
SHA512 c27f5a6535960c450a2e92cc2454ece00912c21a5f57cd1546775f272c18062c057851f61de7b5bafbc57d72ef6f0f0d2674926ffcc8bb786ca7bd78fb34afb2