Malware Analysis Report

2024-10-19 11:57

Sample ID 231204-1wsa4afg7w
Target 23b3e076cdab5b50881f23a26a0f7d1d64b600ea5a8856da2a4f3adab81203a6.bin
SHA256 23b3e076cdab5b50881f23a26a0f7d1d64b600ea5a8856da2a4f3adab81203a6
Tags
alienbot cerberus banker evasion infostealer rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

23b3e076cdab5b50881f23a26a0f7d1d64b600ea5a8856da2a4f3adab81203a6

Threat Level: Known bad

The file 23b3e076cdab5b50881f23a26a0f7d1d64b600ea5a8856da2a4f3adab81203a6.bin was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker evasion infostealer rat stealth trojan

Alienbot

Cerberus payload

Cerberus

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service.

Acquires the wake lock.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-04 22:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-04 22:00

Reported

2023-12-04 22:03

Platform

android-x86-arm-20231023-en

Max time kernel

920325s

Max time network

133s

Command Line

com.side.husband

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

com.side.husband

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.side.husband/app_DynamicOptDex/oat/x86/mfOdosA.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 172.217.168.234:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.64.165.25:443 jsonplaceholder.typicode.com tcp
NL 142.251.36.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.206:443 android.apis.google.com tcp
US 1.1.1.1:53 bpargastasyas.ml udp
NL 142.251.36.10:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 5e3e44c7b57c1ec0357ea6890e91eb07
SHA1 197f55b788d78f7e74861c31d05bf9eea285ad03
SHA256 13a58f8173e217ce1a5b46d552ddfb3c3e2e04b6d7c44c6cd3a211b83850e061
SHA512 b9414faab533bd6a7fe4e62217779b831e888f64182d7d43faa5a70e9cf27433daf7340305c3ecc9d905b887b9e818f37310729bae0a6d53e7b25cd059d7a35c

/data/data/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 165cff3acd86133745c2bfbf7fea8f89
SHA1 f507a90d90e19f8639c1f05bd0fbdc6dde975280
SHA256 a8f157ac47912dfb4bab7c7895dbf6d7abe3b963e51f9062d66d92ce0ee832fc
SHA512 a6a20013972c0e327264ea932911e4fa11dda795ebfdd8cb763b8beba6dab4b9766a669deb4bf707680d5a2cb1aaa8838948c98acaa9fbbf577b715c038733d8

/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 8ea5dae61ca0889417db86ff26fea3ee
SHA1 85c9bc2f074bc5450af76d0acafb1f27939e22b9
SHA256 69c7ae04bc1ecc5217f1a3eef149382edc589ce183d4b5062193c2f8974c7690
SHA512 c55fdaf2af279a525b507e2a7aa2d2a5e771bcb872fb8ce4eeca626078475f45b8135b91a6de21ebfa89fd0fdc5f3e4a88551bf21b0b446437bfefcab5c2abe1

/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 71c46fd2fecee9eda372ed4dd410e13e
SHA1 9f4f16d3572e4218047d5c48fa425a5cd16247b4
SHA256 86e90910a7579bb45649cfef0bcf24c8c6d6dbd24cb9009ba402a8a21ac391f4
SHA512 e62874e7daa03b5a47d01d7db3e3d82e0e77bcb50272b6662b2a9b9630045624f8268f942afa2c346cb693bcbbbfcae2179b74e918a0f692eb8677d6588ed8db

/data/data/com.side.husband/app_DynamicOptDex/oat/mfOdosA.json.cur.prof

MD5 99b09cb11f05d1d9312e0b25340bc1b3
SHA1 4f7b8f64d224cde6b40160325b602fd87abf7a2e
SHA256 3ff696b0e3dc9106638109ae1b20689f8f1c50c3df5792975401305b04084c3a
SHA512 c48aa2e8f1e291571d6217b6f54ac5f9d63650d904a85083cfc843cdcc335d901cca0c69e11dd38e81ef53b277b0753c7ac7e1fea2f82917b43ed8719dcacef8
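The Processes section above shows dex2oat being handed app_DynamicOptDex/mfOdosA.json as its --dex-file, so the ".json" written to the app's private storage is DEX bytecode (or a JAR/APK wrapping one), not configuration. The following is an added example, not part of the sandbox output: it decides whether a dropped file is really DEX by parsing the header and re-deriving its integrity fields (Adler-32 checksum and SHA-1 signature), unwraps classes*.dex from a JAR/APK, and compares the container's SHA-256 against the hashes listed in the Files section of this detonation. The sample inputs built by build_minimal_dex() and build_minimal_jar() are constructed header-only blobs, not the real payload.

```python
"""Check whether a dropped file is really DEX code, regardless of its name.

Added example for this report, not sandbox output. The test inputs built
below are constructed; the only data taken from the report is the hash set.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGICS = {b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0"}
HEADER_SIZE = 0x70            # dex header_item is always 0x70 bytes
ENDIAN_CONSTANT = 0x12345678  # endian_tag value for little-endian files

# SHA-256 of the dropped mfOdosA.json files listed in the behavioral1 Files section.
REPORT_PAYLOAD_SHA256 = {
    "13a58f8173e217ce1a5b46d552ddfb3c3e2e04b6d7c44c6cd3a211b83850e061",
    "a8f157ac47912dfb4bab7c7895dbf6d7abe3b963e51f9062d66d92ce0ee832fc",
    "69c7ae04bc1ecc5217f1a3eef149382edc589ce183d4b5062193c2f8974c7690",
    "86e90910a7579bb45649cfef0bcf24c8c6d6dbd24cb9009ba402a8a21ac391f4",
}


def inspect_dex(data):
    """Parse the dex header_item and cross-check its integrity fields.

    0x00 magic[8]  0x08 checksum u32 = Adler-32 over bytes 12..end
    0x0c signature[20] = SHA-1 over bytes 32..end
    0x20 file_size  0x24 header_size (0x70)  0x28 endian_tag
    """
    if len(data) < HEADER_SIZE or data[:8] not in DEX_MAGICS:
        return {"is_dex": False}
    (checksum,) = struct.unpack_from("<I", data, 8)
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "is_dex": True,
        "version": data[4:7].decode("ascii"),
        "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": data[12:32] == hashlib.sha1(data[32:]).digest(),
        "file_size_ok": file_size == len(data),
        "header_size_ok": header_size == HEADER_SIZE,
        "little_endian": endian_tag == ENDIAN_CONSTANT,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def dex_candidates(data):
    """Raw DEX -> [("", data)]; ZIP/JAR/APK -> its classes*.dex members; else []."""
    if data[:8] in DEX_MAGICS:
        return [("", data)]
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(n, zf.read(n)) for n in zf.namelist()
                    if n.startswith("classes") and n.endswith(".dex")]
    return []


def triage_dropped_file(data, name):
    """One-line verdict for a file written to the app's private storage."""
    cands = dex_candidates(data)
    if not cands:
        return f"{name}: not DEX or JAR"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    disguised = ext not in ("dex", "jar", "apk", "odex")  # code hiding behind a data extension
    parts = []
    for member, blob in cands:
        info = inspect_dex(blob)
        if not info["is_dex"]:
            parts.append(f"{member or name}: bad dex header")
            continue
        intact = all(info[k] for k in ("checksum_ok", "signature_ok", "file_size_ok", "header_size_ok"))
        parts.append(f"{member or 'raw'} dex v{info['version']} header {'intact' if intact else 'INCONSISTENT'}")
    known = hashlib.sha256(data).hexdigest() in REPORT_PAYLOAD_SHA256
    ioc = "matches report IOC" if known else "sha256 not in report"
    return f"{name}: {'DISGUISED ' if disguised else ''}{'; '.join(parts)}; {ioc}"


def build_minimal_dex():
    """Constructed input: header-only DEX (no sections) with valid checksum and signature."""
    body = struct.pack("<III", HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT)
    body += b"\0" * (HEADER_SIZE - 32 - len(body))
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + body


def build_minimal_jar():
    """Constructed input: a JAR wrapping the minimal DEX as classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", build_minimal_dex())
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in (("mfOdosA.json", build_minimal_dex()),
                       ("mfOdosA.json", build_minimal_jar()),
                       ("config.json", b'{"c2": null}')):
        print(triage_dropped_file(data, name))
```

A header that parses as DEX but fails the checksum or signature check is itself a signal: either the file was patched after compilation or it is still encrypted/obfuscated on disk and only decoded in memory before loading. Run this over every file the sandbox dumps from app_DynamicOptDex/, not just the ones named like code.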

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-04 22:00

Reported

2023-12-04 22:03

Platform

android-x64-20231023.1-en

Max time kernel

920338s

Max time network

170s

Command Line

com.side.husband

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json N/A N/A

Processes

com.side.husband

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 172.217.168.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.64.165.25:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 bpargastasyas.ml udp
US 1.1.1.1:53 android.apis.google.com udp
NL 172.217.168.206:443 android.apis.google.com tcp
US 1.1.1.1:53 bpargastasyas.ml udp
US 1.1.1.1:53 bpargastasyas.ml udp
DE 172.217.23.194:443 tcp

Files

/data/data/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 5e3e44c7b57c1ec0357ea6890e91eb07
SHA1 197f55b788d78f7e74861c31d05bf9eea285ad03
SHA256 13a58f8173e217ce1a5b46d552ddfb3c3e2e04b6d7c44c6cd3a211b83850e061
SHA512 b9414faab533bd6a7fe4e62217779b831e888f64182d7d43faa5a70e9cf27433daf7340305c3ecc9d905b887b9e818f37310729bae0a6d53e7b25cd059d7a35c

/data/data/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 165cff3acd86133745c2bfbf7fea8f89
SHA1 f507a90d90e19f8639c1f05bd0fbdc6dde975280
SHA256 a8f157ac47912dfb4bab7c7895dbf6d7abe3b963e51f9062d66d92ce0ee832fc
SHA512 a6a20013972c0e327264ea932911e4fa11dda795ebfdd8cb763b8beba6dab4b9766a669deb4bf707680d5a2cb1aaa8838948c98acaa9fbbf577b715c038733d8

/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 8ea5dae61ca0889417db86ff26fea3ee
SHA1 85c9bc2f074bc5450af76d0acafb1f27939e22b9
SHA256 69c7ae04bc1ecc5217f1a3eef149382edc589ce183d4b5062193c2f8974c7690
SHA512 c55fdaf2af279a525b507e2a7aa2d2a5e771bcb872fb8ce4eeca626078475f45b8135b91a6de21ebfa89fd0fdc5f3e4a88551bf21b0b446437bfefcab5c2abe1

/data/data/com.side.husband/app_DynamicOptDex/oat/mfOdosA.json.cur.prof

MD5 e69464ee9b2dbefbbb1ea3e0adcac01d
SHA1 9b3ac8900ad0929049c215b65b1173299b1e4787
SHA256 36c8ff550cc1e74dd2b01cd483061eb7011efb038507b310a14be9e1924e512e
SHA512 c33622574a414b70006a1e0a30b37a79df916eab4ad20d97d4b146e0baecce170837dbd3d3a1ccd6094f08d50c7ed7b7727188113d6dba883b66f7e128faf65d

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-04 22:00

Reported

2023-12-04 22:03

Platform

android-x64-arm64-20231023-en

Max time kernel

920337s

Max time network

155s

Command Line

com.side.husband

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

com.side.husband

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.64.164.25:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 bpargastasyas.ml udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.8:443 ssl.google-analytics.com tcp
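Across all three detonations the Network tables mix emulator noise (mDNS, Google Play services endpoints) with the sample's own traffic, and bpargastasyas.ml appears only as a DNS query with no follow-up connection. The following is an added example, not part of the sandbox output: it parses a Network table in the format used on this page, drops the mDNS chatter, folds DNS lookups and connections per domain, and separates platform traffic from third-party and DNS-only domains. The table text embedded below is copied from the behavioral3 section; treating *.googleapis.com, *.google.com and *.google-analytics.com as platform traffic is a triage assumption made here, not something the report states, and "dns-only" means only that no connection to the name was recorded (the report does not say whether the lookup failed, the host was down, or the domain was sinkholed).

```python
"""Separate platform noise from C2 candidates in a sandbox Network table.

Added example for this report, not sandbox output. The table below is the
behavioral3 Network section as printed on the page; the same parser works
on the behavioral1 and behavioral2 tables.
"""

BEHAVIORAL3_NETWORK = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.64.164.25:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 bpargastasyas.ml udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.8:443 ssl.google-analytics.com tcp
"""

# Assumption for triage: these suffixes are emulator/Play services traffic.
PLATFORM_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")
MDNS = ("224.0.0.251", 5353)


def parse_rows(table):
    """Rows are 'COUNTRY IP:PORT [DOMAIN] PROTO'; the header and malformed lines are skipped."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        ip, sep, port = dest.rpartition(":")
        if not sep or not port.isdigit():
            continue
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage_network(rows):
    """Per-domain verdict: platform | third-party | dns-only | connect-without-domain."""
    seen = {}
    for r in rows:
        if (r["ip"], r["port"]) == MDNS:
            continue  # multicast DNS from the emulator, not the sample
        entry = seen.setdefault(r["domain"], {"dns": 0, "connects": set()})
        if r["port"] == 53 and r["proto"] == "udp":
            entry["dns"] += 1
        else:
            entry["connects"].add((r["ip"], r["port"], r["proto"]))
    verdicts = {}
    for domain, e in seen.items():
        if not domain:
            kind = "connect-without-domain"   # IP contacted with no name in the table
        elif domain.endswith(PLATFORM_SUFFIXES):
            kind = "platform"
        elif not e["connects"]:
            kind = "dns-only"                 # resolved (or attempted) but never contacted
        else:
            kind = "third-party"
        verdicts[domain] = {"kind": kind, "dns_queries": e["dns"],
                            "connects": sorted(e["connects"])}
    return verdicts


def c2_candidates(verdicts):
    """Domains worth pivoting on: anything that is neither platform nor nameless."""
    return sorted(d for d, v in verdicts.items() if v["kind"] in ("dns-only", "third-party"))


if __name__ == "__main__":
    verdicts = triage_network(parse_rows(BEHAVIORAL3_NETWORK))
    for domain, v in sorted(verdicts.items()):
        print(f"{domain or '<no domain>':40} {v['kind']:24} dns={v['dns_queries']} connects={v['connects']}")
    print("candidates:", c2_candidates(verdicts))
```

On this page the result is the same for all three detonations: bpargastasyas.ml is dns-only and jsonplaceholder.typicode.com is the only third-party host actually contacted over TCP 443. Neither is emulator noise, so both belong on the blocklist derived from this report, and the 443 session to jsonplaceholder.typicode.com is the one to pull from the pcap.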

Files

/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 5e3e44c7b57c1ec0357ea6890e91eb07
SHA1 197f55b788d78f7e74861c31d05bf9eea285ad03
SHA256 13a58f8173e217ce1a5b46d552ddfb3c3e2e04b6d7c44c6cd3a211b83850e061
SHA512 b9414faab533bd6a7fe4e62217779b831e888f64182d7d43faa5a70e9cf27433daf7340305c3ecc9d905b887b9e818f37310729bae0a6d53e7b25cd059d7a35c

/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 165cff3acd86133745c2bfbf7fea8f89
SHA1 f507a90d90e19f8639c1f05bd0fbdc6dde975280
SHA256 a8f157ac47912dfb4bab7c7895dbf6d7abe3b963e51f9062d66d92ce0ee832fc
SHA512 a6a20013972c0e327264ea932911e4fa11dda795ebfdd8cb763b8beba6dab4b9766a669deb4bf707680d5a2cb1aaa8838948c98acaa9fbbf577b715c038733d8

/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 8ea5dae61ca0889417db86ff26fea3ee
SHA1 85c9bc2f074bc5450af76d0acafb1f27939e22b9
SHA256 69c7ae04bc1ecc5217f1a3eef149382edc589ce183d4b5062193c2f8974c7690
SHA512 c55fdaf2af279a525b507e2a7aa2d2a5e771bcb872fb8ce4eeca626078475f45b8135b91a6de21ebfa89fd0fdc5f3e4a88551bf21b0b446437bfefcab5c2abe1

/data/user/0/com.side.husband/app_DynamicOptDex/oat/mfOdosA.json.cur.prof

MD5 ef7c8229d637843bc86fc7199dbbd54d
SHA1 9f04941de5e96e6f515d77080c70c495a470bb0e
SHA256 33f4abb01dae37691631aa2c8bacabb7d176f805afef35f4902eb5865bf85de0
SHA512 1325209e22f5db63f4a9791ee6e7b3355b389358b91b3f4d7b36372007f655961e7223910b08622dacb23fa6b063edb741bbd5114203dda0f2145f7e4e3802bd