Malware Analysis Report

2024-10-19 11:55

Sample ID 231216-1w6hqadaen
Target 76aae1533f1aca39631fe0a053338850966815e808332ce67ea3c0b4cd85a174.bin
SHA256 76aae1533f1aca39631fe0a053338850966815e808332ce67ea3c0b4cd85a174
Tags
alienbot cerberus banker evasion infostealer rat stealth trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

76aae1533f1aca39631fe0a053338850966815e808332ce67ea3c0b4cd85a174

Threat Level: Known bad

The file 76aae1533f1aca39631fe0a053338850966815e808332ce67ea3c0b4cd85a174.bin was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker evasion infostealer rat stealth trojan

Cerberus

Alienbot

Cerberus payload

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-16 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-16 22:01

Reported

2023-12-16 22:06

Platform

android-x86-arm-20231215-en

Max time kernel

1957300s

Max time network

130s

Command Line

garlic.picnic.hungry

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json N/A N/A
N/A /data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json N/A N/A
N/A /data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

garlic.picnic.hungry

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/oat/x86/toMxiA.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 104.21.59.19:443 jsonplaceholder.typicode.com tcp
FR 216.58.201.110:443 tcp
FR 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 asayratermalhotel.xyz udp

Files

/data/data/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json


/data/data/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json


/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json


/data/data/garlic.picnic.hungry/app_DynamicOptDex/oat/toMxiA.json.cur.prof


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-16 22:01

Reported

2023-12-16 22:04

Platform

android-x64-20231215-en

Max time kernel

1957222s

Max time network

160s

Command Line

garlic.picnic.hungry

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json N/A N/A
N/A /data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

garlic.picnic.hungry

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 104.21.59.19:443 jsonplaceholder.typicode.com tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 asayratermalhotel.xyz udp
FR 216.58.201.100:443 tcp
FR 216.58.201.100:443 tcp
GB 172.217.169.46:443 tcp
GB 142.250.200.2:443 tcp

Files

/data/data/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json


/data/data/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json


/data/data/garlic.picnic.hungry/app_DynamicOptDex/oat/toMxiA.json.cur.prof


Analysis: behavioral3

Detonation Overview

Submitted

2023-12-16 22:01

Reported

2023-12-16 22:06

Platform

android-x64-arm64-20231215-en

Max time kernel

1957313s

Max time network

149s

Command Line

garlic.picnic.hungry

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json N/A N/A
N/A /data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

garlic.picnic.hungry

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.10:443 udp
GB 142.250.178.14:443 udp
GB 172.217.169.14:443 tcp
GB 172.217.169.14:443 tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 104.21.59.19:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 asayratermalhotel.xyz udp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp

Files

/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json


/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json


/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/oat/toMxiA.json.cur.prof
