Malware Analysis Report

2024-10-19 11:55

Sample ID 231214-pk183sdedq
Target base.apk
SHA256 5362c4101f153eedaca5344cdec4897af155b364dd1609ad19a495af745fcc50
Tags alienbot cerberus banker evasion infostealer rat stealth trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 5362c4101f153eedaca5344cdec4897af155b364dd1609ad19a495af745fcc50

Threat Level: Known bad

The file base.apk was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker evasion infostealer rat stealth trojan

Alienbot

Cerberus

Cerberus payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2023-12-14 12:24

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-14 12:24
Reported 2023-12-14 12:26
Platform android-x86-arm-20231211-en
Max time kernel 1749738s
Max time network 143s

Command Line

foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json | N/A | N/A
N/A | /data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json | N/A | N/A
N/A | /data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/oat/x86/mUQtlh.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
FR | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | addictedlong.site | udp
US | 1.1.1.1:53 | t.me | udp
NL | 149.154.167.99:443 | t.me | tcp
NL | 149.154.167.99:443 | t.me | tcp
NL | 149.154.167.99:443 | t.me | tcp

Files

/data/data/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json

MD5 fb33eb463732cb22c9fa6281af32f814
SHA1 9b74cc5a6bcb8061a1d93e818356990a878bbf99
SHA256 aa8cc1cf5ec846eafb1d3c2f9d19c92350c850288470ad6c29ddfcf687bf3586
SHA512 93dc2f9c78184b59c349f28d1bd13e057d54c1de8a29f38a7935b9c8fb60567319d30554d7024be0113a702a33c33b853367a47df1dc2af9f3ef1b495ec8f42f

/data/data/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json

MD5 b23525a9986a5d1e869d8fdb5f775130
SHA1 1d5d1e56ebd86459c34dcbf6e60a5241cc9c1674
SHA256 653d45767b0b59753709b4b402b6539ee899d5d37dfa84598ebe11d927a62139
SHA512 a84824fe9efc6f63495cc8c334cfa7a6ba9d2e0d478b5e3bb4f03a6012f3e6483ae1d9ae6c409f3b79949227ef6257a07f313d35c4b474326e20a139f65f6146

/data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json

MD5 3658d6421c98e35e139ab334706feac2
SHA1 eb7d934c51284e607483dea3ab5078788bf77ca0
SHA256 127d36a740b3c03c854d83af0c27f454ca17ba97c3bbe2763ce5fef044af124c
SHA512 e22b7e2e6e7b3717536bf295e47e45592dfdb7699ad9e61edf0a58b0ed0d8839e7f85321ba67298bf95846b9e9ee74b1ad5daa71711c464f9297a62a2695a86e

/data/data/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/oat/mUQtlh.json.cur.prof

MD5 e1d9f03bd456e88558a50a52468315d6
SHA1 1b4ba342839de88eab60e2e3be95ae547bd1be46
SHA256 1a37410ab0c4e2191d36e16838b067d697b6e437374dd00bdcb88814d2f1746b
SHA512 f4e01b1b0c2886eba714755eb57d76a3760576a4becff7d51a76e725b703a7af9239ec06770c6ec7297e4f390427b59575c45f66b0a5ee8922078737844188b7

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-14 12:24
Reported 2023-12-14 12:26
Platform android-x64-20231211-en
Max time kernel 1749749s
Max time network 145s

Command Line

foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json | N/A | N/A
N/A | /data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json | N/A | N/A

Processes

foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | addictedlong.site | udp
US | 1.1.1.1:53 | t.me | udp
NL | 149.154.167.99:443 | t.me | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp

Files

/data/data/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json

MD5 fb33eb463732cb22c9fa6281af32f814
SHA1 9b74cc5a6bcb8061a1d93e818356990a878bbf99
SHA256 aa8cc1cf5ec846eafb1d3c2f9d19c92350c850288470ad6c29ddfcf687bf3586
SHA512 93dc2f9c78184b59c349f28d1bd13e057d54c1de8a29f38a7935b9c8fb60567319d30554d7024be0113a702a33c33b853367a47df1dc2af9f3ef1b495ec8f42f

/data/data/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json

MD5 b23525a9986a5d1e869d8fdb5f775130
SHA1 1d5d1e56ebd86459c34dcbf6e60a5241cc9c1674
SHA256 653d45767b0b59753709b4b402b6539ee899d5d37dfa84598ebe11d927a62139
SHA512 a84824fe9efc6f63495cc8c334cfa7a6ba9d2e0d478b5e3bb4f03a6012f3e6483ae1d9ae6c409f3b79949227ef6257a07f313d35c4b474326e20a139f65f6146

/data/data/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/oat/mUQtlh.json.cur.prof

MD5 018d922025953412cd3f79e9e3258e23
SHA1 f32439d854167f3fea35fc2f66aab12c77e09b4c
SHA256 9c1677c72348a2251a386920fbf894f9881ec8a14698031f381c31e39d9b3e0d
SHA512 6ae9238f44884eff7ad33404668b312d02288474f0763804c01ef868bc011a670f66c795c8b086868b568f71465cd72d936a151f3c8226e05f89e82764411ad5

Analysis: behavioral3

Detonation Overview

Submitted 2023-12-14 12:24
Reported 2023-12-14 12:26
Platform android-x64-arm64-20231211-en
Max time kernel 1749743s
Max time network 150s

Command Line

foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json | N/A | N/A
N/A | /data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh

Network

Country | Destination | Domain | Proto
FR | 216.58.201.106:443 | | udp
GB | 142.250.200.14:443 | | udp
N/A | 224.0.0.251:5353 | | udp
FR | 216.58.204.74:443 | | tcp
FR | 216.58.204.74:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | addictedlong.site | udp
US | 1.1.1.1:53 | t.me | udp
NL | 149.154.167.99:443 | t.me | tcp
GB | 172.217.169.4:443 | | tcp
GB | 172.217.169.4:443 | | tcp

Files

/data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json

MD5 fb33eb463732cb22c9fa6281af32f814
SHA1 9b74cc5a6bcb8061a1d93e818356990a878bbf99
SHA256 aa8cc1cf5ec846eafb1d3c2f9d19c92350c850288470ad6c29ddfcf687bf3586
SHA512 93dc2f9c78184b59c349f28d1bd13e057d54c1de8a29f38a7935b9c8fb60567319d30554d7024be0113a702a33c33b853367a47df1dc2af9f3ef1b495ec8f42f

/data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json

MD5 b23525a9986a5d1e869d8fdb5f775130
SHA1 1d5d1e56ebd86459c34dcbf6e60a5241cc9c1674
SHA256 653d45767b0b59753709b4b402b6539ee899d5d37dfa84598ebe11d927a62139
SHA512 a84824fe9efc6f63495cc8c334cfa7a6ba9d2e0d478b5e3bb4f03a6012f3e6483ae1d9ae6c409f3b79949227ef6257a07f313d35c4b474326e20a139f65f6146

/data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/oat/mUQtlh.json.cur.prof

MD5 1823397e503d710f81ab06daca22beca
SHA1 5a03413ff4dcb1482eb1fc26ff6eab22de21bb25
SHA256 8bc28411f611906d8207a45fab3cddcf4adcfde60952840770bf723a70aaefc5
SHA512 92776d2e496171c5e73943b30e3927e0484155f79da56c191ff31116ffd0154805df22489f1317f75929e7f4ea2ad740ca6196ae8e589190631b29a8987c53a3