Malware Analysis Report

2024-09-09 13:25

Sample ID 240621-mjk5cswcrb
Target 0f3c4594f761570c38484ac37c0ec52f.apk
SHA256 64f9d97353ef326a58622f329097a282a5a09e0ab636136fb9cb3ab716f5664d
Tags
alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

64f9d97353ef326a58622f329097a282a5a09e0ab636136fb9cb3ab716f5664d

Threat Level: Known bad

The file 0f3c4594f761570c38484ac37c0ec52f.apk was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

The list below is the union of the signatures that fired across the static pass and the three behavioral runs; not every signature fired in every run (the country query and the /proc/cpuinfo and /proc/meminfo reads, for example, appear only in behavioral1, and the family signatures appear only in the behavioral runs, not in the static pass). Alienbot and Cerberus both fire because Alien's code base is a fork of Cerberus, so the dual tag reflects one family lineage rather than two payloads.

Alienbot

Cerberus payload

Cerberus

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries account information for other applications stored on the device

Queries the phone number (MSISDN for GSM devices)

Declares broadcast receivers with permission to handle system events

Requests enabling of the accessibility settings

Requests disabling of battery optimizations (often used to enable hiding in the background)

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Acquires the wake lock

Declares services with permission to bind to the system

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A (the sandbox did not map this sample's signatures to ATT&CK techniques; the tags above are the sandbox's own taxonomy)

Analysis: static1

Detonation Overview

Reported

2024-06-21 10:29

Signatures

Process and Target are N/A for every row of the static pass (nothing executes during static analysis), so those two columns are omitted below.

Declares broadcast receivers with permission to handle system events

This is the android:permission attribute on a <receiver> element, i.e. a permission the component demands of whoever binds to it, not a permission the app asks the user for. BIND_DEVICE_ADMIN is a system-only permission, so only the system can deliver device-admin callbacks to the receiver; an app with an active device admin cannot be uninstalled until the admin is deactivated.

Indicator                                               Description
android.permission.BIND_DEVICE_ADMIN                    Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Same mechanism on <service> elements. An accessibility service and a notification listener side by side are the two capabilities an Android banker needs to read other apps' screens and notifications (including SMS and push OTPs) and to act on them.

Indicator                                               Description
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE   Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.
android.permission.BIND_ACCESSIBILITY_SERVICE           Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions

These are <uses-permission> entries at the 'dangerous' protection level, which the user has to grant at runtime. READ_SMS, RECEIVE_SMS and SEND_SMS together with CALL_PHONE and READ_PHONE_STATE form the SMS-OTP interception set; READ_CONTACTS and GET_ACCOUNTS support harvesting of contacts and on-device accounts (the behavioral runs show getAccountsAsUser being called).

Indicator                                               Description
android.permission.CALL_PHONE                           Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.SEND_SMS                             Allows an application to send SMS messages.
android.permission.READ_PHONE_STATE                     Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.RECEIVE_SMS                          Allows an application to receive SMS messages.
android.permission.RECORD_AUDIO                         Allows an application to record audio.
android.permission.READ_SMS                             Allows an application to read SMS messages.
android.permission.WRITE_EXTERNAL_STORAGE               Allows an application to write to external storage.
android.permission.READ_CONTACTS                        Allows an application to read the user's contacts data.
android.permission.GET_ACCOUNTS                         Allows access to the list of accounts in the Accounts Service.
android.permission.READ_EXTERNAL_STORAGE                Allows an application to read from external storage.
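The distinction the static signatures draw (permissions the app requests versus BIND_* permissions its components require of the system) is easy to get wrong when triaging a manifest by hand. The following is an added example, not the sandbox's code or anything from the sample: it parses a decoded AndroidManifest.xml, separates the two kinds of permission, and flags the banker-typical combinations. The manifest text is constructed for the example and mirrors the permission set in the static1 table; it is not the sample's real manifest, and the flag names are the example's own. On a real APK the manifest is binary XML, so decode it first (for instance with apktool d sample.apk) and pass the resulting AndroidManifest.xml.

```python
"""Static manifest triage: requested permissions vs. system-bind permissions.
Added example (not sandbox or sample code). CONSTRUCTED_MANIFEST is a fixture."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# 'dangerous' (runtime-granted) permissions, taken from the static1 table above.
DANGEROUS_PERMISSIONS = {
    "android.permission.CALL_PHONE", "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE", "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.READ_SMS",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.READ_CONTACTS",
    "android.permission.GET_ACCOUNTS", "android.permission.READ_EXTERNAL_STORAGE",
}
SMS_INTERCEPT = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# System-only permissions placed on a component so that only the system can bind
# to it; this is how the three privileged callbacks are obtained.
BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}

# Constructed fixture, not the sample's manifest.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.pkg">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return what the app requests and which components are system-bound."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    privileged = {}
    for tag in ("service", "receiver"):
        for el in root.iter(tag):
            perm = el.get(PERM_ATTR)
            if perm in BIND_PERMISSIONS:
                privileged[el.get(NAME_ATTR)] = BIND_PERMISSIONS[perm]
    return {
        "requested": sorted(requested),
        "dangerous_requested": sorted(requested & DANGEROUS_PERMISSIONS),
        "privileged_components": privileged,
    }


def banker_indicators(report):
    """Combinations that together characterise an overlay/SMS banker (example's own flag names)."""
    caps = set(report["privileged_components"].values())
    requested = set(report["requested"])
    flags = []
    if SMS_INTERCEPT <= requested:
        flags.append("sms_interception")
    if "accessibility service" in caps:
        flags.append("accessibility_abuse")
    if "notification listener" in caps:
        flags.append("notification_scraping")
    if "device admin receiver" in caps:
        flags.append("device_admin")
    if "android.permission.CALL_PHONE" in requested:
        flags.append("direct_call")
    return flags


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else CONSTRUCTED_MANIFEST
    report = triage_manifest(text)
    print(report)
    print("indicators:", banker_indicators(report))
```

Run as python triage.py AndroidManifest.xml against a decoded manifest, or with no argument to process the constructed fixture.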

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 10:29

Reported

2024-06-21 10:32

Platform

android-x64-20240611.1-en

Max time kernel

170s

Max time network

163s

Command Line

xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht

(This is the app's package name, which Android also uses as the process name; there are no arguments. The three random-looking segments are the only name the report gives for the app.)

Signatures

Process and Target are N/A in every row of this run and are omitted; each row below is given as Description: Indicator.

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

(1 hit; no indicator recorded)

Removes its main activity from the application launcher

stealth trojan evasion
(5 hits; no indicator recorded)
Hiding the launcher icon leaves the app running through its services with nothing on the home screen for the user to long-press and uninstall; the usual implementation is to disable the app's own launcher activity with PackageManager.setComponentEnabledSetting, though the report does not record the call.

Loads dropped Dex/Jar

evasion
(no description): /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json
(no description): /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json
The .json extension is cosmetic: this path is handed to dex2oat as --dex-file in the behavioral1 process list, and the ART profile EaaGfe.json.cur.prof under oat/ belongs to it. The Files section records two different hashes for the same path, so the file was rewritten at least once during the run. The family signatures fire only in the behavioral runs and never in the static pass, which is consistent with the Cerberus/Alien code being unpacked into this file at runtime rather than shipped as a plain classes.dex.

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
These calls read the view hierarchy of whatever app is in the foreground. Looking nodes up by view ID is how an accessibility-abusing banker finds specific fields (login, PIN, OTP) on a targeted app's screen and how it notices that a targeted app has been opened.

Queries account information for other applications stored on the device

collection
Framework service call: android.accounts.IAccountManager.getAccountsAsUser

Queries the phone number (MSISDN for GSM devices)

discovery
(no indicator recorded)

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground
A foreground service is exempt from the system's background-process killing at the cost of a persistent notification; together with the wake lock above it keeps the process resident.

Performs UI accessibility actions on behalf of the user

evasion
(no description): android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
(no description): android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
performGlobalAction injects system-level actions such as BACK, HOME and RECENTS. The typical abuse is to press BACK or HOME the moment the user opens a Settings page (accessibility, app info, uninstall) that would let them revoke the service.

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Schedules tasks to execute at a specified time

execution persistence
Framework service call: android.app.job.IJobScheduler.schedule

Processes

xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht

Network

Country   Destination              Domain                         Proto
N/A       224.0.0.251:5353                                        udp
US        1.1.1.1:53               jsonplaceholder.typicode.com   udp
US        172.67.167.151:443       jsonplaceholder.typicode.com   tcp
US        1.1.1.1:53               ssl.google-analytics.com       udp
GB        142.250.178.8:443        ssl.google-analytics.com       tcp
GB        142.250.200.10:443                                      tcp
US        1.1.1.1:53               android.apis.google.com        udp
GB        216.58.204.78:443        android.apis.google.com        tcp
US        1.1.1.1:53               fxancc4fp4.site                udp
GB        216.58.212.238:443                                      tcp
GB        142.250.200.2:443                                       tcp
GB        172.217.169.68:443                                      tcp
GB        172.217.169.68:443                                      tcp
GB        142.250.200.46:443                                      tcp

Reading this table: 224.0.0.251:5353 is mDNS from the emulator itself, 1.1.1.1:53 is the sandbox's resolver, and the google.com and google-analytics.com names together with the unattributed 142.250.x, 172.217.x and 216.58.x TLS connections are Google address space (Play services and emulator check-in traffic), none of which identifies this sample. The one domain that stands out is fxancc4fp4.site: it is queried, but no TCP session to it is recorded in the 163 s capture, so either it did not resolve or the client never got as far as connecting. It is the only network indicator in this run worth carrying into blocklists or hunting. jsonplaceholder.typicode.com is a public mock-API service, so a hit on it is not attributable to this family on its own, although the successful session does show the sample had Internet access.

Files

The same path is listed twice with different hashes: the report records each distinct content that was written to EaaGfe.json, so the file was rewritten during the run. The oat/EaaGfe.json.cur.prof entry is the ART profile the runtime writes while the loaded DEX executes; its content depends on what ran, so its hash differs in every run (compare behavioral3 and behavioral1) and is not a usable indicator. The two EaaGfe.json hashes, by contrast, recur in all three runs.

/data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

MD5 9d22ce43b6cd6cfadfe0a0a4ae2fa9a9
SHA1 ed8f4cc20b653c70d9c54a73ef0fd12b90e8cdb7
SHA256 0767dba685a392eb56e2e661e02223e8b9a13ef718a4503ba7f28c82f32f9c10
SHA512 a46cdb90ecb6fe7f038738b810f80b5480e40c3d8cb90a2f7dafb02339e40af157bb54bbad98696d95c461297a4268468f01a67f7f4ca60522c133bdd1f8bcc8

/data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

MD5 84f673f013c88f1d22d4dca9a326ccc6
SHA1 fe3dd10e9764c70914a318374da696244c43a045
SHA256 e280412c1cf95ee7d90c789e8c39cd3225ee7cc9fc5732e1c0489f2a3c40f389
SHA512 2ca531d45906be66ef5cae426d17f42ba107e28e75c1cd176d48d4e2bd15156d2955b7488cf4ed57ef9ab013d9727ae596e7d65af845c8e0aa8527ed9a023780

/data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/oat/EaaGfe.json.cur.prof

MD5 bd6a5874d76eacdf8d8fe9a26d0ffea7
SHA1 1a990f5de1b699516812860709a16aa027e6c123
SHA256 f268788554c2225deb2daada3f41b607cac395f0e28f9e003c14dd640b3f005a
SHA512 0bd226632ec766c30f8554cb4c2d3e5e67f4f6fc6316f775221c4fde3ab55a39660202f53f1822c28b0baad3b75001cf864a9f9a46147e00b99309d8d935c51c
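The first thing to do with a dropped file that has a misleading extension is to identify it by content rather than by name. The following is an added example, not the sandbox's code: it parses the DEX header (magic, adler32 checksum over bytes 12 to end, SHA-1 signature over bytes 32 to end, file size, endian tag) and recomputes the two integrity fields, which both dx and d8 write when the DEX is produced, so a mismatch means the file was modified after it was built. The fixture it runs on when given no argument is a constructed header-only DEX; the sample's own EaaGfe.json files are not reproduced here.

```python
"""Identify a dropped file as DEX by its header and verify the header's
checksum and signature. Added example, not sandbox or sample code."""
import hashlib
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"      # full magic is b"dex\n035\0" (version varies)
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def build_constructed_dex(payload: bytes = b"") -> bytes:
    """Constructed fixture: a header-only DEX (no classes) with valid checksum
    and signature. Used only so the example runs offline."""
    file_size = DEX_HEADER_SIZE + len(payload)
    # Header fields after endian_tag, in order: link_size, link_off, map_off,
    # then (size, off) for string_ids, type_ids, proto_ids, field_ids,
    # method_ids, class_defs, then data_size, data_off.
    tail = struct.pack("<17I", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                       len(payload), DEX_HEADER_SIZE)
    body = struct.pack("<III", file_size, DEX_HEADER_SIZE, ENDIAN_CONSTANT) + tail + payload
    signature = hashlib.sha1(body).digest()                  # SHA-1 of bytes 32..end
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF   # adler32 of bytes 12..end
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + body


def inspect_dex(data: bytes) -> dict:
    """Parse the DEX header and recompute its integrity fields.
    Returns {'is_dex': False} for anything without the DEX magic."""
    if len(data) < DEX_HEADER_SIZE or not data.startswith(DEX_MAGIC_PREFIX):
        return {"is_dex": False}
    version = data[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "is_dex": True,
        "version": version,
        "file_size_ok": file_size == len(data),
        "header_size_ok": header_size == DEX_HEADER_SIZE,
        "endian_ok": endian_tag == ENDIAN_CONSTANT,
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(data[32:]).digest() == signature,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify_dropped_file(data: bytes) -> str:
    """Label by content, not by file name: 'dex', 'json' or 'other'."""
    if data.startswith(DEX_MAGIC_PREFIX):
        return "dex"
    if data.lstrip()[:1] in (b"{", b"["):
        return "json"
    return "other"


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                blob = fh.read()
            print(path, classify_dropped_file(blob), inspect_dex(blob))
    else:
        fixture = build_constructed_dex(b"\x00" * 16)
        print("fixture", classify_dropped_file(fixture), inspect_dex(fixture))
```

Run it as python dexcheck.py EaaGfe.json after pulling the file from the app's data directory; a 'dex' classification with both integrity checks passing means the runtime will accept the file as-is, while a failing checksum on a file the sandbox saw being loaded points at in-memory patching or a packer that rewrites the header.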

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-21 10:29

Reported

2024-06-21 10:32

Platform

android-x64-arm64-20240611.1-en

Max time kernel

176s

Max time network

133s

Command Line

xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht

Signatures

Process and Target are N/A in every row of this run and are omitted; each row below is given as Description: Indicator.

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

(1 hit; no indicator recorded)

Removes its main activity from the application launcher

stealth trojan evasion
(10 hits; no indicator recorded)

Loads dropped Dex/Jar

evasion
(no description): /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json
(no description): /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId

Queries account information for other applications stored on the device

collection
Framework service call: android.accounts.IAccountManager.getAccountsAsUser

Queries the phone number (MSISDN for GSM devices)

discovery
(no indicator recorded)

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
(no description): android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
(no description): android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
This intent opens the system prompt that asks the user to exempt the app from Doze and App Standby; once granted, the foreground service keeps running while the screen is off. This run records the request but no registerReceiver call, whereas behavioral2 records the receiver but not this request: the runs differ in which code paths executed inside the capture window, which is why all three are worth reading rather than any one.

Schedules tasks to execute at a specified time

execution persistence
Framework service call: android.app.job.IJobScheduler.schedule

Processes

xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht

Network

Country   Destination              Domain                         Proto
N/A       224.0.0.251:5353                                        udp
GB        216.58.204.78:443                                       tcp
GB        216.58.204.78:443                                       tcp
US        1.1.1.1:53               android.apis.google.com        udp
GB        142.250.200.46:443       android.apis.google.com        tcp
US        1.1.1.1:53               jsonplaceholder.typicode.com   udp
US        104.21.59.19:443         jsonplaceholder.typicode.com   tcp
US        1.1.1.1:53               ssl.google-analytics.com       udp
GB        142.250.200.8:443        ssl.google-analytics.com       tcp
US        1.1.1.1:53               fxancc4fp4.site                udp
GB        142.250.178.4:443                                       tcp
GB        142.250.178.4:443                                       tcp

As in behavioral2: fxancc4fp4.site is looked up but never connected to, and everything else is the resolver, mDNS, Google platform traffic, or the public jsonplaceholder.typicode.com service.

Files

/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

MD5 9d22ce43b6cd6cfadfe0a0a4ae2fa9a9
SHA1 ed8f4cc20b653c70d9c54a73ef0fd12b90e8cdb7
SHA256 0767dba685a392eb56e2e661e02223e8b9a13ef718a4503ba7f28c82f32f9c10
SHA512 a46cdb90ecb6fe7f038738b810f80b5480e40c3d8cb90a2f7dafb02339e40af157bb54bbad98696d95c461297a4268468f01a67f7f4ca60522c133bdd1f8bcc8

/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

MD5 84f673f013c88f1d22d4dca9a326ccc6
SHA1 fe3dd10e9764c70914a318374da696244c43a045
SHA256 e280412c1cf95ee7d90c789e8c39cd3225ee7cc9fc5732e1c0489f2a3c40f389
SHA512 2ca531d45906be66ef5cae426d17f42ba107e28e75c1cd176d48d4e2bd15156d2955b7488cf4ed57ef9ab013d9727ae596e7d65af845c8e0aa8527ed9a023780

/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/oat/EaaGfe.json.cur.prof

MD5 be61b9a04af615effcb164ce60bd3859
SHA1 b5df1cd91c0c74df3069b5e752c6cf1e0620669d
SHA256 0d98b80b7c32e227cae102d74e6473183ca743d02a60ec8a5a0f02356dab33b8
SHA512 7da13ef1fef53b8746029b393dcace7e93da62eafeefeaaea4e4f4bbe9810562810cc7c0290126ceb92f49d6ab74a5781539b0c166a2e711ecd3f75139f584da

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 10:29

Reported

2024-06-21 10:32

Platform

android-x86-arm-20240611.1-en

Max time kernel

177s

Max time network

150s

Command Line

xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht

Signatures

Process and Target are N/A in every row of this run and are omitted; each row below is given as Description: Indicator.

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

(2 hits; no indicator recorded)

Removes its main activity from the application launcher

stealth trojan evasion
(1 hit; no indicator recorded)

Loads dropped Dex/Jar

evasion
(no description): /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json
(no description): /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json
(no description): /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json
This run records three loads, and its Files section correspondingly lists three distinct contents for EaaGfe.json (the other runs record two loads and two contents); the third content, SHA256 a4d69a17..., appears only here.

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries account information for other applications stored on the device

collection
Framework service call: android.accounts.IAccountManager.getAccountsAsUser

Queries the phone number (MSISDN for GSM devices)

discovery
(no indicator recorded)

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
(no description): android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
(no description): android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
The signature title is loose: getNetworkCountryIsoForPhone returns the ISO 3166 country code of the network the phone is registered on, not the numeric MCC. Either way it is a country check, which this class of malware commonly uses to decide whether to run at all on a given victim.

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Requests enabling of the accessibility settings

Intent action: android.settings.ACCESSIBILITY_SETTINGS
An app cannot enable its own accessibility service; it can only open this Settings page and talk the user into flipping the toggle. Every credential_access capability in this report depends on that one toggle, so an allowlist of permitted accessibility services (or simply auditing Settings > Accessibility for unknown entries) is the most effective control against this family.

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Schedules tasks to execute at a specified time

execution persistence
Framework service call: android.app.job.IJobScheduler.schedule

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo
Both reads are common in emulator detection (emulator CPU model strings and memory sizes give a sandbox away), but plenty of legitimate libraries read the same files, so on their own they are weak evidence. They appear only in this x86 run.

Processes

xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht

/system/bin/dex2oat \
  --instruction-set=x86 \
  --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt \
  --runtime-arg -Xhidden-api-checks \
  --runtime-arg -Xrelocate \
  --boot-image=/system/framework/boot.art \
  --runtime-arg -Xms64m --runtime-arg -Xmx512m \
  --instruction-set-variant=x86 --instruction-set-features=default \
  --inline-max-code-units=0 --compact-dex-level=none \
  --dex-file=/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json \
  --output-vdex-fd=41 --oat-fd=42 \
  --oat-location=/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/oat/x86/EaaGfe.odex \
  --compiler-filter=quicken --class-loader-context=&

(The argument list is cut off in the report after --class-loader-context=.) This is ART compiling the dropped file when the app loads it through a dex class loader, which settles what EaaGfe.json is: --dex-file names it as the input DEX and the output is oat/x86/EaaGfe.odex next to it. The --oat-fd and --output-vdex-fd arguments show the output files were opened by the app process and passed down as descriptors. The resulting .odex is not listed in the Files section, so only the DEX and its profile were hashed. The compile appears only in this x86 run; the x64 and arm64 runs record the same DEX being loaded without a dex2oat process.

Network

Country   Destination              Domain                               Proto
GB        172.217.169.74:443                                             tcp
N/A       224.0.0.251:5353                                               udp
US        1.1.1.1:53               jsonplaceholder.typicode.com         udp
US        104.21.59.19:443         jsonplaceholder.typicode.com         tcp
GB        142.250.187.238:443                                            tcp
US        1.1.1.1:53               android.apis.google.com              udp
GB        216.58.212.238:443       android.apis.google.com              tcp
US        1.1.1.1:53               fxancc4fp4.site                      udp
US        1.1.1.1:53               semanticlocation-pa.googleapis.com   udp
GB        172.217.169.74:443       semanticlocation-pa.googleapis.com   tcp
GB        216.58.204.78:443                                              tcp
GB        216.58.204.66:443                                              tcp

Same picture as the other two runs: fxancc4fp4.site is looked up and never connected to, jsonplaceholder.typicode.com is reached, and the rest is Google platform traffic (semanticlocation-pa.googleapis.com is another Google services endpoint). That the lookup goes nowhere in all three runs suggests the domain was already dead at the time of detonation, which is worth checking against passive DNS before treating it as live infrastructure. jsonplaceholder.typicode.com resolved to two different Cloudflare addresses across the runs (172.67.167.151 and 104.21.59.19), a reminder that its IPs are not meaningful indicators.

Files

This run is the only one with three distinct contents for EaaGfe.json. The third (SHA256 a4d69a17...) is listed under the /data/user/0 spelling of the directory, but /data/data/<pkg> is a symlink to /data/user/0/<pkg> on Android, so all three entries refer to the same file.

/data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

MD5 9d22ce43b6cd6cfadfe0a0a4ae2fa9a9
SHA1 ed8f4cc20b653c70d9c54a73ef0fd12b90e8cdb7
SHA256 0767dba685a392eb56e2e661e02223e8b9a13ef718a4503ba7f28c82f32f9c10
SHA512 a46cdb90ecb6fe7f038738b810f80b5480e40c3d8cb90a2f7dafb02339e40af157bb54bbad98696d95c461297a4268468f01a67f7f4ca60522c133bdd1f8bcc8

/data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

MD5 84f673f013c88f1d22d4dca9a326ccc6
SHA1 fe3dd10e9764c70914a318374da696244c43a045
SHA256 e280412c1cf95ee7d90c789e8c39cd3225ee7cc9fc5732e1c0489f2a3c40f389
SHA512 2ca531d45906be66ef5cae426d17f42ba107e28e75c1cd176d48d4e2bd15156d2955b7488cf4ed57ef9ab013d9727ae596e7d65af845c8e0aa8527ed9a023780

/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

MD5 81b9a9ccd202d616cc329cb5a6b222f3
SHA1 807994666c81523d80eceff9c9808e19231647e7
SHA256 a4d69a170fbdd94054ee097562a933d87e59feefa702a97d9b6d1d013b369741
SHA512 d617f1336f3597b19f0334e96c8a6b5dc8f7a26f17c740c8afb6a49e47ca52549bb79a2df4864b3ce6d74cb079437f06417cfb84d714c162c3279980ae2c8812

/data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/oat/EaaGfe.json.cur.prof

MD5 691dab406f5cb3ee081d8cb146be4e74
SHA1 aded6c943a8b93fa9fac1756172be338163bb7e5
SHA256 d9f251ab63b59d3de8574fa6aa8d8f94fd02965a9015a3a8f6cd674278b197c7
SHA512 57e2dbd9ebbbd6c69f54f175699a4e49ea6d0627298565f64e1587e1526fd706c90b6a146123ebebd2d4dd8db5792074ce6d2cd91d33dead44ad09f1cea1e82d
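Before publishing hashes from a report like this one, it pays to check which of them recur across runs and which are artifacts of a single detonation. The following is an added example, not the sandbox's code: it parses the report's own Files layout (a path line followed by ALGO hex lines), normalizes the /data/data and /data/user/0 spellings of the same directory, and reports which digests appear in every run versus in only one. The entries are the SHA256 values from the three Files sections above, with the package directory shortened to <pkg> for readability.

```python
"""Cross-run hash stability for a multi-detonation report.
Added example, not sandbox code. RUNS holds the SHA256 lines from the three
Files sections above, with the package directory abbreviated to <pkg>."""
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")

RUNS = {
    "behavioral2": """
/data/data/<pkg>/app_DynamicOptDex/EaaGfe.json
SHA256 0767dba685a392eb56e2e661e02223e8b9a13ef718a4503ba7f28c82f32f9c10
/data/data/<pkg>/app_DynamicOptDex/EaaGfe.json
SHA256 e280412c1cf95ee7d90c789e8c39cd3225ee7cc9fc5732e1c0489f2a3c40f389
/data/data/<pkg>/app_DynamicOptDex/oat/EaaGfe.json.cur.prof
SHA256 f268788554c2225deb2daada3f41b607cac395f0e28f9e003c14dd640b3f005a
""",
    "behavioral3": """
/data/user/0/<pkg>/app_DynamicOptDex/EaaGfe.json
SHA256 0767dba685a392eb56e2e661e02223e8b9a13ef718a4503ba7f28c82f32f9c10
/data/user/0/<pkg>/app_DynamicOptDex/EaaGfe.json
SHA256 e280412c1cf95ee7d90c789e8c39cd3225ee7cc9fc5732e1c0489f2a3c40f389
/data/user/0/<pkg>/app_DynamicOptDex/oat/EaaGfe.json.cur.prof
SHA256 0d98b80b7c32e227cae102d74e6473183ca743d02a60ec8a5a0f02356dab33b8
""",
    "behavioral1": """
/data/data/<pkg>/app_DynamicOptDex/EaaGfe.json
SHA256 0767dba685a392eb56e2e661e02223e8b9a13ef718a4503ba7f28c82f32f9c10
/data/data/<pkg>/app_DynamicOptDex/EaaGfe.json
SHA256 e280412c1cf95ee7d90c789e8c39cd3225ee7cc9fc5732e1c0489f2a3c40f389
/data/user/0/<pkg>/app_DynamicOptDex/EaaGfe.json
SHA256 a4d69a170fbdd94054ee097562a933d87e59feefa702a97d9b6d1d013b369741
/data/data/<pkg>/app_DynamicOptDex/oat/EaaGfe.json.cur.prof
SHA256 d9f251ab63b59d3de8574fa6aa8d8f94fd02965a9015a3a8f6cd674278b197c7
""",
}


def normalize_path(path):
    """/data/data/<pkg> is a symlink to /data/user/0/<pkg> on Android, so the
    two spellings used in the report name the same file."""
    return re.sub(r"^/data/data/", "/data/user/0/", path)


def parse_files_section(text):
    """Yield (path, algo, hexdigest) from the report layout: a path line
    followed by one or more 'ALGO hex' lines."""
    path = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and path:
            yield path, m.group(1), m.group(2)
        elif line.startswith("/"):
            path = normalize_path(line)


def hash_stability(runs, algo="SHA256"):
    """Map each digest to the runs and (normalized) paths it was seen at."""
    seen = defaultdict(lambda: {"runs": set(), "paths": set()})
    for run, text in runs.items():
        for path, a, digest in parse_files_section(text):
            if a == algo:
                seen[digest]["runs"].add(run)
                seen[digest]["paths"].add(path)
    return dict(seen)


def stable_iocs(runs):
    """Digests present in every run: the ones worth publishing."""
    seen = hash_stability(runs)
    return sorted(d for d, v in seen.items() if v["runs"] == set(runs))


def volatile_hashes(runs):
    """Digests seen in a single run only (runtime profiles, partial writes)."""
    seen = hash_stability(runs)
    return sorted(d for d, v in seen.items() if len(v["runs"]) == 1)


if __name__ == "__main__":
    print("stable:", stable_iocs(RUNS))
    print("volatile:", volatile_hashes(RUNS))
```

For this report the stable set is the two EaaGfe.json contents and the volatile set is every .cur.prof profile plus the third EaaGfe.json content that only behavioral1 produced; the profiles should not be published as indicators at all, and the run-specific DEX content deserves a note that it was seen once.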