Malware Analysis Report

2025-01-19 05:13

Sample ID 241204-11f4matmds
Target 0e8082b726164376cc6eb6cc013fa8e4d6400960949ac3805cb40af93d725d73.bin
SHA256 0e8082b726164376cc6eb6cc013fa8e4d6400960949ac3805cb40af93d725d73
Tags: alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

0e8082b726164376cc6eb6cc013fa8e4d6400960949ac3805cb40af93d725d73

Threat Level: Known bad

The file 0e8082b726164376cc6eb6cc013fa8e4d6400960949ac3805cb40af93d725d73.bin was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Alienbot family

Alienbot

Cerberus

Cerberus payload

Cerberus family

Removes its main activity from the application launcher

Queries account information for other applications stored on the device

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-04 22:06

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
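The three static signatures above are derived purely from the manifest: which runtime ("dangerous") permissions the app requests, and which services and receivers are declared with a system-only bind permission. The following is an added example (not the sandbox's rule set, and not code from the report) that reproduces those checks over a decoded AndroidManifest.xml, such as the one apktool writes out. The sample manifest is constructed for the demonstration using the package name and permission names the report lists; the component class names (.AccService, .NotifService, .AdminReceiver) are hypothetical. The "banker_profile" heuristic at the end is the example's own combination rule, not a signature the sandbox publishes.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr: str) -> str:
    """Namespace-qualified key for an android:attr as ElementTree exposes it."""
    return f"{{{ANDROID_NS}}}{attr}"


# Runtime ("dangerous") permissions: the ten from the report plus a few others of
# the same protection level that bankers commonly request. This list is the
# example's assumption, not the sandbox's.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.GET_ACCOUNTS", "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE", "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.CALL_PHONE",
    "android.permission.READ_CALL_LOG", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}
SMS_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
}
# Bind permissions only the system holds; a component declaring one is offering
# itself to the framework (accessibility, notification listener, device admin).
SYSTEM_BIND_SERVICE = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}
SYSTEM_BIND_RECEIVER = {"android.permission.BIND_DEVICE_ADMIN"}


def audit_manifest(manifest_xml: str) -> dict:
    """Return the static findings for a decoded manifest, keyed by the same
    signature titles the report uses, plus the example's own banker heuristic."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(_a("name")) for e in root.iter("uses-permission")} - {None}
    service_perms = {e.get(_a("permission")) for e in root.iter("service")} - {None}
    receiver_perms = {e.get(_a("permission")) for e in root.iter("receiver")} - {None}

    findings = {}
    if requested & DANGEROUS_PERMISSIONS:
        findings["Requests dangerous framework permissions"] = sorted(requested & DANGEROUS_PERMISSIONS)
    if service_perms & SYSTEM_BIND_SERVICE:
        findings["Declares services with permission to bind to the system"] = sorted(
            service_perms & SYSTEM_BIND_SERVICE)
    if receiver_perms & SYSTEM_BIND_RECEIVER:
        findings["Declares broadcast receivers with permission to handle system events"] = sorted(
            receiver_perms & SYSTEM_BIND_RECEIVER)

    # Example heuristic (assumption, not a sandbox rule): an accessibility service
    # plus SMS access plus a device-admin receiver is the classic overlay-banker
    # profile (UI automation, OTP theft, uninstall resistance).
    findings["banker_profile"] = (
        "android.permission.BIND_ACCESSIBILITY_SERVICE" in service_perms
        and bool(requested & SMS_PERMISSIONS)
        and "android.permission.BIND_DEVICE_ADMIN" in receiver_perms
    )
    return findings


# Constructed sample manifest for the demonstration (component names hypothetical).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for title, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{title}: {value}")
```

Run it against the output of `apktool d sample.apk` (the decoded `AndroidManifest.xml`); a binary manifest straight out of the APK must be decoded first, since this parser expects text XML.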

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-04 22:06

Reported

2024-12-04 22:09

Platform

android-x86-arm-20240624-en

Max time kernel

146s

Max time network

152s

Command Line

msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

2 hits; no description, indicator, process or target recorded.

Removes its main activity from the application launcher

stealth trojan evasion
1 hit; no description, indicator, process or target recorded.

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json N/A N/A
N/A /data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json N/A N/A
N/A /data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/oat/x86/jeSk.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 servicesc.xyz udp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp

Files

/data/data/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json

MD5 a974446e49181fbf30c4614737abc596
SHA1 42a9e894f2652854067d90ddaa3adafee7967dc7
SHA256 3687b59d4b8a3ecaa164f5f04301303ce0192fdc2c296df20b3dc209cc3d2776
SHA512 dfa34829c2271969d7ae9a9ea67371abac312fc0db6518b43b2ff69dc8aa3c1532f2f0d3e51c130699301be6c28b363a4f1f11f040d3f1e27ed1ef194d11e060

/data/data/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json

MD5 076e71f327de667a8c616f0ad4dae1ba
SHA1 171b0aaab6aa53e564c5328ee1af5fb416327399
SHA256 83c6d3e8bef45f67a9dcdc5f648cea621fb08d45da0421fbb383b14187cc1042
SHA512 0f2ddab6850803912b2c05fb960e8d8e5c2effc047321e28e54bef6194750be8625c0670fbd48c83ca03e901cb35a0bb200d19b199a64206ee7383d09613ff0a

/data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json

MD5 3cfd841eac1058a4c2df47a1c435d569
SHA1 3f1218886b299865b2771268aa94912081d94dc2
SHA256 88ef3054f5630599b9753e4bbcdc53c93994ed359d4b0927e4af4fc80b3a43bb
SHA512 d5cde63c63ff22b57207715d1b116bb88a2c6cfb212da8a0fdcee047919d0607a75c2ef5ea03f9368c0b82082ab889f261d515e87aa2401c9cf1eefd92abeb25

/data/data/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/oat/jeSk.json.cur.prof

MD5 a24b251172c427a236368a29223ff62f
SHA1 5bced4e7fad539fb66c328d27e7b444f316e916b
SHA256 75864c71741705c1183f964acc1a4153f336c8ab6c91b83c10f7b8b778204379
SHA512 5644b87f4bf6a3eebeb611760b79ddc1edf045ef73c0cbfebe023d1ad296dfaab8ee432dee8aa004545a988a16c9fc2f97239dc9b01328f29278c15f647dc26b
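The "Loads dropped Dex/Jar" signature and the dex2oat command line above both point at a file named jeSk.json under app_DynamicOptDex, and the Files table lists three different hash sets for that one path, so its contents were rewritten during the run (note also that /data/data/<pkg> and /data/user/0/<pkg> are the same directory on a single-user device, the former being a symlink). Before pulling such a file into a decompiler, a practitioner wants to confirm that the ".json" really is a DEX and to record its hashes against the table. The following is an added example, not code from the report or the sandbox: it validates the DEX header the way the runtime does (magic, endian tag, Adler-32 checksum, SHA-1 signature) and walks a pulled directory for code hiding behind non-code extensions. The header-only DEX it builds is constructed for the demonstration and is not the sample's jeSk.json.

```python
import hashlib
import os
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
REVERSE_ENDIAN_CONSTANT = 0x78563412
# Extensions under which DEX content is expected; anything else is "disguised".
CODE_EXTENSIONS = {"dex", "jar", "apk", "zip", "odex", "vdex"}


def parse_dex_header(data: bytes):
    """Parse the 0x70-byte DEX header. Returns a dict of fields and integrity
    results, or None if the buffer does not start with a DEX header."""
    if len(data) < DEX_HEADER_SIZE or data[:4] != DEX_MAGIC_PREFIX or data[7] != 0:
        return None
    version = data[4:7].decode("ascii", "replace")          # e.g. "035"
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if endian_tag not in (ENDIAN_CONSTANT, REVERSE_ENDIAN_CONSTANT):
        return None
    body = data[:file_size]
    return {
        "version": version,
        "file_size": file_size,
        "header_size": header_size,
        "size_ok": file_size == len(data),
        # checksum: Adler-32 over everything after the checksum field
        "checksum_ok": (zlib.adler32(body[12:]) & 0xFFFFFFFF) == checksum,
        # signature: SHA-1 over everything after the signature field
        "signature_ok": hashlib.sha1(body[32:]).digest() == signature,
    }


def file_hashes(data: bytes) -> dict:
    """The four digests the report's Files table records."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256", "sha512")}


def is_disguised_dex(filename: str, data: bytes) -> bool:
    """True when a file whose name does not look like code carries a DEX header."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in CODE_EXTENSIONS and parse_dex_header(data) is not None


def find_disguised_dex(root_dir: str):
    """Walk a pulled directory (e.g. an app_DynamicOptDex tree) and yield
    (path, hashes) for every non-code-named file that is really a DEX."""
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if is_disguised_dex(name, data):
                yield path, file_hashes(data)


def build_sample_dex() -> bytes:
    """Constructed header-only DEX for the demonstration. It is NOT the
    sample's jeSk.json and contains no classes; all section counts are zero."""
    buf = bytearray(DEX_HEADER_SIZE)
    buf[0:8] = b"dex\n035\0"
    struct.pack_into("<III", buf, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    buf[12:32] = hashlib.sha1(bytes(buf[32:])).digest()              # signature first
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)  # then checksum
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_dex()
    print("disguised:", is_disguised_dex("jeSk.json", sample))
    print(parse_dex_header(sample))
    print(file_hashes(sample)["sha256"])
```

After `adb pull /data/user/0/<pkg>/app_DynamicOptDex` from a rooted analysis device, `find_disguised_dex("app_DynamicOptDex")` lists every file worth feeding to a DEX decompiler together with the digests to cross-reference with the Files table; a header whose checksum or signature fails is either truncated (a partial pull) or deliberately mangled, and should be fixed or noted before decompilation.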

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-04 22:06

Reported

2024-12-04 22:09

Platform

android-x64-20240910-en

Max time kernel

149s

Max time network

156s

Command Line

msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

1 hit; no description, indicator, process or target recorded.

Removes its main activity from the application launcher

stealth trojan evasion
7 hits; no description, indicator, process or target recorded.

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json N/A N/A
N/A /data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 tcp
GB 142.250.180.14:443 tcp
GB 216.58.212.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 172.217.169.74:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 servicesc.xyz udp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp

Files

/data/data/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json

MD5 a974446e49181fbf30c4614737abc596
SHA1 42a9e894f2652854067d90ddaa3adafee7967dc7
SHA256 3687b59d4b8a3ecaa164f5f04301303ce0192fdc2c296df20b3dc209cc3d2776
SHA512 dfa34829c2271969d7ae9a9ea67371abac312fc0db6518b43b2ff69dc8aa3c1532f2f0d3e51c130699301be6c28b363a4f1f11f040d3f1e27ed1ef194d11e060

/data/data/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json

MD5 076e71f327de667a8c616f0ad4dae1ba
SHA1 171b0aaab6aa53e564c5328ee1af5fb416327399
SHA256 83c6d3e8bef45f67a9dcdc5f648cea621fb08d45da0421fbb383b14187cc1042
SHA512 0f2ddab6850803912b2c05fb960e8d8e5c2effc047321e28e54bef6194750be8625c0670fbd48c83ca03e901cb35a0bb200d19b199a64206ee7383d09613ff0a

/data/data/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/oat/jeSk.json.cur.prof

MD5 0684c2b92ec9f3b3bbb6e8d249cc0968
SHA1 4db21b52e6aca05113cf871dba93392bfd19d2ab
SHA256 1669a85385fce88f5f27c39ef9df853119f13b8e31b10dfbacd33cedf185de58
SHA512 dd7c5b46dc812d2eda0e16dde8721a769b620aaa6e89d7f67ada32b2ce7cf34f3ceae83d36631d18768317764ce7a824c0988968b992813898eab388aa2ba331

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-04 22:06

Reported

2024-12-04 22:09

Platform

android-x64-arm64-20240910-en

Max time kernel

138s

Max time network

154s

Command Line

msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

1 hit; no description, indicator, process or target recorded.

Removes its main activity from the application launcher

stealth trojan evasion
8 hits; no description, indicator, process or target recorded.

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json N/A N/A
N/A /data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 172.217.169.78:443 www.youtube.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
US 216.239.32.223:443 tcp
US 1.1.1.1:53 servicesc.xyz udp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp
GB 142.250.187.193:443 tcp
GB 142.250.187.225:443 tcp
US 216.239.32.223:443 tcp
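The Network tables of all three detonations mix emulator background traffic (Google services, mDNS) with the sample's own activity, and the Domain column is only present on rows the sandbox could attribute, so the flattened rows have either three or four fields. The following is an added example, not part of the report or the sandbox, that parses rows in that layout and separates DNS-only lookups (resolved but never connected to within the run), attributed connections, unattributed IP-only connections and local multicast, then lists the domains that fall outside a background allowlist for review. The allowlist is the example's assumption; the sample rows are copied from the behavioral1 table above.

```python
import ipaddress

# Infrastructure an Android emulator contacts on its own. Treating it as noise is
# the example's assumption, not a judgement the sandbox makes.
BACKGROUND_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com", "youtube.com")


def parse_row(line: str) -> dict:
    """Parse one 'Country Destination [Domain] Proto' row; Domain is optional."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row layout: {line!r}")
    host, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ipaddress.ip_address(host),
            "port": int(port), "domain": domain, "proto": proto}


def is_background(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def triage_report(lines) -> dict:
    """Bucket the rows of one detonation's Network table."""
    rows = [parse_row(l) for l in lines if l.strip() and not l.startswith("Country")]
    is_dns = lambda r: r["proto"] == "udp" and r["port"] == 53
    queried = {r["domain"] for r in rows if is_dns(r) and r["domain"]}
    connected = {r["domain"] for r in rows if not is_dns(r) and r["domain"]}
    return {
        # resolved but no follow-up connection captured in the run window
        "dns_only": sorted(queried - connected),
        "connected": sorted(connected),
        # connections the sandbox could not tie to a name (no preceding lookup seen)
        "unattributed_ips": sorted({str(r["ip"]) for r in rows
                                    if r["domain"] is None and not r["ip"].is_multicast}),
        # mDNS and similar link-local chatter, not exfiltration
        "local_multicast": sorted({f'{r["ip"]}:{r["port"]}' for r in rows if r["ip"].is_multicast}),
        "review": sorted(d for d in queried | connected if not is_background(d)),
    }


# Rows copied from the behavioral1 Network table above (sample input).
SAMPLE_ROWS = """Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 servicesc.xyz udp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp""".splitlines()


if __name__ == "__main__":
    for bucket, items in triage_report(SAMPLE_ROWS).items():
        print(f"{bucket}: {items}")
```

On the behavioral1 rows this leaves two names for review: servicesc.xyz, which is resolved in every run but never connected to inside the capture window, and t.me, which is reached over TLS at 149.154.167.99. Both are worth a block or a detection rule, and the DNS-only result is the caveat: a sandbox's network table only shows what happened in roughly 150 seconds, so a resolved-but-uncontacted domain is still an indicator, not evidence of a dead C2.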

Files

/data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json

MD5 a974446e49181fbf30c4614737abc596
SHA1 42a9e894f2652854067d90ddaa3adafee7967dc7
SHA256 3687b59d4b8a3ecaa164f5f04301303ce0192fdc2c296df20b3dc209cc3d2776
SHA512 dfa34829c2271969d7ae9a9ea67371abac312fc0db6518b43b2ff69dc8aa3c1532f2f0d3e51c130699301be6c28b363a4f1f11f040d3f1e27ed1ef194d11e060

/data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json

MD5 076e71f327de667a8c616f0ad4dae1ba
SHA1 171b0aaab6aa53e564c5328ee1af5fb416327399
SHA256 83c6d3e8bef45f67a9dcdc5f648cea621fb08d45da0421fbb383b14187cc1042
SHA512 0f2ddab6850803912b2c05fb960e8d8e5c2effc047321e28e54bef6194750be8625c0670fbd48c83ca03e901cb35a0bb200d19b199a64206ee7383d09613ff0a

/data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/oat/jeSk.json.cur.prof

MD5 c7b038a936ca29457011af5a9546b305
SHA1 7aeafa9b670a7465fe82e6f9cef7913dbda8d5a7
SHA256 7cd89310143e151de94bc850120fafbbfd1514a073e760d59748890a4e35441d
SHA512 d868b0253436719a0fb18df3fd4f67c3ccd741bf1bd084b868642d44ac9a80aee9f46b82f2f49fe30011c96ac494def784ba6fa1ccac608e8ce08e42aeb1fc55