Malware Analysis Report

2024-09-09 13:39

Sample ID 240603-mvgw3sbg9w
Target 873abcf92582d1cb09910028d731c7835a17002f5f024ed05d3a004ab20cc00f
SHA256 873abcf92582d1cb09910028d731c7835a17002f5f024ed05d3a004ab20cc00f
Tags
alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

873abcf92582d1cb09910028d731c7835a17002f5f024ed05d3a004ab20cc00f

Threat Level: Known bad

The file 873abcf92582d1cb09910028d731c7835a17002f5f024ed05d3a004ab20cc00f was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Cerberus payload

Cerberus

Alienbot

Removes its main activity from the application launcher

Prevents application removal

Makes use of the framework's Accessibility service

Checks memory information

Queries the phone number (MSISDN for GSM devices)

Checks CPU information

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries account information for other applications stored on the device

Queries the mobile country code (MCC)

Loads dropped Dex/Jar

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Schedules tasks to execute at a specified time

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-03 10:47

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
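
The permission set above is the profile of an overlay banker: SMS interception, telephony, contacts and account enumeration, plus components guarded by the accessibility, notification-listener and device-admin bind permissions that only system components should hold. The Python below is an added example, not code from the sandbox or from the sample, that reproduces that triage over a decoded AndroidManifest.xml. The manifest embedded in it is constructed from the report's permission list; the component names are invented. A real APK carries the manifest as binary XML, so decode it first (for instance with apktool) before handing the text to this script.

```python
"""Manifest triage for the capability pattern in the static1 section.
Added example, not code from the sandbox or the sample. The manifest text
below is constructed: the permissions are the ones the report lists, the
component names are invented."""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# System-only bind permissions: a third-party component guarded by one of
# these is asking the framework for UI control, notification access or
# device administration.
BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notifications",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}

# Runtime ("dangerous") permissions grouped by the capability they give.
DANGEROUS = {
    "sms": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
            "android.permission.RECEIVE_SMS"},
    "telephony": {"android.permission.CALL_PHONE",
                  "android.permission.READ_PHONE_STATE"},
    "contacts_accounts": {"android.permission.READ_CONTACTS",
                          "android.permission.GET_ACCOUNTS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
}

def parse_manifest(xml_text):
    """Return (requested permission names, {bind capability: component name})."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")}
    bound = {}
    app = root.find("application")
    for comp in (list(app) if app is not None else []):
        if comp.tag in ("service", "receiver"):
            cap = BIND_PERMISSIONS.get(comp.get(A_PERMISSION, ""))
            if cap:
                bound[cap] = comp.get(A_NAME)
    return requested, bound

def triage_manifest(xml_text):
    """Map permissions to capabilities and flag the banker combinations."""
    requested, bound = parse_manifest(xml_text)
    caps = {c for c, perms in DANGEROUS.items() if requested & perms}
    findings = []
    # Accessibility service plus SMS access is the overlay/OTP-theft profile.
    if "accessibility" in bound and "sms" in caps:
        findings.append("banker_profile: accessibility service + SMS permissions")
    if "device_admin" in bound:
        findings.append("uninstall_resistance: device admin receiver")
    if "notifications" in bound:
        findings.append("notification_capture: notification listener service")
    return {"dangerous_caps": sorted(caps), "bound": bound, "findings": findings}

# Constructed manifest (assumption): permissions from the report, names invented.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The combinations flagged here are the ones the behavioral sections later confirm at runtime (accessibility node queries, performGlobalAction, account enumeration), which is why a static pass over the manifest is worth running before detonation: it tells you which dynamic signatures to expect.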

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 10:46

Reported

2024-06-03 10:50

Platform

android-x86-arm-20240514-en

Max time kernel

178s

Max time network

130s

Command Line

zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json | N/A | N/A
N/A | /data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json | N/A | N/A
N/A | /data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/oat/x86/jwoY.odex --compiler-filter=quicken --class-loader-context=&
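
The dex2oat invocation is the useful artefact in this section: the app handed the runtime a file named jwoY.json under app_DynamicOptDex and dex2oat compiled it to oat/x86/jwoY.odex, so the .json extension is cosmetic and the file is DEX (or a jar wrapping one). The Files section below records that same path with three different hashes during the run (/data/data and /data/user/0 are the same directory on Android), so any check has to run on the bytes that were actually compiled, not on whichever version is left on disk at the end. The Python below is an added example, not code from the report or the sample: it identifies such a drop by magic bytes instead of file name, recomputes the DEX header's own adler32 checksum and SHA-1 signature, and parses the dex2oat command line so the compiled artefact can be tied back to the drop. The DEX bytes it checks are a constructed minimal header, not the real jwoY.json.

```python
"""Checks on a dropped payload like the one dex2oat compiled above. Added
example, not code from the report or the sample. The header layout follows
the Dalvik executable format; the bytes returned by build_constructed_dex()
are constructed test data, not the real jwoY.json."""
import hashlib
import shlex
import struct
import zlib

DEX_HEADER_LEN = 0x70
DEX_MAGIC_PREFIX = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"

# dex2oat command line as recorded in the behavioral1 Processes section.
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/oat/x86/jwoY.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

def classify_payload(data):
    """Classify a dropped file by magic bytes, ignoring its extension."""
    if data[:4] == DEX_MAGIC_PREFIX:
        return "dex"
    if data[:4] == ZIP_MAGIC:          # jar/apk wrapping classes.dex
        return "jar"
    return "unknown"

def verify_dex_header(data):
    """Recompute the DEX header's self-checks.
    checksum  (offset 8)  = adler32 over everything from offset 12
    signature (offset 12) = SHA-1 over everything from offset 32
    file_size (offset 32) and header_size (offset 36) must match the bytes."""
    if len(data) < DEX_HEADER_LEN or classify_payload(data) != "dex":
        return {"valid": False, "reason": "not a dex header"}
    version = data[4:8].rstrip(b"\x00").decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size = struct.unpack_from("<II", data, 32)
    checksum_ok = checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    signature_ok = signature == hashlib.sha1(data[32:]).digest()
    size_ok = file_size == len(data) and header_size == DEX_HEADER_LEN
    return {"valid": checksum_ok and signature_ok and size_ok,
            "version": version, "checksum_ok": checksum_ok,
            "signature_ok": signature_ok, "size_ok": size_ok}

def parse_dex2oat(cmdline):
    """Extract the input dex, output oat location and compiler filter from a
    dex2oat command line so the compiled artefact can be tied to the drop."""
    opts = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("--") and "=" in tok:
            key, val = tok[2:].split("=", 1)
            opts.setdefault(key, val)   # keep the first of repeated options
    return {k: opts.get(k) for k in ("dex-file", "oat-location", "compiler-filter")}

def build_constructed_dex(body=b"\x00" * 16):
    """Constructed test data: a minimal DEX header whose self-checks pass."""
    size = DEX_HEADER_LEN + len(body)
    rest = struct.pack("<III", size, DEX_HEADER_LEN, 0x12345678)  # file_size, header_size, endian_tag
    rest += b"\x00" * (DEX_HEADER_LEN - 32 - len(rest)) + body     # remaining header fields zeroed
    signature = hashlib.sha1(rest).digest()
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + rest

if __name__ == "__main__":
    sample = build_constructed_dex()
    print(classify_payload(sample), verify_dex_header(sample))
    print(parse_dex2oat(DEX2OAT_CMDLINE))
```

Run verify_dex_header over each version of the dropped file the sandbox captured: the one whose self-checks pass is the stage worth decompiling, while versions that fail are candidates for an encrypted or partially written stage. Note that the recorded command line ends in `--class-loader-context=&`, which is how the report shows it; the parser keeps that value as-is rather than guessing at a truncated argument.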

Network

Country | Destination | Domain | Proto
GB | 142.250.200.42:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.36:443 | www.google.com | tcp
US | 1.1.1.1:53 | sariyenibez.xyz | udp
GB | 172.217.169.66:443 | | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | kovalkovalihtila.xyz | udp
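
Read this table as two layers: the UDP rows to 1.1.1.1:53 are the emulator's DNS lookups, and the TCP rows are what it then connected to. Two names stand out because they are resolved and never contacted: sariyenibez.xyz and kovalkovalihtila.xyz. The report does not record the DNS answers, so whether those names failed to resolve, were sinkholed or were contacted outside the capture window cannot be told from this page; what can be said is that nothing else in the capture is outside Google infrastructure. The Python below is an added example, not code from the report, that parses rows in this format, separates lookups from connections and reports the domains that fall outside an assumed benign baseline for an Android emulator. The rows are copied from this table.

```python
"""Network triage for the flattened Country/Destination/Domain/Proto table.
Added example, not code from the report. NETWORK_ROWS is copied from the
behavioral1 Network section; BENIGN_SUFFIXES is an assumed emulator baseline."""
from collections import defaultdict

NETWORK_ROWS = """\
GB 142.250.200.42:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.36:443 www.google.com tcp
US 1.1.1.1:53 sariyenibez.xyz udp
GB 172.217.169.66:443 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 kovalkovalihtila.xyz udp
"""

# Domains an Android emulator reaches on its own (assumed benign baseline).
BENIGN_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")

def parse_rows(text):
    """Rows have 3 fields when the sandbox could not attribute a domain, 4 otherwise."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows

def triage_network(rows):
    """Split lookups from connections and surface what does not fit the baseline."""
    resolved = set()
    contacted = defaultdict(set)           # domain (or None) -> IPs connected to
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            resolved.add(r["domain"])
        elif r["proto"] == "tcp":
            contacted[r["domain"]].add(r["ip"])
    benign = lambda d: d.endswith(BENIGN_SUFFIXES)
    return {
        # Resolved names outside the baseline: the IOCs to block and hunt for.
        "suspicious": sorted(d for d in resolved if not benign(d)),
        # Looked up but never connected to: failed resolution, sinkhole or off-capture.
        "resolved_never_contacted": sorted(d for d in resolved if d not in contacted),
        # TCP peers the sandbox could not tie to a lookup; check against CDN ranges.
        "unattributed_tcp": sorted(contacted.get(None, set())),
        "benign_contacted": sorted(d for d in contacted if d and benign(d)),
    }

if __name__ == "__main__":
    for key, value in triage_network(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

The same rows with a pipe-separated layout parse identically after stripping the separators; the point of keeping the 3-versus-4-field logic is that an empty Domain cell is itself a signal (a direct-to-IP connection, or one the sandbox attributed to an earlier lookup it did not log), and collapsing it to N/A would hide that.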

Files

/data/data/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json

MD5 a6a64d35a848fd9f22231d8e5621e899
SHA1 6252c00e009a3a45f8acc25470b7a189b6cd27bf
SHA256 91d2c9cb2018d5b2a03fcf58bf0e0a64f492058b1b5f7d54224c0fe709f5b455
SHA512 77f7b1b0bcd7b4e0831bee9aae69a99f1bcfbca6ec66fd6107424d2287d2f1bf3939c8a0b232f4c96a7d57a7d203db9b836c13c939c409e178fcc97f44dfb421

/data/data/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json

MD5 3fa6e1269691621bf38a9a5b477545e3
SHA1 4e176ecbac81bcb08ac4ec0ce4e3a27526e348f2
SHA256 edb4530036d0ad2160ac4f9b3b65cf6224ac58e7ed6d9501585a571d14b26d97
SHA512 858c918b794dc3b4a7eb877ad6e4054352d76240c7b1098046a2d78f6f6cfb38c806300ba54e73a59dc8215d7c653f18d707e5629093b4f80d2094df3c494679

/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json

MD5 8642d9879ea78e39ab29216f82ab6203
SHA1 3cc8f74d0e4069328e4ba9637367aa579f9e5f7e
SHA256 1f384fd4efc61006a34395bdb7f4fd32c94471422fe30c00dd4b6fb960ee4623
SHA512 bdf331ba186bd9cee2ede29980bcc34dbc8bd3e6733825607475e64109737cd7ec9b8e2cbe9f44c70f3a7bc766641e739820d92f4db3b9f8647bcd3ab18d6f2b

/data/data/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/oat/jwoY.json.cur.prof

MD5 eb373a08d243becc8c2bfc8ebc964ad7
SHA1 dccee054b18b55449cd7bd50806a70ef9c028b26
SHA256 7eb05b19b8521c2e4b3e3927e575c8c70702551c892884d72cbfe26448c4fac3
SHA512 0686ea63a89d5c4127625e15a4456ff64559de8c83c9acb3fb7ee82d5259b352643933549691fe38e3e3caca5bae69413f6066213d0f8143e21bf0353d71906a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 10:46

Reported

2024-06-03 10:50

Platform

android-x64-20240514-en

Max time kernel

177s

Max time network

155s

Command Line

zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json | N/A | N/A
N/A | /data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | sariyenibez.xyz | udp
US | 1.1.1.1:53 | kovalkovalihtila.xyz | udp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.187.194:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp

Files

/data/data/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json

MD5 a6a64d35a848fd9f22231d8e5621e899
SHA1 6252c00e009a3a45f8acc25470b7a189b6cd27bf
SHA256 91d2c9cb2018d5b2a03fcf58bf0e0a64f492058b1b5f7d54224c0fe709f5b455
SHA512 77f7b1b0bcd7b4e0831bee9aae69a99f1bcfbca6ec66fd6107424d2287d2f1bf3939c8a0b232f4c96a7d57a7d203db9b836c13c939c409e178fcc97f44dfb421

/data/data/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json

MD5 3fa6e1269691621bf38a9a5b477545e3
SHA1 4e176ecbac81bcb08ac4ec0ce4e3a27526e348f2
SHA256 edb4530036d0ad2160ac4f9b3b65cf6224ac58e7ed6d9501585a571d14b26d97
SHA512 858c918b794dc3b4a7eb877ad6e4054352d76240c7b1098046a2d78f6f6cfb38c806300ba54e73a59dc8215d7c653f18d707e5629093b4f80d2094df3c494679

/data/data/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/oat/jwoY.json.cur.prof

MD5 224d54004ca4471839ccdfbc22c8c826
SHA1 54ed8e06266aab3d3b91e02a9e91ffd9206f62bc
SHA256 3af9ccde859a4a35184bccdeb4c6e33e1043302f51ee7493e6628213e93a7e83
SHA512 b12f9b118d6808ea36c8d8335242004457fafeb981855e2477409713455b4cbba1ffc8ba62ddefbf9769d699d3400796589a0570a4483c6aef1cffb3f714feda

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-03 10:46

Reported

2024-06-03 10:50

Platform

android-x64-arm64-20240514-en

Max time kernel

176s

Max time network

132s

Command Line

zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json | N/A | N/A
N/A | /data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | sariyenibez.xyz | udp
US | 1.1.1.1:53 | kovalkovalihtila.xyz | udp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json

MD5 a6a64d35a848fd9f22231d8e5621e899
SHA1 6252c00e009a3a45f8acc25470b7a189b6cd27bf
SHA256 91d2c9cb2018d5b2a03fcf58bf0e0a64f492058b1b5f7d54224c0fe709f5b455
SHA512 77f7b1b0bcd7b4e0831bee9aae69a99f1bcfbca6ec66fd6107424d2287d2f1bf3939c8a0b232f4c96a7d57a7d203db9b836c13c939c409e178fcc97f44dfb421

/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json

MD5 3fa6e1269691621bf38a9a5b477545e3
SHA1 4e176ecbac81bcb08ac4ec0ce4e3a27526e348f2
SHA256 edb4530036d0ad2160ac4f9b3b65cf6224ac58e7ed6d9501585a571d14b26d97
SHA512 858c918b794dc3b4a7eb877ad6e4054352d76240c7b1098046a2d78f6f6cfb38c806300ba54e73a59dc8215d7c653f18d707e5629093b4f80d2094df3c494679

/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/oat/jwoY.json.cur.prof

MD5 b254535dc5236bc6557e6460ab609612
SHA1 7935e9ace318470784c8b7bcc9c13870408f3b0e
SHA256 548004501548f7a8b163367b747c3c7ac18d5f69e36b747fee2ad4f26db0cd29
SHA512 c66ee60a8b50f1ee4c3d837aeb627a33ab4e3f83226a0d194c688f4dc047eed6af815c9088fad71fd1dfe9484f746f9a5a35695e9a4cde71e0c221dd391ed78c