Malware Analysis Report

2024-10-19 11:56

Sample ID 231216-jlv6kaahbp
Target base.apk
SHA256 5362c4101f153eedaca5344cdec4897af155b364dd1609ad19a495af745fcc50
Tags
alienbot cerberus banker evasion infostealer rat stealth trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file base.apk was found to be: Known bad.

Malicious Activity Summary

Alienbot

Cerberus

Cerberus payload

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Checks Android system properties for emulator presence.

Loads dropped Dex/Jar

Requests enabling of the accessibility settings.

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-16 07:45

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-16 07:45

Reported

2023-12-16 07:47

Platform

android-x86-arm-20231215-en

Max time kernel

1905816s

Max time network

97s

Command Line

foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload


Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan

Checks Android system properties for emulator presence.

Description | Indicator | Process | Target
Accessed system property key | ro.product.model | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/oat/x86/mUQtlh.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json


/data/data/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json


/data/user/0/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/mUQtlh.json


/data/data/foztfoooubzwjwkapdthkpmw.zifgisscqs.gylqexbgzbysbeituofejtazcwh/app_DynamicOptDex/oat/mUQtlh.json.cur.prof
