Malware Analysis Report

2025-01-19 05:13

Sample ID 241127-cm7ses1pdt
Target a55df1afefc9562dca22c6befa00003b_JaffaCakes118
SHA256 8d4ba01befd0bb33459d7232c376cfb036c68857433ecc05a3f127b8edd64a66
Tags
alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8d4ba01befd0bb33459d7232c376cfb036c68857433ecc05a3f127b8edd64a66

Threat Level: Known bad

The file a55df1afefc9562dca22c6befa00003b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Alienbot family

Cerberus family

Cerberus payload

Cerberus

Alienbot

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-27 02:12

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
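Read together, the static1 signatures describe the standard Android banker layout: runtime permissions to receive, read and send SMS, plus phone state, contacts and accounts, alongside three components that only the system may bind to (accessibility service, notification listener, device admin receiver). The accessibility service is what later drives the findAccessibilityNodeInfo* and performGlobalAction calls in the behavioral sessions; the SMS trio is what makes OTP interception possible. Reproducing this check outside the sandbox only needs the decoded manifest. The following added Python is not code from the report or from the sample: it parses a constructed AndroidManifest.xml (the component class names are invented; the permissions and bind-protected components are exactly the ones listed above) and reports the combination.

```python
"""Added example: static triage of an AndroidManifest.xml for the permission pattern
reported under static1 (dangerous runtime permissions plus system-bind-only components).
Not code from the report or the sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The ten runtime permissions the sandbox flagged as dangerous for this sample.
DANGEROUS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE", "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO", "android.permission.GET_ACCOUNTS",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
}
SMS_SET = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
           "android.permission.SEND_SMS"}

# Signature-level permissions a component declares so that only the system can bind to it.
# Which of these are present tells you which privileged hooks the app is positioned to use.
BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}

# Constructed manifest (class names invented). It declares exactly the permissions and
# bind-protected components the report lists for sketch.arrange.wagon.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="sketch.arrange.wagon">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return requested dangerous permissions, bind-protected components and pattern findings."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(ANDROID_NS + "permission")
            if perm in BIND_PERMISSIONS:
                bound[perm] = comp.get(ANDROID_NS + "name")

    findings = []
    has_a11y = "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound
    if has_a11y and SMS_SET <= requested:
        findings.append("accessibility-service + full SMS control")
    if has_a11y and "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in bound:
        findings.append("accessibility-service + notification listener")
    if "android.permission.BIND_DEVICE_ADMIN" in bound:
        findings.append("device-admin receiver declared")
    return {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS),
        "bound_components": bound,
        "findings": findings,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against a manifest decoded with apktool or `aapt dump xmltree`; any single permission here is legitimate for some app, so the value is in the combination (accessibility binding together with the full SMS set), not in any one entry.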

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-27 02:12

Reported

2024-11-27 02:15

Platform

android-x64-arm64-20240624-en

Max time kernel

143s

Max time network

134s

Command Line

sketch.arrange.wagon

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Description | Indicator | Process | Target
(signature matched once; no description, indicator, process or target was recorded)

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
(signature matched 8 times; no description, indicator, process or target was recorded for any match)

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json | N/A | N/A
N/A | /data/user/0/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

sketch.arrange.wagon

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.179.238:443 | - | tcp
GB | 142.250.179.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | buralarneler.com | udp
GB | 142.250.187.196:443 | - | tcp
GB | 142.250.187.196:443 | - | tcp

Files

/data/user/0/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json

MD5 7d6265aefe05d8a8c3e4cee8c85c66a3
SHA1 42ee9332f80d4ac52382e9e7e273bb06e0abc6d3
SHA256 3efaccb2cba254ed20a5644e5929252d61be1f172cf04f531d11721214c81863
SHA512 b827b9d6a3322f6c73dea80d64283f49f016f65267ca9e57a1195e73ef660699ef81303ebff29e6b8ddc65c8131e228927fdee95158a0fa1c340b9d7b1aafca2

/data/user/0/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json

MD5 f8ed9b84f80bed871507a3f3868b18a6
SHA1 b0d7584fdc183695f61663fd81a4ec94f03bfb76
SHA256 231bb51310a9285f5d1e480eae6e9627a35c8710b4955dad01a2d0c675f7a8a2
SHA512 23b3d2962ec9d2139c4556599b0f61395f8de96dea4786b6cae2635a6014f48eaeb2392822bb7e8ba7c307e4f0cde396767b7caa0898aa369a946a66944fd4e0

/data/user/0/sketch.arrange.wagon/app_DynamicOptDex/oat/tElQ.json.cur.prof

MD5 3d7d52e879a29476a6f8b51732b64e51
SHA1 02898fba38dd6419fb5671805c7be15f0c2ccced
SHA256 a1290a7178c982067b922361aa43ef24c897552888da81fd4c505f87feb2c10d
SHA512 63b055953e3debd74f99f2f9c2cdda1cbe1f26bfe514f860c369580d90c6ccae0960cf1ff4eac2540b93a11a58f94bd50b44f535691374f8d1972cffe1c424c1

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 02:12

Reported

2024-11-27 02:15

Platform

android-x86-arm-20240624-en

Max time kernel

141s

Max time network

131s

Command Line

sketch.arrange.wagon

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Description | Indicator | Process | Target
(signature matched twice; no description, indicator, process or target was recorded for either match)

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
(signature matched once; no description, indicator, process or target was recorded)

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json | N/A | N/A
N/A | /data/user/0/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json | N/A | N/A
N/A | /data/user/0/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

sketch.arrange.wagon

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/sketch.arrange.wagon/app_DynamicOptDex/oat/x86/tElQ.odex --compiler-filter=quicken --class-loader-context=&
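The dex2oat line above is the runtime being handed the dropped file for compilation: --dex-file points at app_DynamicOptDex/tElQ.json, and the oat output lands beside it. The .json name is the point of the "Loads dropped Dex/Jar" signature: the file is loaded as code regardless of its extension, and within a single session the report records more than one SHA256 for that same path, so it is rewritten while the sample runs. The following added Python is not code from the report or the sample; it performs the two checks an analyst would run on a device pull and on the process log: identify a file by its magic bytes rather than its name and hash it for comparison with the values above, and parse a dex2oat command line for the compiled input. The bytes are synthetic (a DEX-style header plus zero padding, and a JSON document, not the sample's files), and the command line keeps only a subset of the arguments logged in behavioral1.

```python
"""Added example: triage of the 'Loads dropped Dex/Jar' indicators. Classifies a dropped
file by magic bytes regardless of extension, hashes it, and extracts the compile input
from a dex2oat command line. Not code from the report or the sample."""
import hashlib
import shlex
from pathlib import PurePosixPath

# Magic bytes of the containers ART loads through DexClassLoader and friends.
MAGICS = (
    (b"dex\n", "dex"),       # raw DEX, e.g. "dex\n035\0"
    (b"PK\x03\x04", "zip"),  # JAR/APK wrapping classes.dex
    (b"oat\n", "oat"),
    (b"vdex", "vdex"),
)
CODE_KINDS = {kind for _, kind in MAGICS}
CODE_EXTENSIONS = {".dex", ".jar", ".apk", ".zip", ".odex", ".oat", ".vdex"}
APP_PRIVATE_PREFIXES = ("/data/user/", "/data/data/")


def classify_payload(data):
    """Identify the container by magic bytes; the file name is deliberately ignored."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    if data.lstrip()[:1] in (b"{", b"["):
        return "json-like text"
    return "unknown"


def disguised_code(path, data):
    """True when the content is loadable code but the name says otherwise (tElQ.json)."""
    return (classify_payload(data) in CODE_KINDS
            and PurePosixPath(path).suffix.lower() not in CODE_EXTENSIONS)


def sha256_hex(data):
    """Hash for comparison with the SHA256 values listed in the report's Files sections."""
    return hashlib.sha256(data).hexdigest()


def parse_dex2oat(cmdline):
    """Pull input, output and filter out of a dex2oat invocation as logged by the sandbox."""
    info = {"dex_file": None, "oat_location": None, "compiler_filter": None}
    for arg in shlex.split(cmdline):
        for key in info:
            flag = "--" + key.replace("_", "-") + "="
            if arg.startswith(flag):
                info[key] = arg[len(flag):]
    dex = info["dex_file"] or ""
    info["app_private_input"] = dex.startswith(APP_PRIVATE_PREFIXES)
    info["non_code_extension"] = bool(dex) and PurePosixPath(dex).suffix.lower() not in CODE_EXTENSIONS
    return info


# Constructed inputs (not the sample's files). The command line keeps only the arguments
# from the behavioral1 process list that matter for this check.
FAKE_DEX = b"dex\n035\0" + bytes(0x70 - 8)   # synthetic header + zero padding
FAKE_JSON = b'{"config": 1}'
DROPPED_PATH = "/data/user/0/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json"
SAMPLE_DEX2OAT = (
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--dex-file=/data/user/0/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/sketch.arrange.wagon/app_DynamicOptDex/oat/x86/tElQ.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)


if __name__ == "__main__":
    print(DROPPED_PATH, "->", classify_payload(FAKE_DEX),
          "| disguised:", disguised_code(DROPPED_PATH, FAKE_DEX))
    print("sha256:", sha256_hex(FAKE_DEX))
    print(parse_dex2oat(SAMPLE_DEX2OAT))
```

On a real pull (`adb exec-out run-as sketch.arrange.wagon cat app_DynamicOptDex/tElQ.json` on a debuggable build, or a root shell) feed the bytes to classify_payload and compare sha256_hex with the Files sections; a mismatch against every listed value simply means you captured yet another generation of the rewritten file. dex2oat itself is benign system behaviour, so the detection value is in the combination of an app-private --dex-file path with a non-code extension, not in the process name.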

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.213.10:443 | - | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | buralarneler.com | udp

Files

/data/data/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json

MD5 7d6265aefe05d8a8c3e4cee8c85c66a3
SHA1 42ee9332f80d4ac52382e9e7e273bb06e0abc6d3
SHA256 3efaccb2cba254ed20a5644e5929252d61be1f172cf04f531d11721214c81863
SHA512 b827b9d6a3322f6c73dea80d64283f49f016f65267ca9e57a1195e73ef660699ef81303ebff29e6b8ddc65c8131e228927fdee95158a0fa1c340b9d7b1aafca2

/data/data/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json

MD5 f8ed9b84f80bed871507a3f3868b18a6
SHA1 b0d7584fdc183695f61663fd81a4ec94f03bfb76
SHA256 231bb51310a9285f5d1e480eae6e9627a35c8710b4955dad01a2d0c675f7a8a2
SHA512 23b3d2962ec9d2139c4556599b0f61395f8de96dea4786b6cae2635a6014f48eaeb2392822bb7e8ba7c307e4f0cde396767b7caa0898aa369a946a66944fd4e0

/data/user/0/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json

MD5 82122c210612b98b05a657ea5506bd68
SHA1 f50311acba07778954a9f487262437ad0f6a6ec7
SHA256 fd7c13f068e130ca0e06cf9160012bbeb9c7516823df15a8bed8cb03354dda63
SHA512 16723bf725cd3e18e59c7e3016cd595586a86c3c26c5c0b38bf720e2b9b27f6188ea1ff58c08f22109962edd28defbc218e8af9a9bd1ca8db4b82faf881a83fc

/data/data/sketch.arrange.wagon/app_DynamicOptDex/oat/tElQ.json.cur.prof

MD5 0c932ea0c50d2b1fa7a7562fa1dec00f
SHA1 7f860d9a68d860ff4436709d236893241bac040c
SHA256 ee47f8b531f1f07f92941800bb6102709ba8e052e05ae4b5aa3ddc90c89431dc
SHA512 6662e55c39eff9031b828f05e1276954bd5eeb25613d3bdba85de644e91adc48e23f091f732a9dd1c122d67159c4d94fd9b65ce4c4f4112454b377c6008a5e0a

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 02:12

Reported

2024-11-27 02:15

Platform

android-x64-20240624-en

Max time kernel

148s

Max time network

131s

Command Line

sketch.arrange.wagon

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Description | Indicator | Process | Target
(signature matched once; no description, indicator, process or target was recorded)

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
(signature matched 8 times; no description, indicator, process or target was recorded for any match)

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json | N/A | N/A
N/A | /data/user/0/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

sketch.arrange.wagon

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | buralarneler.com | udp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
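All three Network tables (behavioral3, behavioral1 and this one) have the same shape: one mDNS multicast row, DNS lookups and TLS connections for Google hostnames, and exactly one lookup of a non-Google name, buralarneler.com, which has no TCP row attributed to it in any of the three sessions. The TCP rows with no domain attached all sit in the same address ranges as the rows the report does attribute to android.apis.google.com and ssl.google-analytics.com. The following added Python, not code from the report, parses a Network table in the report's own flattened layout (three tokens means no domain was attributed, four means the third token is the domain) and separates lookups from the connections they led to. The embedded rows are copied from the behavioral3 table; the same parser works on the other two. Caveat: a lookup with no logged connection can mean the resolver returned nothing, the connection fell outside the 131-134 s network window, or the sample simply never got that far, so treat the result as a lead for the analyst, not as proof that the domain is a contacted C2.

```python
"""Added example: parse this report's flattened Network tables and separate DNS lookups
from the TCP connections they led to. Not code from the report."""

# Rows in the report's flattened layout, "Country Destination [Domain] Proto", copied from
# the behavioral3 Network table. The Domain column is blank on some rows.
BEHAVIORAL3_NETWORK = """\
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 buralarneler.com udp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
"""


def parse_rows(text):
    """Three tokens: no domain attributed. Four tokens: the third is the domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError(f"unexpected row layout: {line!r}")
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_dns_query(row):
    return row["proto"] == "udp" and row["port"] == 53 and row["domain"] is not None


def is_mdns(row):
    # Link-local multicast DNS is Android background noise, not sample-driven traffic.
    return row["host"] == "224.0.0.251" and row["port"] == 5353


def resolved_but_never_contacted(rows):
    """Domains the sample looked up that never appear on a TCP row in the same session."""
    queried = {r["domain"] for r in rows if is_dns_query(r)}
    contacted = {r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}
    return sorted(queried - contacted)


def unattributed_tcp_endpoints(rows):
    """TCP destinations the report could not tie to any hostname, deduplicated."""
    return sorted({f"{r['host']}:{r['port']}" for r in rows
                   if r["proto"] == "tcp" and r["domain"] is None and not is_mdns(r)})


if __name__ == "__main__":
    rows = parse_rows(BEHAVIORAL3_NETWORK)
    print("resolved, never contacted:", resolved_but_never_contacted(rows))
    print("unattributed TCP endpoints:", unattributed_tcp_endpoints(rows))
```

The unattributed endpoints are worth a second look only if they fall outside the ranges the report already ties to Google hostnames; here they do not, which leaves buralarneler.com as the one indicator from the network view that is not explained by platform traffic.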

Files

/data/data/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json

MD5 7d6265aefe05d8a8c3e4cee8c85c66a3
SHA1 42ee9332f80d4ac52382e9e7e273bb06e0abc6d3
SHA256 3efaccb2cba254ed20a5644e5929252d61be1f172cf04f531d11721214c81863
SHA512 b827b9d6a3322f6c73dea80d64283f49f016f65267ca9e57a1195e73ef660699ef81303ebff29e6b8ddc65c8131e228927fdee95158a0fa1c340b9d7b1aafca2

/data/data/sketch.arrange.wagon/app_DynamicOptDex/tElQ.json

MD5 f8ed9b84f80bed871507a3f3868b18a6
SHA1 b0d7584fdc183695f61663fd81a4ec94f03bfb76
SHA256 231bb51310a9285f5d1e480eae6e9627a35c8710b4955dad01a2d0c675f7a8a2
SHA512 23b3d2962ec9d2139c4556599b0f61395f8de96dea4786b6cae2635a6014f48eaeb2392822bb7e8ba7c307e4f0cde396767b7caa0898aa369a946a66944fd4e0

/data/data/sketch.arrange.wagon/app_DynamicOptDex/oat/tElQ.json.cur.prof

MD5 1413282e171b01aa034f1ddfa4a8b917
SHA1 4693cd412307bf87842aad27a571c497bf115970
SHA256 096cdff49337a024ccfad671f31752226c1590203f6d8f2dbedbd74b4aa2fe50
SHA512 eacbb014c4ac25d0c8cf53ffda1018402fa05cfa3aac7eee4fae28224fe18ecf6e945098189d24f279cf11c54d4901d6472becc2c3e614de5ebb24b5c7108e7e