Malware Analysis Report

2025-01-19 05:13

Sample ID 241208-rqmzrawlcz
Target d780257e0bb666be027137b631af1c12_JaffaCakes118
SHA256 617ec2c8e213b27bee59716033fe62074986872d31c30376dceb7e737e3533f6
Tags
alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

617ec2c8e213b27bee59716033fe62074986872d31c30376dceb7e737e3533f6

Threat Level: Known bad

The file d780257e0bb666be027137b631af1c12_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Cerberus family

Cerberus

Alienbot

Cerberus payload

Alienbot family

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries account information for other applications stored on the device

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Requests that the user enable its accessibility service (opens the Accessibility settings screen)

Requests dangerous framework permissions

Requests exemption from battery optimizations (often used so the app can keep running unnoticed in the background)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-08 14:23

Signatures

Declares broadcast receivers with permission to handle system events

Indicator (Process: N/A, Target: N/A) and description:
android.permission.BIND_DEVICE_ADMIN
    Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator (Process: N/A, Target: N/A) and description:
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
    Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.
android.permission.BIND_ACCESSIBILITY_SERVICE
    Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions

Indicator (Process: N/A, Target: N/A) and description:
android.permission.READ_EXTERNAL_STORAGE
    Allows an application to read from external storage.
android.permission.CALL_PHONE
    Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_PHONE_STATE
    Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SEND_SMS
    Allows an application to send SMS messages.
android.permission.READ_SMS
    Allows an application to read SMS messages.
android.permission.RECORD_AUDIO
    Allows an application to record audio.
android.permission.WRITE_EXTERNAL_STORAGE
    Allows an application to write to external storage.
android.permission.RECEIVE_SMS
    Allows an application to receive SMS messages.
android.permission.GET_ACCOUNTS
    Allows access to the list of accounts in the Accounts Service.
android.permission.READ_CONTACTS
    Allows an application to read the user's contacts data.
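The static1 table above is a permission set, and the combination matters more than any single entry: services guarded by BIND_ACCESSIBILITY_SERVICE, BIND_NOTIFICATION_LISTENER_SERVICE and BIND_DEVICE_ADMIN together with SMS, telephony and account permissions is the profile a banking trojan needs (read and drive other apps' UI, capture OTP notifications, resist uninstall, intercept and send SMS). The script below is an added triage example, not sandbox output or Cerberus/Alienbot code. It reads a decoded AndroidManifest.xml (as apktool produces; that decoding step is assumed), collects the requested permissions and the permission each service or receiver is guarded by, and scores the combination. The two sample manifests are constructed, the banker one mirroring the static1 table, and the weights are the author's own heuristic, not a vendor scoring scheme.

```python
"""Triage a decoded AndroidManifest.xml for the permission profile of a banking trojan.

Added example for this report; not sandbox output and not the malware's code.
Weights are an analyst heuristic, not a vendor score.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Component-level permissions that only the system holds. Declaring one on a
# service/receiver means "let the framework bind to me". Each is legitimate on
# its own; combined with the runtime permissions below they form the banker profile.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "reads and drives other apps' UI",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "reads notifications (OTP codes)",
    "android.permission.BIND_DEVICE_ADMIN": "device admin (resists uninstall)",
}

# Runtime ("dangerous") permissions grouped by what a banker uses them for.
DANGEROUS_GROUPS = {
    "sms": {"android.permission.SEND_SMS", "android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "telephony": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE"},
    "identity": {"android.permission.GET_ACCOUNTS", "android.permission.READ_CONTACTS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE"},
    "audio": {"android.permission.RECORD_AUDIO"},
}


def _a(elem, name):
    """Read an android:-namespaced attribute (None when absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def parse_manifest(xml_text):
    """Return the package name, requested permissions, and the permission guarding each component."""
    root = ET.fromstring(xml_text)
    uses = {_a(e, "name") for e in root.iter("uses-permission") if _a(e, "name")}
    guarded = {}
    for comp in root.iter():
        if comp.tag in ("service", "receiver") and _a(comp, "permission"):
            guarded[_a(comp, "name")] = _a(comp, "permission")
    return {"package": root.get("package"), "uses": uses, "guarded": guarded}


def triage(info):
    """Score 0-10: 3 per bind permission, 1 per dangerous group, +2 for SMS and telephony on top of a bind."""
    binds = sorted(set(info["guarded"].values()) & set(BIND_PERMS))
    groups = sorted(g for g, members in DANGEROUS_GROUPS.items() if info["uses"] & members)
    score = 3 * len(binds) + len(groups)
    if binds and "sms" in groups and "telephony" in groups:
        score += 2
    return {"binds": binds, "groups": groups, "score": min(score, 10)}


# Constructed manifest reproducing the permissions listed in the static1 table.
BANKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="celery.roast.lawn">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".Acc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Ntf" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Adm" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed benign comparison: a file viewer with storage access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for xml_text in (BANKER_MANIFEST, BENIGN_MANIFEST):
        info = parse_manifest(xml_text)
        print(info["package"], triage(info))
```

The bind permissions carry most of the weight on purpose: a benign app rarely needs more than one of them, while the runtime permissions alone (storage, contacts) are common in legitimate software. The sample that mirrors this report saturates the score; the viewer scores 1.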

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-08 14:23

Reported

2024-12-08 14:26

Platform

android-x64-20240624-en

Max time kernel

148s

Max time network

131s

Command Line

celery.roast.lawn

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Description Indicator Process Target
(1 match; no indicator details recorded)

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
(7 matches; no indicator details recorded)

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/celery.roast.lawn/app_DynamicOptDex/NoT.json N/A N/A
N/A /data/user/0/celery.roast.lawn/app_DynamicOptDex/NoT.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

celery.roast.lawn

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 142.250.179.228:443 N/A tcp
GB 142.250.179.228:443 N/A tcp

Files

/data/data/celery.roast.lawn/app_DynamicOptDex/NoT.json

MD5 fd1c11559069001113f00baf3b81717b
SHA1 6834680054e2ee069be932b5eec33c469519f93a
SHA256 b8228ec2ce0101f67710a73cb627a9a91c287626fd014f5aad787f7d8cdd0aa0
SHA512 5db6210662f3cfcd7f3a129de9089c9cd9e86478ec557d48eae4eae8d6ff7f830cc2813199336be9edc3c09f9e2c003b85d5674bbd6a4443a5378abfea03160c

/data/data/celery.roast.lawn/app_DynamicOptDex/NoT.json

MD5 142b5cd973e8a5b0d4201c58f9918c1e
SHA1 5c91a1f3ed47a4d725213e7cf81ee5438a9766a3
SHA256 cd7bf34bc3afc3e969f844ba7bd3a4b1ee259c6c748e9e3777efb4cd9996b91c
SHA512 7ea4ea6cd28b6c4805ae338f2bf7f35899a8ffabf1564a5612b615600bc41ed1a8c2866365c32f58d07fd2b9a2b2538610654bace271c666a2f4044a7c1c122a

/data/data/celery.roast.lawn/app_DynamicOptDex/oat/NoT.json.cur.prof

MD5 22544f9ba0aba95aa2476966814419e2
SHA1 baca2cc1b1f19b574c233f8693b9472869ce480d
SHA256 e99ed616f9b1b4a6104c1efe1f364b7f942c42fd5580952acb927942639212b5
SHA512 851dc9c8e857943def843affdac30fa4ace4848e7c7cc78a39a0f4499f21f5cd17932aaf172270f4fb8b60f2468f4e7a7b607398f7bba592f274b8995f110ee7
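In all three detonations the second stage is written to app_DynamicOptDex/NoT.json and then loaded as a DEX (the behavioral1 process list shows dex2oat compiling that exact path), so the .json name is cover and the file hashes above are the actionable indicators; the network tables show only mDNS, Cloudflare DNS and Google service endpoints, so no C2 channel was captured in these runs. A triage check should therefore identify loadable code by file magic rather than extension and hash what it finds for comparison with the SHA256 values listed. The script below is an added example, not part of the sandbox report, and runs over a constructed stand-in for the app data directory: the NoT.json it writes carries only a DEX header (magic "dex\n035\0" plus zero filler), and the .cur.prof content is an approximate ART profile header, so only the header check matters.

```python
"""Find dropped DEX/JAR payloads by file magic, ignoring the extension.

Added example for this report; not sandbox output and not the malware's code.
"""
import hashlib
import os
import tempfile

DEX_MAGIC = b"dex\n"       # full magic is b"dex\n" + 3-digit version + NUL, e.g. b"dex\n035\x00"
ZIP_MAGIC = b"PK\x03\x04"  # a dropped .jar/.apk with a classes.dex inside
CODE_EXTS = (".dex", ".jar", ".apk", ".zip")


def classify(data: bytes) -> str:
    """Return 'dex', 'zip' or 'other' from the first bytes of a file."""
    if data[:4] == DEX_MAGIC and data[4:7].isdigit() and data[7:8] == b"\x00":
        return "dex"
    if data[:4] == ZIP_MAGIC:
        return "zip"
    return "other"


def scan_app_dir(root: str) -> list:
    """Walk an extracted /data/data/<pkg> tree; report every loadable code file with its SHA256."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            kind = classify(data)
            if kind == "other":
                continue
            findings.append({
                "path": os.path.relpath(path, root),
                "kind": kind,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                # the interesting case: code hiding behind a data-file extension
                "ext_mismatch": not name.lower().endswith(CODE_EXTS),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree() -> str:
    """Constructed stand-in for the app data directory seen in the report (header-only files)."""
    root = tempfile.mkdtemp(prefix="celery.roast.lawn_")
    opt = os.path.join(root, "app_DynamicOptDex")
    os.makedirs(os.path.join(opt, "oat"))
    # DEX header only: magic + version, then zero filler where checksum/signature/header would be
    with open(os.path.join(opt, "NoT.json"), "wb") as fh:
        fh.write(b"dex\n035\x00" + b"\x00" * 0x68)
    # approximate ART profile header (constructed); profiles are not loadable code
    with open(os.path.join(opt, "oat", "NoT.json.cur.prof"), "wb") as fh:
        fh.write(b"pro\x00010\x00")
    with open(os.path.join(root, "prefs.xml"), "wb") as fh:
        fh.write(b"<map/>")
    return root


if __name__ == "__main__":
    for f in scan_app_dir(build_demo_tree()):
        flag = "EXTENSION MISMATCH" if f["ext_mismatch"] else ""
        print(f"{f['kind']:4} {f['sha256']} {f['path']} {flag}")
```

Run against a real pulled data directory (for example `adb pull /data/data/celery.roast.lawn` from a rooted test device), the "EXTENSION MISMATCH" flag isolates exactly the NoT.json-style loader payloads, and the printed SHA256 can be matched against the two values recorded for that path above.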

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-08 14:23

Reported

2024-12-08 14:26

Platform

android-x64-arm64-20240624-en

Max time kernel

145s

Max time network

136s

Command Line

celery.roast.lawn

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Description Indicator Process Target
(1 match; no indicator details recorded)

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
(3 matches; no indicator details recorded)

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/celery.roast.lawn/app_DynamicOptDex/NoT.json N/A N/A
N/A /data/user/0/celery.roast.lawn/app_DynamicOptDex/NoT.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Requests exemption from battery optimizations (often used so the app can keep running unnoticed in the background)

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

celery.roast.lawn

Network

Country Destination Domain Proto
GB 142.250.187.238:443 N/A tcp
GB 142.250.187.238:443 N/A tcp
GB 142.250.187.238:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.36:443 N/A tcp
GB 142.250.200.36:443 N/A tcp

Files

/data/user/0/celery.roast.lawn/app_DynamicOptDex/NoT.json

MD5 fd1c11559069001113f00baf3b81717b
SHA1 6834680054e2ee069be932b5eec33c469519f93a
SHA256 b8228ec2ce0101f67710a73cb627a9a91c287626fd014f5aad787f7d8cdd0aa0
SHA512 5db6210662f3cfcd7f3a129de9089c9cd9e86478ec557d48eae4eae8d6ff7f830cc2813199336be9edc3c09f9e2c003b85d5674bbd6a4443a5378abfea03160c

/data/user/0/celery.roast.lawn/app_DynamicOptDex/NoT.json

MD5 142b5cd973e8a5b0d4201c58f9918c1e
SHA1 5c91a1f3ed47a4d725213e7cf81ee5438a9766a3
SHA256 cd7bf34bc3afc3e969f844ba7bd3a4b1ee259c6c748e9e3777efb4cd9996b91c
SHA512 7ea4ea6cd28b6c4805ae338f2bf7f35899a8ffabf1564a5612b615600bc41ed1a8c2866365c32f58d07fd2b9a2b2538610654bace271c666a2f4044a7c1c122a

/data/user/0/celery.roast.lawn/app_DynamicOptDex/oat/NoT.json.cur.prof

MD5 a350ec6293d05524b28cb705389bc90a
SHA1 ba24ac5dabbb1ac5e03a488fccc7385476895607
SHA256 d4c0dd1a0a9e183e8753ee23594a846e7cd2c8e695921c89aaf1c70186353a55
SHA512 091ab51d375c8ce62bdb743d50712a1b4f7d83db5734deca82fba8ec3e0a7a7299b46eb0a17b563bd981716ecfe07f1a202dad2ae4d2d8458e15cf9517ff84b9

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-08 14:23

Reported

2024-12-08 14:26

Platform

android-x86-arm-20240624-en

Max time kernel

139s

Max time network

131s

Command Line

celery.roast.lawn

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Description Indicator Process Target
(2 matches; no indicator details recorded)

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
(1 match; no indicator details recorded)

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/celery.roast.lawn/app_DynamicOptDex/NoT.json N/A N/A
N/A /data/user/0/celery.roast.lawn/app_DynamicOptDex/NoT.json N/A N/A
N/A /data/user/0/celery.roast.lawn/app_DynamicOptDex/NoT.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Requests exemption from battery optimizations (often used so the app can keep running unnoticed in the background)

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests that the user enable its accessibility service (opens the Accessibility settings screen)

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

celery.roast.lawn

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/celery.roast.lawn/app_DynamicOptDex/NoT.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/celery.roast.lawn/app_DynamicOptDex/oat/x86/NoT.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 142.250.200.46:443 android.apis.google.com tcp

Files

/data/data/celery.roast.lawn/app_DynamicOptDex/NoT.json

MD5 fd1c11559069001113f00baf3b81717b
SHA1 6834680054e2ee069be932b5eec33c469519f93a
SHA256 b8228ec2ce0101f67710a73cb627a9a91c287626fd014f5aad787f7d8cdd0aa0
SHA512 5db6210662f3cfcd7f3a129de9089c9cd9e86478ec557d48eae4eae8d6ff7f830cc2813199336be9edc3c09f9e2c003b85d5674bbd6a4443a5378abfea03160c

/data/data/celery.roast.lawn/app_DynamicOptDex/NoT.json

MD5 142b5cd973e8a5b0d4201c58f9918c1e
SHA1 5c91a1f3ed47a4d725213e7cf81ee5438a9766a3
SHA256 cd7bf34bc3afc3e969f844ba7bd3a4b1ee259c6c748e9e3777efb4cd9996b91c
SHA512 7ea4ea6cd28b6c4805ae338f2bf7f35899a8ffabf1564a5612b615600bc41ed1a8c2866365c32f58d07fd2b9a2b2538610654bace271c666a2f4044a7c1c122a

/data/user/0/celery.roast.lawn/app_DynamicOptDex/NoT.json

MD5 7d243ef4a4d967feacd8852631716d7f
SHA1 55ad07dac2abe32dcee1311b6e4eded86dceb2d5
SHA256 312df14edd3ee172426f5eeec16963eaf63573432a5569e65fe6d38e74a63932
SHA512 e3e90bea960e39dff70fc7d8bfacbd35866ef7ac6e3482c172aae665ab765167fbb90d9e9214a69138e2835c9bc299aebdd496cd6d4f913dd8536ed680aaffe7

/data/data/celery.roast.lawn/app_DynamicOptDex/oat/NoT.json.cur.prof

MD5 be43baf490e69f766d7ad9e2b536a21c
SHA1 e0c11158121b8489ace8047e8a2b99a9e55bbde3
SHA256 65cf37b61552e500b4869ffd4839a76e1db9870d37c828b69788902299afcf65
SHA512 09080dd7b571118c3a32972cfd757cd18d8e79204c4632f80f6223113454a657ff0e8be85664e83c4b06a019c99e8eff61edbce385534a8599833d9c905b6007