Malware Analysis Report

2025-01-19 05:13

Sample ID 241206-cdjn8stqes
Target ca7aec7eacd0f2820c73bf0a9523a382_JaffaCakes118
SHA256 fb38636d1afb7c6df603ac4f441de7fd3d01c79c97577a5aca0afef8b2b8041b
Tags
alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb38636d1afb7c6df603ac4f441de7fd3d01c79c97577a5aca0afef8b2b8041b

Threat Level: Known bad

The file ca7aec7eacd0f2820c73bf0a9523a382_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Alienbot family

Cerberus

Cerberus family

Cerberus payload

Alienbot

Removes its main activity from the application launcher

Queries account information for other applications stored on the device

Checks Android system properties for emulator presence.

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background).

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 01:57

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-06 01:57

Reported

2024-12-06 02:00

Platform

android-x64-arm64-20240624-en

Max time kernel

145s

Max time network

135s

Command Line

rival.draft.pupil

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/rival.draft.pupil/app_DynamicOptDex/jF.json | N/A | N/A
N/A | /data/user/0/rival.draft.pupil/app_DynamicOptDex/jF.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

rival.draft.pupil

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 216.58.213.10:443 | | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 216.58.213.10:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | rareqtereqqer.sbs | udp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/user/0/rival.draft.pupil/app_DynamicOptDex/jF.json

MD5 372fe4205030dca83c8453cbc6633105
SHA1 18a41d36fd758d7bd2801ee23e64930d10303386
SHA256 29cec6cce0a502bc5a845616360f78af53bc0304b73a69f0fe848f1a685a4114
SHA512 5abd2caeaa1d77f38f3de0156d4e518082e5f4547e2349e63643e89252c60ac8904987836b73af4be41b5b18d5858da828a772c37fa404db610d190a5e244730

/data/user/0/rival.draft.pupil/app_DynamicOptDex/jF.json

MD5 a1b9e4ea8a4cf58351b9f2871e4b1b74
SHA1 a4b02aced8993dbbafc61082fa64c58c21bc75df
SHA256 d1201aa63a020b6a9fdecb1c220653ebf6c7440d64bc113ec88c9885a3d6f979
SHA512 0286706372cc120cd2ba5e7509e439192f4e1699ab412c91c6b5677dd170c08253d88f6548fb23c2ffcc4ca924f405cf21c6d898eda93d87a6935557e26a761e

/data/user/0/rival.draft.pupil/app_DynamicOptDex/oat/jF.json.cur.prof

MD5 ec10176162a7aa491834914baa1bc463
SHA1 b85f1f45032b5902a4fb351cc2f5b712f1081e0c
SHA256 b7f8a29bdc3018a1d1c25dcdb8b59f06ab268a730263ddb73ee7fe3ae7f71877
SHA512 90be2deeade3fc816512d93f3b0f9495f142d79f7b7a20083819bf2048cef7e94fb10d6f180b32b307a8a85bad6916215222a4b99f19086ea9a48d3ad7e82ac9

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 01:57

Reported

2024-12-06 02:00

Platform

android-x86-arm-20240624-en

Max time kernel

139s

Max time network

137s

Command Line

rival.draft.pupil

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key: | ro.product.model | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/rival.draft.pupil/app_DynamicOptDex/jF.json | N/A | N/A
N/A | /data/user/0/rival.draft.pupil/app_DynamicOptDex/jF.json | N/A | N/A
N/A | /data/user/0/rival.draft.pupil/app_DynamicOptDex/jF.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

rival.draft.pupil

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/rival.draft.pupil/app_DynamicOptDex/jF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/rival.draft.pupil/app_DynamicOptDex/oat/x86/jF.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.74:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | rareqtereqqer.sbs | udp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/rival.draft.pupil/app_DynamicOptDex/jF.json

MD5 372fe4205030dca83c8453cbc6633105
SHA1 18a41d36fd758d7bd2801ee23e64930d10303386
SHA256 29cec6cce0a502bc5a845616360f78af53bc0304b73a69f0fe848f1a685a4114
SHA512 5abd2caeaa1d77f38f3de0156d4e518082e5f4547e2349e63643e89252c60ac8904987836b73af4be41b5b18d5858da828a772c37fa404db610d190a5e244730

