Malware Analysis Report

2025-01-19 05:13

Sample ID 241126-p7zc1askes
Target a2112d3c6b589061b7c97fc2df9ee154_JaffaCakes118
SHA256 8f408002a2c7305f6eff6b076043660b1fc29e7dc265a9fff0421a86081b987a
Tags
alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8f408002a2c7305f6eff6b076043660b1fc29e7dc265a9fff0421a86081b987a

Threat Level: Known bad

The file a2112d3c6b589061b7c97fc2df9ee154_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Cerberus

Alienbot

Cerberus family

Cerberus payload

Alienbot family

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Checks Android system properties for emulator presence

Queries the phone number (MSISDN for GSM devices)

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background)

Makes use of the framework's foreground persistence service

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-26 12:58

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
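The static signatures above are the manifest-level profile of an Android banker: SMS read/receive/send, CALL_PHONE, GET_ACCOUNTS and READ_PHONE_STATE requested as uses-permissions, plus components that require BIND_ACCESSIBILITY_SERVICE, BIND_NOTIFICATION_LISTENER_SERVICE and BIND_DEVICE_ADMIN so that the system binds to them. The following is an added triage script, not code from the report or the sandbox: it parses a decoded AndroidManifest.xml and reports which capability clusters the declared permissions enable. The manifest is constructed from the permissions listed above; its component names (.AccService, .NotifService, .AdminReceiver) are invented placeholders, and the CLUSTERS grouping is this example's own.

```python
"""Static triage of an Android manifest for the banker permission profile.

Added example, not part of the sandbox report. SAMPLE_MANIFEST is constructed
from the permissions the static1 signatures list; the component names
(.AccService, .NotifService, .AdminReceiver) are invented placeholders because
the report does not reproduce the manifest. CLUSTERS is this example's own
grouping, not a rule taken from the sandbox.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree keys namespaced attributes as {ns}name

SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="involve.what.draw">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Capability clusters (this example's grouping); a cluster counts as present
# only when every permission in it is declared.
CLUSTERS = {
    "accessibility_control": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "notification_access":   {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "device_admin":          {"android.permission.BIND_DEVICE_ADMIN"},
    "sms_interception":      {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending":           {"android.permission.SEND_SMS"},
    "call_without_dialer":   {"android.permission.CALL_PHONE"},
    "account_enumeration":   {"android.permission.GET_ACCOUNTS"},
    "phone_identity":        {"android.permission.READ_PHONE_STATE"},
}


def extract_permissions(manifest_xml):
    """Return (uses-permissions requested, permissions components require to bind).

    BIND_* permissions are not requested with <uses-permission>; they appear as
    android:permission on the <service>/<receiver> the system binds to, which
    is why the report lists them under "declares ... with permission".
    """
    root = ET.fromstring(manifest_xml)
    uses = {el.get(A + "name") for el in root.iter("uses-permission")}
    uses.discard(None)
    binds = set()
    for tag in ("service", "receiver", "activity", "provider"):
        for el in root.iter(tag):
            perm = el.get(A + "permission")
            if perm:
                binds.add(perm)
    return uses, binds


def banker_profile(manifest_xml):
    """Score how many capability clusters the manifest enables (0..len(CLUSTERS))."""
    uses, binds = extract_permissions(manifest_xml)
    declared = uses | binds
    hits = {name: needed <= declared for name, needed in CLUSTERS.items()}
    return sum(hits.values()), hits


if __name__ == "__main__":
    score, hits = banker_profile(SAMPLE_MANIFEST)
    print(f"score {score}/{len(CLUSTERS)}")
    for name, present in hits.items():
        print(f"  [{'x' if present else ' '}] {name}")
```

Run it against a manifest decoded from the APK (for example with apktool); the sample manifest above hits all eight clusters, while an app requesting only INTERNET scores zero.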

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 12:58

Reported

2024-11-26 13:01

Platform

android-x86-arm-20240624-en

Max time kernel

141s

Max time network

147s

Command Line

involve.what.draw

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks Android system properties for emulator presence

evasion
Description | Indicator | Process | Target
Accessed system property key | ro.product.model | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/involve.what.draw/app_DynamicOptDex/QPI.json | N/A | N/A
N/A | /data/user/0/involve.what.draw/app_DynamicOptDex/QPI.json | N/A | N/A
N/A | /data/user/0/involve.what.draw/app_DynamicOptDex/QPI.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

involve.what.draw

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/involve.what.draw/app_DynamicOptDex/QPI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/involve.what.draw/app_DynamicOptDex/oat/x86/QPI.odex --compiler-filter=quicken --class-loader-context=&
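The dex2oat invocation above is the runtime ahead-of-time compiling /data/user/0/involve.what.draw/app_DynamicOptDex/QPI.json, which means the file the app wrote under a .json name is a DEX file (this is what the "Loads dropped Dex/Jar" signature records; /data/data/<pkg> and /data/user/0/<pkg> are the same directory on a single-user device). The dropped files are not reproduced on the page, only their hashes, so the check below is an added example rather than code from the report: it identifies a DEX payload by its header regardless of the filename and validates the header's own checksum and SHA-1 signature, which a loader would otherwise trust. A small synthetic header is constructed in-block for demonstration.

```python
"""Identify a dropped file as DEX by content and validate its header.

Added example, not part of the sandbox report. The report shows dex2oat
compiling .../app_DynamicOptDex/QPI.json, i.e. a DEX stored under a .json
name. Those files are not on the page, so build_synthetic_dex() constructs a
minimal, structurally valid header (no classes) purely for demonstration.
"""
import hashlib
import os
import struct
import zlib

DEX_MAGICS = {b"dex\n035\0", b"dex\n036\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0"}
HEADER_SIZE = 0x70            # fixed DEX header length
ENDIAN_CONSTANT = 0x12345678  # endian_tag value for little-endian files


def inspect_dex(data: bytes) -> dict:
    """Check the DEX header fields a loader relies on.

    is_dex        magic matches a known DEX version
    checksum_ok   adler32 over bytes [12:] equals the stored checksum
    signature_ok  SHA-1 over bytes [32:] equals the stored signature
    size_ok       file_size matches the blob and header_size is 0x70
    endian_ok     endian_tag is the little-endian constant
    All flags are False when the magic does not match.
    """
    flags = {"is_dex": False, "checksum_ok": False, "signature_ok": False,
             "size_ok": False, "endian_ok": False}
    if len(data) < HEADER_SIZE or data[:8] not in DEX_MAGICS:
        return flags
    flags["is_dex"] = True
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    flags["checksum_ok"] = checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    flags["signature_ok"] = signature == hashlib.sha1(data[32:]).digest()
    flags["size_ok"] = file_size == len(data) and header_size == HEADER_SIZE
    flags["endian_ok"] = endian_tag == ENDIAN_CONSTANT
    return flags


def classify_drop(path: str, data: bytes) -> str:
    """Label a dropped file by its content, flagging a mismatch with its name."""
    flags = inspect_dex(data)
    if not flags["is_dex"]:
        return "not-dex"
    intact = all(flags.values())
    ext = os.path.splitext(os.path.basename(path))[1].lstrip(".").lower()
    if ext in ("dex", "jar", "odex", "apk"):
        return "dex" if intact else "dex-damaged"
    return ("dex-disguised-as-" if intact else "dex-damaged-disguised-as-") + (ext or "noext")


def build_synthetic_dex(body: bytes = b"") -> bytes:
    """Construct a minimal header with correct checksum/signature (test data only)."""
    total = HEADER_SIZE + len(body)
    tail = struct.pack("<III", total, HEADER_SIZE, ENDIAN_CONSTANT)
    tail += b"\0" * (HEADER_SIZE - 44)     # remaining header fields zeroed
    tail += body
    signature = hashlib.sha1(tail).digest()              # covers bytes [32:]
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF  # covers bytes [12:]
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + tail


if __name__ == "__main__":
    dropped = build_synthetic_dex(b"constructed payload")  # constructed sample
    print(classify_drop("/data/user/0/involve.what.draw/app_DynamicOptDex/QPI.json", dropped))
    print(classify_drop("QPI.json", b'{"ok": true}'))
```

On a real drop, pull the file with adb (root or a debuggable build is needed for /data/user/0/<pkg>) and feed its bytes to classify_drop; a valid header under a .json, .cur.prof or otherwise misleading name is the condition this report's dex2oat line reflects, and a failed checksum or signature on an otherwise valid magic means the blob was modified after packing or only partially captured.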

Network

Country | Destination | Domain | Proto
GB | 142.250.180.10:443 | - | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp
US | 104.21.59.19:443 | jsonplaceholder.typicode.com | tcp
GB | 216.58.201.110:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
DE | 194.163.136.78:80 | - | tcp
DE | 194.163.136.78:80 | - | tcp
DE | 194.163.136.78:80 | - | tcp
DE | 194.163.136.78:80 | - | tcp
DE | 194.163.136.78:80 | - | tcp
DE | 194.163.136.78:80 | - | tcp
DE | 194.163.136.78:80 | - | tcp
DE | 194.163.136.78:80 | - | tcp
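The network table mixes DNS lookups on 1.1.1.1, TLS to Google and Cloudflare-fronted hosts, and eight plaintext TCP/80 connections to 194.163.136.78 with no name resolved in the capture. The script below is an added triage example, not part of the report: it parses the table as printed (the rows are copied from this behavioral1 section), groups flows by destination, lists the names queried, and applies one heuristic of its own, repeated plaintext HTTP to a bare IP, to order what to examine first. The heuristic is this example's choice of what to look at, not a verdict the sandbox makes about that address.

```python
"""Triage a sandbox network table: what repeats, what had a name, what to read first.

Added example, not part of the sandbox report. SAMPLE_TABLE is copied from the
behavioral1 Network section; review_first() is this example's own heuristic,
not a classification made by the sandbox.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_TABLE = """\
Country Destination Domain Proto
GB 142.250.180.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 104.21.59.19:443 jsonplaceholder.typicode.com tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]   # queried name (port 53) or server name (TLS), if any
    proto: str


def parse_network_table(text: str) -> List[Flow]:
    """Parse the report's space-separated rows (a '|'-delimited layout is also accepted)."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Country"):
            continue
        parts = [p.strip() for p in line.split("|")] if "|" in line else line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:          # no Domain column on this row
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        domain = None if domain in ("", "-", "N/A") else domain
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def summarize(flows: List[Flow]) -> Dict[Tuple[str, int, str], dict]:
    """Group by (ip, port, proto): connection count and names seen with it."""
    groups: Dict[Tuple[str, int, str], dict] = defaultdict(lambda: {"count": 0, "domains": set()})
    for f in flows:
        g = groups[(f.ip, f.port, f.proto)]
        g["count"] += 1
        if f.domain:
            g["domains"].add(f.domain)
    return dict(groups)


def dns_queries(flows: List[Flow]) -> Set[str]:
    """Names the sample resolved during the run."""
    return {f.domain for f in flows if f.port == 53 and f.domain}


def review_first(flows: List[Flow], min_repeats: int = 3) -> List[Tuple[str, int, int]]:
    """Heuristic (this example's): repeated plaintext TCP/80 to an address with no
    name in the capture, most connections first. A hit is a starting point for
    pcap review, not proof of command-and-control."""
    hits = []
    for (ip, port, proto), g in summarize(flows).items():
        if proto == "tcp" and port == 80 and not g["domains"] and g["count"] >= min_repeats:
            hits.append((ip, port, g["count"]))
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    flows = parse_network_table(SAMPLE_TABLE)
    print("resolved:", sorted(dns_queries(flows)))
    for key, g in sorted(summarize(flows).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{key[0]}:{key[1]}/{key[2]}  x{g['count']}  {sorted(g['domains'])}")
    print("review first:", review_first(flows))
```

For this run the only hit is 194.163.136.78:80 with eight connections; the next step is to read those HTTP exchanges in the pcap (request path, User-Agent, POST bodies) and compare against the other two behavioral runs, which contact the same address.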

Files

/data/data/involve.what.draw/app_DynamicOptDex/QPI.json

MD5 6d1e85f28a94032f4636fa077efc9228
SHA1 5ecc78d09547f6ecb7dc3bbcf981c73364bdfcb1
SHA256 bf91bbf1ae0b91482f6815ea67447f68bd4d93a23ac36d7cb8e4c68bb086890c
SHA512 7810cc1875db0f214efeee80885ae197e3ec18974e680df6c4f306977664cbb4a505c1a5888c10c5be0747579d6028ca36078bca8c73c7fd25e636e81427be8c

/data/data/involve.what.draw/app_DynamicOptDex/QPI.json

MD5 4c087c1b4143eb14c750c1d042ee298c
SHA1 f994f56d7d3cbe5533f9172a6bc6abbec2f8292b
SHA256 694ed4dce22a28358dd773c56472283c7dd20a26dfd0958e558a945690608103
SHA512 f1df38bfa45996411ab14f32a428fc84008af6e3ff4b0ac4aa26a041f5b681576360eec87520cee4534a5154c75b0cd9173c197c89fad1e6f69dfedf22f3e829

/data/user/0/involve.what.draw/app_DynamicOptDex/QPI.json

MD5 8c6b2b80c67b714173e5319dceef5d1c
SHA1 4be267e35da92f5f8013864387fa46bc4a7120d3
SHA256 cb40d6f36ada89e93625d4483422ecad2a21328a576e326a45b9b8815963bd9e
SHA512 26c295c5c5b5accdb3f6ac94fb5dd93d7f783401bfb37bd7cc702278542b6a75ac732cdeea011883f28779251fd074ead7c837b70e1f7b3e45538ac5a6716992

/data/data/involve.what.draw/app_DynamicOptDex/oat/QPI.json.cur.prof

MD5 3934602045e39fb70afbe3fc12e546b8
SHA1 5b797a63f6cdeb6e69ee431508286ad756c01c53
SHA256 8d610bbd318fa038751b0363da4fc6f40cc068baaf3622ba904ff1a0d1c5b099
SHA512 1c97dd19c3f1d8f6a94671d146c228cbc69a755a704a09d4b93cb3750e2798acc801071f57add5167a9f0c458b56d714b13035b3d3544eb5399aebf351b65643

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-26 12:58

Reported

2024-11-26 13:01

Platform

android-x64-20240624-en

Max time kernel

144s

Max time network

153s

Command Line

involve.what.draw

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/involve.what.draw/app_DynamicOptDex/QPI.json | N/A | N/A
N/A | /data/user/0/involve.what.draw/app_DynamicOptDex/QPI.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

involve.what.draw

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp
US | 172.67.167.151:443 | jsonplaceholder.typicode.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
DE | 194.163.136.78:80 | - | tcp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
DE | 194.163.136.78:80 | - | tcp
GB | 142.250.180.4:443 | - | tcp
GB | 142.250.180.4:443 | - | tcp
DE | 194.163.136.78:80 | - | tcp
DE | 194.163.136.78:80 | - | tcp
DE | 194.163.136.78:80 | - | tcp

Files

/data/data/involve.what.draw/app_DynamicOptDex/QPI.json

MD5 6d1e85f28a94032f4636fa077efc9228
SHA1 5ecc78d09547f6ecb7dc3bbcf981c73364bdfcb1
SHA256 bf91bbf1ae0b91482f6815ea67447f68bd4d93a23ac36d7cb8e4c68bb086890c
SHA512 7810cc1875db0f214efeee80885ae197e3ec18974e680df6c4f306977664cbb4a505c1a5888c10c5be0747579d6028ca36078bca8c73c7fd25e636e81427be8c

/data/data/involve.what.draw/app_DynamicOptDex/QPI.json

MD5 4c087c1b4143eb14c750c1d042ee298c
SHA1 f994f56d7d3cbe5533f9172a6bc6abbec2f8292b
SHA256 694ed4dce22a28358dd773c56472283c7dd20a26dfd0958e558a945690608103
SHA512 f1df38bfa45996411ab14f32a428fc84008af6e3ff4b0ac4aa26a041f5b681576360eec87520cee4534a5154c75b0cd9173c197c89fad1e6f69dfedf22f3e829

/data/data/involve.what.draw/app_DynamicOptDex/oat/QPI.json.cur.prof

MD5 ee3348d49364e1e91c18b13085b1fd63
SHA1 159494bf613c3c4f93ed5fe35942e3860c69e37f
SHA256 890f07f6d12c8543966c5c1cdb381f269e7ed1cc40ff9b06c162ec21f1673402
SHA512 c28c7705d44dcb4dd4e67c1198926cfe6d18090cc6741b1aecbe83cc6a80403c5ae15d1ce57bab61af977c30f8571d77330bf14821b70fb7cf130ba38d105f0c

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-26 12:58

Reported

2024-11-26 13:01

Platform

android-x64-arm64-20240624-en

Max time kernel

140s

Max time network

149s

Command Line

involve.what.draw

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/involve.what.draw/app_DynamicOptDex/QPI.json | N/A | N/A
N/A | /data/user/0/involve.what.draw/app_DynamicOptDex/QPI.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

involve.what.draw

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.180.14:443 | - | tcp
GB | 142.250.180.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp
US | 172.67.167.151:443 | jsonplaceholder.typicode.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
DE | 194.163.136.78:80 | - | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
DE | 194.163.136.78:80 | - | tcp
DE | 194.163.136.78:80 | - | tcp
DE | 194.163.136.78:80 | - | tcp
DE | 194.163.136.78:80 | - | tcp
DE | 194.163.136.78:80 | - | tcp
DE | 194.163.136.78:80 | - | tcp

Files

/data/user/0/involve.what.draw/app_DynamicOptDex/QPI.json

MD5 6d1e85f28a94032f4636fa077efc9228
SHA1 5ecc78d09547f6ecb7dc3bbcf981c73364bdfcb1
SHA256 bf91bbf1ae0b91482f6815ea67447f68bd4d93a23ac36d7cb8e4c68bb086890c
SHA512 7810cc1875db0f214efeee80885ae197e3ec18974e680df6c4f306977664cbb4a505c1a5888c10c5be0747579d6028ca36078bca8c73c7fd25e636e81427be8c

/data/user/0/involve.what.draw/app_DynamicOptDex/QPI.json

MD5 4c087c1b4143eb14c750c1d042ee298c
SHA1 f994f56d7d3cbe5533f9172a6bc6abbec2f8292b
SHA256 694ed4dce22a28358dd773c56472283c7dd20a26dfd0958e558a945690608103
SHA512 f1df38bfa45996411ab14f32a428fc84008af6e3ff4b0ac4aa26a041f5b681576360eec87520cee4534a5154c75b0cd9173c197c89fad1e6f69dfedf22f3e829

/data/user/0/involve.what.draw/app_DynamicOptDex/oat/QPI.json.cur.prof

MD5 09d2912dd6030c7516734a85c547b3dd
SHA1 76607b9ceec751723d07b95e17eb6634fd1b6e0b
SHA256 098c76b40065eea3d4eeb1f664b3b9b23dacc6b273f54e1bb3ec92629bd2634d
SHA512 1e02f051e368aceaaafc988718768f113a31cafbb56356f453bbea23ad97a6404a52c1840435bdadd31cb27481d379ec279eee2ea3f33dfd9b7eaf62bbe4a31c