Malware Analysis Report

2024-10-19 11:56

Sample ID 231127-1wxktadc7v
Target 45f01f69b0c5b25a3c90808eb889d4c649087e72668edb90b9d982b2dfcfe87e.bin
SHA256 45f01f69b0c5b25a3c90808eb889d4c649087e72668edb90b9d982b2dfcfe87e
Tags
alienbot cerberus banker evasion infostealer rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

45f01f69b0c5b25a3c90808eb889d4c649087e72668edb90b9d982b2dfcfe87e

Threat Level: Known bad

The file 45f01f69b0c5b25a3c90808eb889d4c649087e72668edb90b9d982b2dfcfe87e.bin was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker evasion infostealer rat stealth trojan

Cerberus payload

Alienbot

Cerberus

Makes use of the framework's Accessibility service.

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Requests dangerous framework permissions

Acquires the wake lock.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-11-27 22:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-27 22:00

Reported

2023-11-27 22:03

Platform

android-x86-arm-20231023-en

Max time kernel

315530s

Max time network

138s

Command Line

com.warrior.priority

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json N/A N/A
N/A /data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

com.warrior.priority

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.warrior.priority/app_DynamicOptDex/oat/x86/XfS.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
DE 172.217.23.202:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.64.132.18:443 jsonplaceholder.typicode.com tcp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ukalasahne.net udp
NL 142.250.179.138:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.warrior.priority/app_DynamicOptDex/XfS.json

MD5 2cfecc18ef54d20cf76d4466e538e892
SHA1 74caeef82f43274d5e82aa8f47879827fe8bfbd4
SHA256 e485e2ce0aa58e74e7882fa406aeda0b717fde1f64e1f999fce1f7dba1b8cef0
SHA512 229d03343b4a960ca2730754be5980ac29e80d82aba58564004d2840e0274929337f664ba76d64b0e8d6ac02c7d75dec888f222cdcfce5aa2921567495e95ac4

/data/data/com.warrior.priority/app_DynamicOptDex/XfS.json

MD5 593c0ddd4d2d69fa42bd1cf5015eb248
SHA1 90530f01fd550a0d51d92a5cf726b26b0e9264a4
SHA256 4be618659daa106c1e512dd791b3b6bc396a5802f18f0a3b616304703baa5906
SHA512 bcd1988379092cca3e2202bc99410ccf7e2a62285b8fe43d50294c1fe560d76bef3aacfd57900e6edc5f9d8195c5ce5874fd850baf76233a7d8e47d2f1e084e2

/data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json

MD5 eb38e7017072f8078c1662ca8dd7949a
SHA1 a31933d2fdb92bb5b0563d25f8151e0023748c90
SHA256 848117e1861aa672f0ac10f27bf8a8c3adb032262064e8740f51ccb8f382d65a
SHA512 ad5871421bc1e0193e4714d9a8841da818eb8d0e0a0de86b3f9efcdabf2ff61b4aa7de390e11ad695af2e0134c11d0f9c785f91eb6168ca44ae762f01dd1d942

/data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json

MD5 29f2103e368650e0d9e7e643dc69b22f
SHA1 b4d347b519aa923a704ce5b7cbe870628a0f70cd
SHA256 b882104ae41264aa3a8236d247700d43f6fa33e1bae851a368de8b8647513f7d
SHA512 504742bbef53ccb0b33f9cedde33e45236473b3686dca35b53e79ab775001bc1e2e16e225feccbd7a09ee0ca18cd7e703a5d451272151d65b6ebc8610f734112

/data/data/com.warrior.priority/app_DynamicOptDex/oat/XfS.json.cur.prof

MD5 0337f32da6938403419340ce5249237e
SHA1 434bede31d498aae89603afced4a43ca694a0827
SHA256 bfaac91c5b3db34e37ce83d15d697d38365ef4c01029a0c54ff1e99c49168096
SHA512 d5ec4fa7f549e9c58777511ad61d8af07b090a2f9a4b2f95a90336bd7b87bb4be367f2657bb91cc81f7945b069dc39b6b8ba8fad0ceaefe55126138568ef5049

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-27 22:00

Reported

2023-11-27 22:03

Platform

android-x64-20231023.1-en

Max time kernel

315452s

Max time network

143s

Command Line

com.warrior.priority

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json N/A N/A

Processes

com.warrior.priority

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
DE 172.217.23.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.208.110:443 android.apis.google.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 1.1.1.1:53 ukalasahne.net udp
US 1.1.1.1:53 ukalasahne.net udp
NL 142.250.179.132:443 tcp
NL 142.250.27.188:5228 tcp
NL 142.250.179.142:443 tcp
NL 172.217.168.226:443 tcp
US 1.1.1.1:53 ukalasahne.net udp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.208.110:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp

Files

/data/data/com.warrior.priority/app_DynamicOptDex/XfS.json

MD5 2cfecc18ef54d20cf76d4466e538e892
SHA1 74caeef82f43274d5e82aa8f47879827fe8bfbd4
SHA256 e485e2ce0aa58e74e7882fa406aeda0b717fde1f64e1f999fce1f7dba1b8cef0
SHA512 229d03343b4a960ca2730754be5980ac29e80d82aba58564004d2840e0274929337f664ba76d64b0e8d6ac02c7d75dec888f222cdcfce5aa2921567495e95ac4

