Malware Analysis Report

2024-09-09 13:22

Sample ID 240619-hx7haswdmc
Target bd361bd641a75b16ae3e3ba388c3c42c_JaffaCakes118
SHA256 7787ca51a67c54a82a6e0a0378a2df1e9c3817560838fd3fcfc87d855686ef24
Tags
alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7787ca51a67c54a82a6e0a0378a2df1e9c3817560838fd3fcfc87d855686ef24

Threat Level: Known bad

The file bd361bd641a75b16ae3e3ba388c3c42c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Cerberus

Alienbot

Cerberus payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries account information for other applications stored on the device

Makes use of the framework's foreground persistence service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Acquires the wake lock

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-19 07:08

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 07:08

Reported

2024-06-19 07:11

Platform

android-x64-20240611.1-en

Max time kernel

176s

Max time network

152s

Command Line

ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json | N/A | N/A
N/A | /data/user/0/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp
US | 172.67.167.151:443 | jsonplaceholder.typicode.com | tcp
GB | 142.250.179.234:443 | | tcp
US | 1.1.1.1:53 | tyrantthrone.xyz | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.179.226:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.200.46:443 | | tcp

Files

/data/data/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json

MD5 71af9635dadb0b61d4b994779fe9474f
SHA1 083697ac399e7f27c23e2fa18de400d6c4ae16d3
SHA256 1e99f925152e9fa9ca4b37cd0ce8b29d1b37b0794bd221f70b6107131b4f720c
SHA512 41fc40ca9a8b3d4a8b03c75cfb3d9be4de28191fadca409cd6198b90e30c87b65ef3fbb8428027c2bd7a647a754d25bcfdd0db7f8a49bab108ec192f1ebd39c7

/data/data/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json

MD5 890f5dcfe976d040943d0657921187bf
SHA1 fb0954481fa8ba91e44e8a1b156b84ac5bbb5909
SHA256 ce9b54128ae868af7b803eb241e34ee7ba7cef8a6bb9b8d31b58af9129ecfe29
SHA512 2d906524ad87b3efdef39c1dce928a6600c30e1c11fd7a2ffe911a996fc66d24c55324fa6fafa5db9686abacc7d250dc1c346cf9a358b2142d9c227fe7cf9cbf

/data/data/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/oat/RbnU.json.cur.prof

MD5 d5aa4873045fd2a716ca61a30dd9091a
SHA1 228c282afed2b82689ddedfb7cd9e191dc993dad
SHA256 145cbff44b058d8be32f3b0ef0dadf843ef53318deafa77c33b8986527ca2409
SHA512 1624ac40c7e364b8ef580f8e52b47b827e1ca79ae2ac151914059dc4651388bf7a23cccaac28e2ceb06f8287223a5bfc3ce5433f0dd008016eaa09353bc30711

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 07:08

Reported

2024-06-19 07:11

Platform

android-x64-arm64-20240611.1-en

Max time kernel

170s

Max time network

132s

Command Line

ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json | N/A | N/A
N/A | /data/user/0/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp
US | 104.21.59.19:443 | jsonplaceholder.typicode.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | tyrantthrone.xyz | udp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp

Files

/data/user/0/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json

MD5 71af9635dadb0b61d4b994779fe9474f
SHA1 083697ac399e7f27c23e2fa18de400d6c4ae16d3
SHA256 1e99f925152e9fa9ca4b37cd0ce8b29d1b37b0794bd221f70b6107131b4f720c
SHA512 41fc40ca9a8b3d4a8b03c75cfb3d9be4de28191fadca409cd6198b90e30c87b65ef3fbb8428027c2bd7a647a754d25bcfdd0db7f8a49bab108ec192f1ebd39c7

/data/user/0/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json

MD5 890f5dcfe976d040943d0657921187bf
SHA1 fb0954481fa8ba91e44e8a1b156b84ac5bbb5909
SHA256 ce9b54128ae868af7b803eb241e34ee7ba7cef8a6bb9b8d31b58af9129ecfe29
SHA512 2d906524ad87b3efdef39c1dce928a6600c30e1c11fd7a2ffe911a996fc66d24c55324fa6fafa5db9686abacc7d250dc1c346cf9a358b2142d9c227fe7cf9cbf

/data/user/0/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/oat/RbnU.json.cur.prof

MD5 ca227806061aaf9a47b54152711ccb90
SHA1 79495c87208da204284732ef520ef7bdd5f8d9f1
SHA256 90e1d052167734d444875e50942fdc64edfd83453ca04277f2bca9c33bdfe393
SHA512 992fee291ce51e4e3b199fe8889401d0a6b1c9920d9d427629c887e77ca4f491e01c51b1d4adda2aab7d0a0211967370d6444ee6642311ecd9402faa30b78f5b

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 07:08

Reported

2024-06-19 07:11

Platform

android-x86-arm-20240611.1-en

Max time kernel

177s

Max time network

142s

Command Line

ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json | N/A | N/A
N/A | /data/user/0/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json | N/A | N/A
N/A | /data/user/0/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/oat/x86/RbnU.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp
US | 172.67.167.151:443 | jsonplaceholder.typicode.com | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | tyrantthrone.xyz | udp

Files

/data/data/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json

MD5 71af9635dadb0b61d4b994779fe9474f
SHA1 083697ac399e7f27c23e2fa18de400d6c4ae16d3
SHA256 1e99f925152e9fa9ca4b37cd0ce8b29d1b37b0794bd221f70b6107131b4f720c
SHA512 41fc40ca9a8b3d4a8b03c75cfb3d9be4de28191fadca409cd6198b90e30c87b65ef3fbb8428027c2bd7a647a754d25bcfdd0db7f8a49bab108ec192f1ebd39c7

/data/data/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json

MD5 890f5dcfe976d040943d0657921187bf
SHA1 fb0954481fa8ba91e44e8a1b156b84ac5bbb5909
SHA256 ce9b54128ae868af7b803eb241e34ee7ba7cef8a6bb9b8d31b58af9129ecfe29
SHA512 2d906524ad87b3efdef39c1dce928a6600c30e1c11fd7a2ffe911a996fc66d24c55324fa6fafa5db9686abacc7d250dc1c346cf9a358b2142d9c227fe7cf9cbf

/data/user/0/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json

MD5 1c54dd48cb9633cc0c9062303fbf3b96
SHA1 6e4c3ed5e83ded57720130c3b43873eb6c911e26
SHA256 676dfe2395d3cb564de70c3d3696cbb79e61e2d35218e22de3d24c6f9654acc9
SHA512 ff3f1eb4296621be06b6f6401bb4a022cedaee7ed4ee6db3a4e6d6b5e6242234d343fc73fc03eae8b85d219cdd3e8fff8b72326544efe53d102fe29b51e63188

/data/data/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/oat/RbnU.json.cur.prof

MD5 85aaa50ad22b3c8bd51207764bfb6f5f
SHA1 40e2e91f6d73ef837960ac61169a5bf21c681b14
SHA256 27f5f97db79578e09720756d8bc25e1219147d9e85d06f2ece55b13f95abaea6
SHA512 b9db613fad504ef8abff9113f3c9a8dfad374a58bd0d93dcb7b9d40e506f95904303df1b53d1d5c3f750b1815cf3f43fc2d0b15f78fdb3f8e67551b00f51ff75