Malware Analysis Report

2024-09-09 13:25

Sample ID 240621-ma2qrawbkf
Target 0f3c4594f761570c38484ac37c0ec52f.apk
SHA256 64f9d97353ef326a58622f329097a282a5a09e0ab636136fb9cb3ab716f5664d
Tags alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan
score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score 10/10

SHA256 64f9d97353ef326a58622f329097a282a5a09e0ab636136fb9cb3ab716f5664d

Threat Level: Known bad

The file 0f3c4594f761570c38484ac37c0ec52f.apk was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Cerberus

Cerberus payload

Alienbot

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries account information for other applications stored on the device

Queries the phone number (MSISDN for GSM devices)

Acquires the wake lock

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests enabling of the accessibility settings.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-21 10:16

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
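
The permission set above is the combination characteristic of Android banking trojans of the Cerberus family this sample is tagged with: a service the system binds with BIND_ACCESSIBILITY_SERVICE, a notification listener, a device-admin receiver, and runtime permissions covering SMS, calls, contacts and accounts. The Python below is an added triage example written for this page, not code from the sandbox or from the sample. It scores a decoded AndroidManifest.xml for that combination and assumes the manifest has already been converted from binary AXML to plain XML (for instance with `apktool d sample.apk`). The embedded manifest, its package name com.example.triage and the component names .A11y, .Notif and .Admin are constructed stand-ins that mirror the permissions listed in this report.

```python
"""Permission-combination triage over a decoded AndroidManifest.xml.

Added example for this report page (editor's own rule set, not the sandbox's).
Assumes the manifest is plain XML, e.g. the output of `apktool d sample.apk`.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERM = "{%s}permission" % ANDROID_NS

# Runtime ("dangerous") permissions listed in the static1 signature above.
DANGEROUS = {
    "android.permission.CALL_PHONE", "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE", "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.READ_SMS",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.READ_CONTACTS",
    "android.permission.GET_ACCOUNTS", "android.permission.READ_EXTERNAL_STORAGE",
}
SMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Signature-level permissions a component declares so that only the system can bind to it.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
}


def triage_manifest(xml_text: str) -> dict:
    """Return requested dangerous permissions, system-bound components and a verdict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    bound = {}  # bind permission -> component name
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(PERM)
            if perm in BIND_PERMS:
                bound[perm] = comp.get(NAME)

    findings = []
    if "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound and requested & SMS:
        findings.append("accessibility service + SMS access (overlay / OTP-theft pattern)")
    if "android.permission.BIND_DEVICE_ADMIN" in bound:
        findings.append("device admin receiver (uninstall resistance)")
    if "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in bound:
        findings.append("notification listener (reads notification contents)")

    return {
        "dangerous": sorted(p for p in requested & DANGEROUS),
        "bound_components": bound,
        "findings": findings,
        "suspicious": len(findings) >= 2,  # two independent banker traits
    }


# Constructed manifest mirroring the permissions this report lists; not the sample's real manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.triage">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# A benign-looking manifest for comparison (constructed).
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".Sync"/></application>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(text)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

INTERNET is deliberately not counted: it is a normal-protection permission and nearly every app requests it, so it adds nothing to the score. The verdict requires two independent traits, so an accessibility service alone (legitimate in screen readers and automation apps) does not trip it.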

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-21 10:16
Reported 2024-06-21 10:19
Platform android-x86-arm-20240611.1-en
Max time kernel 74s
Max time network 82s

Command Line

xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json N/A N/A
N/A /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json N/A N/A
N/A /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/oat/x86/EaaGfe.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 104.21.59.19:443 jsonplaceholder.typicode.com tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 fxancc4fp4.site udp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

MD5 9d22ce43b6cd6cfadfe0a0a4ae2fa9a9
SHA1 ed8f4cc20b653c70d9c54a73ef0fd12b90e8cdb7
SHA256 0767dba685a392eb56e2e661e02223e8b9a13ef718a4503ba7f28c82f32f9c10
SHA512 a46cdb90ecb6fe7f038738b810f80b5480e40c3d8cb90a2f7dafb02339e40af157bb54bbad98696d95c461297a4268468f01a67f7f4ca60522c133bdd1f8bcc8

/data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

MD5 84f673f013c88f1d22d4dca9a326ccc6
SHA1 fe3dd10e9764c70914a318374da696244c43a045
SHA256 e280412c1cf95ee7d90c789e8c39cd3225ee7cc9fc5732e1c0489f2a3c40f389
SHA512 2ca531d45906be66ef5cae426d17f42ba107e28e75c1cd176d48d4e2bd15156d2955b7488cf4ed57ef9ab013d9727ae596e7d65af845c8e0aa8527ed9a023780

/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

MD5 81b9a9ccd202d616cc329cb5a6b222f3
SHA1 807994666c81523d80eceff9c9808e19231647e7
SHA256 a4d69a170fbdd94054ee097562a933d87e59feefa702a97d9b6d1d013b369741
SHA512 d617f1336f3597b19f0334e96c8a6b5dc8f7a26f17c740c8afb6a49e47ca52549bb79a2df4864b3ce6d74cb079437f06417cfb84d714c162c3279980ae2c8812

/data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/oat/EaaGfe.json.cur.prof

MD5 c9e68dd78edf7d9061c5b9d36485273a
SHA1 adeb33505e0fbf428a635ae8f5646ef5e8038e5b
SHA256 554c067c91a83fc8b5f4fb5f3c97c7058a149577b9485170f1672b2c0b83955a
SHA512 1d86a9487915bbd17f06181b2eb51792d0e9bdbdfe10004605b1ead0d3f251858f66c8ca7128ad9e9e5e285bfc128031f897a9881a2fd85a04a2c6e3eb7c8fbb
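
The Loads dropped Dex/Jar signature and the dex2oat command line above show that app_DynamicOptDex/EaaGfe.json is handed to the compiler as --dex-file, so the .json extension is cosmetic and the file content is Dalvik bytecode. The Python below is an added example for this page, not part of the report or of the sample: it classifies a pulled file by its magic bytes rather than its name, hashes it, and checks the digest against the SHA256 values this run reports for EaaGfe.json. The byte strings it tests are constructed in-memory stand-ins (a bare DEX header, a minimal JAR, a JSON document), not the real dropped files; on a device you would first copy the file out, e.g. `adb pull /data/user/0/<package>/app_DynamicOptDex/EaaGfe.json`.

```python
"""Classify a dropped file by content, not by extension.

Added example for this report page. The DEX magic is "dex\\n0NN\\0" (8 bytes);
a JAR is a ZIP whose members include classes.dex. Inputs below are constructed.
"""
import hashlib
import io
import json
import re
import zipfile

DEX_MAGIC = re.compile(rb"^dex\n0\d\d\x00")
ZIP_MAGIC = b"PK\x03\x04"

# SHA256 values the behavioral1 Files section reports for EaaGfe.json.
REPORTED_SHA256 = {
    "0767dba685a392eb56e2e661e02223e8b9a13ef718a4503ba7f28c82f32f9c10",
    "e280412c1cf95ee7d90c789e8c39cd3225ee7cc9fc5732e1c0489f2a3c40f389",
    "a4d69a170fbdd94054ee097562a933d87e59feefa702a97d9b6d1d013b369741",
}


def classify(data: bytes) -> str:
    """Return 'dex', 'jar', 'zip', 'json' or 'unknown' from the first bytes."""
    if DEX_MAGIC.match(data):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return "jar" if "classes.dex" in zf.namelist() else "zip"
        except zipfile.BadZipFile:
            return "zip"
    try:
        json.loads(data.decode("utf-8"))
        return "json"
    except (UnicodeDecodeError, ValueError):
        return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Hash the file, match it against the reported digests and flag code hiding behind a data extension."""
    kind = classify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "type": kind,
        "sha256": digest,
        "known": digest in REPORTED_SHA256,
        "misnamed": kind in ("dex", "jar") and ext not in ("dex", "jar", "apk"),
    }


# Constructed stand-ins, not the real dropped files.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 104      # a 0x70-byte DEX header with zeroed fields
REAL_JSON = b'{"ok": true}'


def make_fake_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", FAKE_DEX)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("EaaGfe.json", FAKE_DEX), ("EaaGfe.json", make_fake_jar()), ("config.json", REAL_JSON)):
        print(name, triage(name, blob))
```

The "known" field only matches the exact bytes the sandbox hashed; a file that is re-encrypted or re-written on each run, as the two different digests for the same EaaGfe.json path in this run suggest, will not match even when it is the same payload, so the content classification is the more durable check.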

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-21 10:16
Reported 2024-06-21 10:23
Platform android-x64-20240611.1-en
Max time kernel 402s
Max time network 363s

Command Line

xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json N/A N/A
N/A /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.67.167.151:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 fxancc4fp4.site udp
GB 172.217.169.78:443 tcp
GB 142.250.179.226:443 tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp

Files

/data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

MD5 9d22ce43b6cd6cfadfe0a0a4ae2fa9a9
SHA1 ed8f4cc20b653c70d9c54a73ef0fd12b90e8cdb7
SHA256 0767dba685a392eb56e2e661e02223e8b9a13ef718a4503ba7f28c82f32f9c10
SHA512 a46cdb90ecb6fe7f038738b810f80b5480e40c3d8cb90a2f7dafb02339e40af157bb54bbad98696d95c461297a4268468f01a67f7f4ca60522c133bdd1f8bcc8

/data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

MD5 84f673f013c88f1d22d4dca9a326ccc6
SHA1 fe3dd10e9764c70914a318374da696244c43a045
SHA256 e280412c1cf95ee7d90c789e8c39cd3225ee7cc9fc5732e1c0489f2a3c40f389
SHA512 2ca531d45906be66ef5cae426d17f42ba107e28e75c1cd176d48d4e2bd15156d2955b7488cf4ed57ef9ab013d9727ae596e7d65af845c8e0aa8527ed9a023780

/data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/oat/EaaGfe.json.cur.prof

MD5 96c9dc22a6ca42c14cca36e66e28ba1a
SHA1 254604185ec244cbe78b8f921440dea1b8a4bcdc
SHA256 9d002ba32aee09221d147a1e936c941af0a2d184e2eafa8bf06b60c002988929
SHA512 3296f56be7703ccf38d80d948b0353494287a5c7377c376de88b5c63736196ec44fb134671bf019f943cc84f15ecbad77b22a18ebfcd0b551083d3554090f700

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-21 10:16
Reported 2024-06-21 10:21
Platform android-x64-arm64-20240611.1-en
Max time kernel 289s
Max time network 308s

Command Line

xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json N/A N/A
N/A /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.67.167.151:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 fxancc4fp4.site udp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp
GB 216.58.212.194:443 tcp
GB 142.250.200.35:443 tcp
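
Across the three runs the Network tables mix the sample's own traffic with emulator and Google-services background traffic, and a DNS query row does not by itself mean a connection followed. The Python below is an added example for this page, not part of the report: it parses the rows copied from the three tables, drops names under Google platform suffixes (that allow-list is the editor's assumption, not something the report states), and reports for each remaining domain whether a TCP flow to it was recorded in the same run. On this report's data it singles out fxancc4fp4.site, queried in all three runs with no TCP connection recorded, and jsonplaceholder.typicode.com, which was both resolved and contacted over 443 in every run.

```python
"""Separate a sample's own network contacts from sandbox and platform noise.

Added example for this report page. Rows are copied from the three behavioral
Network tables (Country Destination Domain Proto); the platform allow-list is an assumption.
"""
import re
from collections import defaultdict

NETWORK_TABLES = {
    "behavioral1": """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 104.21.59.19:443 jsonplaceholder.typicode.com tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 fxancc4fp4.site udp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp
""",
    "behavioral2": """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.67.167.151:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 fxancc4fp4.site udp
GB 172.217.169.78:443 tcp
GB 142.250.179.226:443 tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
""",
    "behavioral3": """
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.67.167.151:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 fxancc4fp4.site udp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp
GB 216.58.212.194:443 tcp
GB 142.250.200.35:443 tcp
""",
}

# country ip:port [domain] proto; the domain column is empty on unattributed flows.
ROW = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")

# Assumed background traffic of an emulator with Google services; not stated by the report.
PLATFORM_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")


def parse_rows(text: str) -> list:
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def domain_activity(tables: dict) -> dict:
    """Map each domain to the runs in which it was looked up and the runs in which TCP followed."""
    act = defaultdict(lambda: {"dns": set(), "tcp": set()})
    for run, text in tables.items():
        for r in parse_rows(text):
            if not r["domain"]:
                continue
            if r["proto"] == "udp" and r["port"] == 53:
                act[r["domain"]]["dns"].add(run)
            elif r["proto"] == "tcp":
                act[r["domain"]]["tcp"].add(run)
    return act


def unattributed(tables: dict) -> dict:
    """Domains outside the platform allow-list, with whether they were only ever resolved."""
    out = {}
    for dom, a in domain_activity(tables).items():
        if dom.endswith(PLATFORM_SUFFIXES):
            continue
        out[dom] = {"runs": sorted(a["dns"] | a["tcp"]), "dns_only": bool(a["dns"]) and not a["tcp"]}
    return out


if __name__ == "__main__":
    for dom, info in unattributed(NETWORK_TABLES).items():
        print(dom, "DNS only" if info["dns_only"] else "DNS + TCP", info["runs"])
```

A name that is queried but never connected to is still an indicator worth blocking, but it tells you nothing about the C2 protocol; the bare TCP rows to Google address space without a domain are attributed to nothing and are left out of the result rather than guessed at.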

Files

/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

MD5 9d22ce43b6cd6cfadfe0a0a4ae2fa9a9
SHA1 ed8f4cc20b653c70d9c54a73ef0fd12b90e8cdb7
SHA256 0767dba685a392eb56e2e661e02223e8b9a13ef718a4503ba7f28c82f32f9c10
SHA512 a46cdb90ecb6fe7f038738b810f80b5480e40c3d8cb90a2f7dafb02339e40af157bb54bbad98696d95c461297a4268468f01a67f7f4ca60522c133bdd1f8bcc8

/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

MD5 84f673f013c88f1d22d4dca9a326ccc6
SHA1 fe3dd10e9764c70914a318374da696244c43a045
SHA256 e280412c1cf95ee7d90c789e8c39cd3225ee7cc9fc5732e1c0489f2a3c40f389
SHA512 2ca531d45906be66ef5cae426d17f42ba107e28e75c1cd176d48d4e2bd15156d2955b7488cf4ed57ef9ab013d9727ae596e7d65af845c8e0aa8527ed9a023780

/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/oat/EaaGfe.json.cur.prof

MD5 be61b9a04af615effcb164ce60bd3859
SHA1 b5df1cd91c0c74df3069b5e752c6cf1e0620669d
SHA256 0d98b80b7c32e227cae102d74e6473183ca743d02a60ec8a5a0f02356dab33b8
SHA512 7da13ef1fef53b8746029b393dcace7e93da62eafeefeaaea4e4f4bbe9810562810cc7c0290126ceb92f49d6ab74a5781539b0c166a2e711ecd3f75139f584da