/data/data/com.warrior.priority/app_DynamicOptDex/XfS.json

MD5 593c0ddd4d2d69fa42bd1cf5015eb248
SHA1 90530f01fd550a0d51d92a5cf726b26b0e9264a4
SHA256 4be618659daa106c1e512dd791b3b6bc396a5802f18f0a3b616304703baa5906
SHA512 bcd1988379092cca3e2202bc99410ccf7e2a62285b8fe43d50294c1fe560d76bef3aacfd57900e6edc5f9d8195c5ce5874fd850baf76233a7d8e47d2f1e084e2

/data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json

MD5 eb38e7017072f8078c1662ca8dd7949a
SHA1 a31933d2fdb92bb5b0563d25f8151e0023748c90
SHA256 848117e1861aa672f0ac10f27bf8a8c3adb032262064e8740f51ccb8f382d65a
SHA512 ad5871421bc1e0193e4714d9a8841da818eb8d0e0a0de86b3f9efcdabf2ff61b4aa7de390e11ad695af2e0134c11d0f9c785f91eb6168ca44ae762f01dd1d942

/data/data/com.warrior.priority/app_DynamicOptDex/oat/XfS.json.cur.prof

MD5 494a3125457f1fd134010bf31808921f
SHA1 2db41323ac85e7c7a277b33855c4e3b7e27253ea
SHA256 b2dabf2f12bebe6c13c5befcb16dee937622ca3b9efc1c7e836dab4851ecc061
SHA512 5bf03271c9a1573db3e5ac63f6b399c7d26c6a8de882076ff491b90436d7e2f60e6b6f8ffb445c7f28828d6606a7388cc9ad250e99c6b35c0feb38ab5cd8a739

Analysis: behavioral3

Detonation Overview

Submitted

2023-11-27 22:00

Reported

2023-11-27 22:03

Platform

android-x64-arm64-20231023-en

Max time kernel

315548s

Max time network

160s

Command Line

com.warrior.priority

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

com.warrior.priority

Network

Country Destination Domain Proto
NL 142.250.179.142:443 tcp
NL 142.250.179.142:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 216.58.214.10:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 1.1.1.1:53 ukalasahne.net udp
US 1.1.1.1:53 ukalasahne.net udp

Files

/data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json

MD5 2cfecc18ef54d20cf76d4466e538e892
SHA1 74caeef82f43274d5e82aa8f47879827fe8bfbd4
SHA256 e485e2ce0aa58e74e7882fa406aeda0b717fde1f64e1f999fce1f7dba1b8cef0
SHA512 229d03343b4a960ca2730754be5980ac29e80d82aba58564004d2840e0274929337f664ba76d64b0e8d6ac02c7d75dec888f222cdcfce5aa2921567495e95ac4

/data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json

MD5 593c0ddd4d2d69fa42bd1cf5015eb248
SHA1 90530f01fd550a0d51d92a5cf726b26b0e9264a4
SHA256 4be618659daa106c1e512dd791b3b6bc396a5802f18f0a3b616304703baa5906
SHA512 bcd1988379092cca3e2202bc99410ccf7e2a62285b8fe43d50294c1fe560d76bef3aacfd57900e6edc5f9d8195c5ce5874fd850baf76233a7d8e47d2f1e084e2

/data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json

MD5 eb38e7017072f8078c1662ca8dd7949a
SHA1 a31933d2fdb92bb5b0563d25f8151e0023748c90
SHA256 848117e1861aa672f0ac10f27bf8a8c3adb032262064e8740f51ccb8f382d65a
SHA512 ad5871421bc1e0193e4714d9a8841da818eb8d0e0a0de86b3f9efcdabf2ff61b4aa7de390e11ad695af2e0134c11d0f9c785f91eb6168ca44ae762f01dd1d942

/data/user/0/com.warrior.priority/app_DynamicOptDex/oat/XfS.json.cur.prof

MD5 6070ada59ffbe31405b3030e7d7644d0
SHA1 141e31cfb4bd63fc15270efd3873fa576557d7e0
SHA256 3ca5d9a2200c1adf64498f344736fa129aa8958a95c4ef08d4236ecb8b93e86d
SHA512 c7dfae531b769e96acade73e2810f4c96f9fb53f7d28fa30e06840aafa67c6a16f7e9ea2ac8eeb176600ab2b0f6e670835d78765a4cc0211fc1e9e3fc33f952b

Analysis: behavioral4

Detonation Overview

Submitted

2023-11-27 22:00

Reported

2023-11-27 22:03

Platform

debian9-armhf-20231026-en

Max time kernel

4s

Command Line

[/tmp/libEncryptorP.so]

Signatures

N/A

Processes

/tmp/libEncryptorP.so

[/tmp/libEncryptorP.so]

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-11-27 22:00

Reported

2023-11-27 22:03

Platform

debian9-armhf-20231026-en

Max time kernel

4s

Command Line

[/tmp/libapminsighta.so]

Signatures

N/A

Processes

/tmp/libapminsighta.so

[/tmp/libapminsighta.so]

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-11-27 22:00

Reported

2023-11-27 22:00

Platform

debian9-armhf-20231026-en

Max time kernel

3s

Command Line

[/tmp/libapminsightb.so]

Signatures

N/A

Processes

/tmp/libapminsightb.so

[/tmp/libapminsightb.so]

Network

N/A

Files

N/A