Malware Analysis Report

2025-01-19 05:13

Sample ID 241127-11sgnaspev
Target 41b9a5f1a347465d4471f89f37c621d4946266c113a20411eac49c915522e5f4.bin
SHA256 41b9a5f1a347465d4471f89f37c621d4946266c113a20411eac49c915522e5f4
Tags
alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

41b9a5f1a347465d4471f89f37c621d4946266c113a20411eac49c915522e5f4

Threat Level: Known bad

The file 41b9a5f1a347465d4471f89f37c621d4946266c113a20411eac49c915522e5f4.bin was found to be: Known bad.

Malicious Activity Summary


Alienbot

Cerberus

Cerberus family

Alienbot family

Cerberus payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Checks Android system properties for emulator presence.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-11-27 22:07

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 22:07

Reported

2024-11-27 22:10

Platform

android-x86-arm-20240624-en

Max time kernel

141s

Max time network

130s

Command Line

com.domain.special

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload


Removes its main activity from the application launcher

stealth trojan evasion

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.domain.special/app_DynamicOptDex/jw.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.domain.special

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.domain.special/app_DynamicOptDex/jw.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.domain.special/app_DynamicOptDex/oat/x86/jw.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.67.167.151:443 jsonplaceholder.typicode.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ramosahneleri.net udp

Files

/data/data/com.domain.special/app_DynamicOptDex/jw.json

/data/data/com.domain.special/app_DynamicOptDex/jw.json

/data/user/0/com.domain.special/app_DynamicOptDex/jw.json

/data/user/0/com.domain.special/app_DynamicOptDex/jw.json

/data/data/com.domain.special/app_DynamicOptDex/oat/jw.json.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 22:07

Reported

2024-11-27 22:09

Platform

android-x64-20240910-en

Max time kernel

132s

Max time network

150s

Command Line

com.domain.special

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.domain.special/app_DynamicOptDex/jw.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

com.domain.special

Network

Country Destination Domain Proto
GB 216.58.204.74:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.46:443 android.apis.google.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.67.167.151:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.195:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 ramosahneleri.net udp

Files

/data/data/com.domain.special/app_DynamicOptDex/jw.json

/data/data/com.domain.special/app_DynamicOptDex/jw.json

/data/user/0/com.domain.special/app_DynamicOptDex/jw.json

/data/data/com.domain.special/app_DynamicOptDex/oat/jw.json.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-27 22:07

Reported

2024-11-27 22:09

Platform

android-x64-arm64-20240910-en

Max time kernel

119s

Max time network

150s

Command Line

com.domain.special

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.domain.special/app_DynamicOptDex/jw.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

com.domain.special

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 216.58.204.78:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 216.239.34.223:443 tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 104.21.59.19:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 ramosahneleri.net udp
GB 142.250.187.193:443 tcp
GB 216.58.204.65:443 tcp

Files

/data/user/0/com.domain.special/app_DynamicOptDex/jw.json

/data/user/0/com.domain.special/app_DynamicOptDex/jw.json

/data/user/0/com.domain.special/app_DynamicOptDex/jw.json