Malware Analysis Report

2025-01-19 05:13

Sample ID 241125-nr29aa1mdl
Target 9b3baa70f573d608d580054af58a8b98_JaffaCakes118
SHA256 da43b86847f10c4578be3c80104729f243c6724d9f151bf8cfe087d09a9f74b9
Tags
alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

da43b86847f10c4578be3c80104729f243c6724d9f151bf8cfe087d09a9f74b9

Threat Level: Known bad

The file 9b3baa70f573d608d580054af58a8b98_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Cerberus payload

Cerberus family

Alienbot

Alienbot family

Cerberus

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Queries account information for other applications stored on the device

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background)

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 11:38

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 11:38

Reported

2024-11-25 11:41

Platform

android-x86-arm-20240624-en

Max time network

137s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network


Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-25 11:38

Reported

2024-11-25 11:41

Platform

android-x64-20240624-en

Max time kernel

139s

Max time network

142s

Command Line

group.finish.index

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/group.finish.index/app_DynamicOptDex/PWOCbS.json N/A N/A
N/A /data/user/0/group.finish.index/app_DynamicOptDex/PWOCbS.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

group.finish.index

Network


Files

/data/data/group.finish.index/app_DynamicOptDex/PWOCbS.json


/data/data/group.finish.index/app_DynamicOptDex/PWOCbS.json


/data/data/group.finish.index/app_DynamicOptDex/oat/PWOCbS.json.cur.prof


Analysis: behavioral3

Detonation Overview

Submitted

2024-11-25 11:38

Reported

2024-11-25 11:41

Platform

android-x64-arm64-20240624-en

Max time kernel

140s

Max time network

149s

Command Line

group.finish.index

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/group.finish.index/app_DynamicOptDex/PWOCbS.json N/A N/A
N/A /data/user/0/group.finish.index/app_DynamicOptDex/PWOCbS.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

group.finish.index

Network


Files

/data/user/0/group.finish.index/app_DynamicOptDex/PWOCbS.json


/data/user/0/group.finish.index/app_DynamicOptDex/PWOCbS.json


/data/user/0/group.finish.index/app_DynamicOptDex/oat/PWOCbS.json.cur.prof