/data/data/rival.draft.pupil/app_DynamicOptDex/jF.json

MD5 a1b9e4ea8a4cf58351b9f2871e4b1b74
SHA1 a4b02aced8993dbbafc61082fa64c58c21bc75df
SHA256 d1201aa63a020b6a9fdecb1c220653ebf6c7440d64bc113ec88c9885a3d6f979
SHA512 0286706372cc120cd2ba5e7509e439192f4e1699ab412c91c6b5677dd170c08253d88f6548fb23c2ffcc4ca924f405cf21c6d898eda93d87a6935557e26a761e

/data/user/0/rival.draft.pupil/app_DynamicOptDex/jF.json

MD5 431ce2bea7ebdc4ebfe84b81557a8b9c
SHA1 2321563c7a46eb36c39a9e4b54f50116a97f66c7
SHA256 7b89a8db5da49088f4d2b3e07cca851f266a39e1cb7850a856aa1eec0de1aecc
SHA512 3eb1f1b80091eb6f45bd90daa802a548240e6056c2cbd22aeb1b0ac172fa6f553baf41fc76e119fa72f8378e85ae92c6be38b6679303ebae60ccf469acd8b413

/data/data/rival.draft.pupil/app_DynamicOptDex/oat/jF.json.cur.prof

MD5 ffe2445029c5b005bfed67395e820cd2
SHA1 23ddf38a1c0bd5338eb63fd9e59f464f032175d6
SHA256 fbc256cf2958ef6a8e4615fd3fedc0e0b543a6723ad2a0960ecaa45309f0402c
SHA512 90fe74b57cba12702296ef1e817f9c6a82362e3c1c7dcd4e9a10d15eee230b4f3405c8f8eff2d6cd9166bf00ad5a5df5f9d9a2e0d5b267fee107894e1b8b2f4c

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 01:57

Reported

2024-12-06 02:00

Platform

android-x64-20240624-en

Max time kernel

145s

Max time network

155s

Command Line

rival.draft.pupil

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/rival.draft.pupil/app_DynamicOptDex/jF.json | N/A | N/A
N/A | /data/user/0/rival.draft.pupil/app_DynamicOptDex/jF.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

rival.draft.pupil

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | rareqtereqqer.sbs | udp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 216.58.201.98:443 | | tcp
GB | 172.217.169.46:443 | | tcp

Files

/data/data/rival.draft.pupil/app_DynamicOptDex/jF.json

MD5 372fe4205030dca83c8453cbc6633105
SHA1 18a41d36fd758d7bd2801ee23e64930d10303386
SHA256 29cec6cce0a502bc5a845616360f78af53bc0304b73a69f0fe848f1a685a4114
SHA512 5abd2caeaa1d77f38f3de0156d4e518082e5f4547e2349e63643e89252c60ac8904987836b73af4be41b5b18d5858da828a772c37fa404db610d190a5e244730

/data/data/rival.draft.pupil/app_DynamicOptDex/jF.json

MD5 a1b9e4ea8a4cf58351b9f2871e4b1b74
SHA1 a4b02aced8993dbbafc61082fa64c58c21bc75df
SHA256 d1201aa63a020b6a9fdecb1c220653ebf6c7440d64bc113ec88c9885a3d6f979
SHA512 0286706372cc120cd2ba5e7509e439192f4e1699ab412c91c6b5677dd170c08253d88f6548fb23c2ffcc4ca924f405cf21c6d898eda93d87a6935557e26a761e

/data/data/rival.draft.pupil/app_DynamicOptDex/oat/jF.json.cur.prof

MD5 7cc11b03992486a4b65bc8c12cc6c2ad
SHA1 3c8e733714d84dba85c2e91b8aab2dc1b4658e4d
SHA256 55e0dca78d14fd1be6d7c6d99043900bc38883965dfe3d3482d2135f4032c02f
SHA512 c862538876c8594f4a5a2c8e00041df7ac8508581255100671f1c221746005f30d7761762762ed2e8aee15f61603f559eeb4d035c75b9f020c3c3e27d4ccdf9a