Malware Analysis Report

2025-01-19 05:12

Sample ID 241213-pd9xmsxrcs
Target eb73dee8702ed7e3582e4d6ac3f47e74_JaffaCakes118
SHA256 29e4bdd32b7f308d1a138dcff54c30ac11aa5c178f6e19fe413c7999fdb120a9
Tags
alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

29e4bdd32b7f308d1a138dcff54c30ac11aa5c178f6e19fe413c7999fdb120a9

Threat Level: Known bad

The file eb73dee8702ed7e3582e4d6ac3f47e74_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Alienbot

Cerberus

Alienbot family

Cerberus payload

Cerberus family

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries account information for other applications stored on the device

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's foreground persistence service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-13 12:14

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-13 12:13

Reported

2024-12-13 12:16

Platform

android-x64-20240910-en

Max time kernel

132s

Max time network

151s

Command Line

flock.trip.upper

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/flock.trip.upper/app_DynamicOptDex/wr.json N/A N/A
N/A /data/user/0/flock.trip.upper/app_DynamicOptDex/wr.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

flock.trip.upper

Network

Country Destination Domain Proto
GB 142.250.200.42:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.78:443 android.apis.google.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.67.167.151:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
DE 194.163.136.78:80 tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 216.58.213.2:443 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp

Files

/data/data/flock.trip.upper/app_DynamicOptDex/wr.json

MD5 c838317e3a64ab9be76c92ad3351bfe2
SHA1 d30d3e45ece87ffc65fe9bc965717aa7b7ed3211
SHA256 935a133607090b950afe950a3a8715c6fa6d7b4cddb789e4a6a331dfa2b866ca
SHA512 94e90cb7fefb6cef9f6c7b7450f3efe79ca26d0c85b4a22e6d4e28e31c295f118646ff3e8a1ea9f42d1e672aedcf20b339bfd0411848679f7865bca32126ee7b

/data/data/flock.trip.upper/app_DynamicOptDex/wr.json

MD5 4ecd31144926e22a143aea10ea36a045
SHA1 472512b071b5e9ab3fac8e603f6c891e56c77568
SHA256 4804a8c361bc4bac8c5dc7570eaecc28e1a6cc7cb98d8034214c94a071ae5bad
SHA512 1f07d948d8a3f348208e77e4421dd10cecbe995660bfcdf13d13ebd0f2960235cf19d986c12fcbc74c605054759626fa0d2c987004f99fcebec00dc47b1cd7a6

/data/data/flock.trip.upper/app_DynamicOptDex/oat/wr.json.cur.prof

MD5 327325d0b4475e87ac16da2dba1dfd28
SHA1 fadb814bc22c5ed05fb04a4333db93bfc61f1a17
SHA256 d0de8f11a85195c9fe1fb05af3cdb3b277e3b7ca859e62c73c08573dc9be6880
SHA512 03f15858d9b976a0b06cbc4116f32b6e4fef6d3cc299858154304282e2d2956b701b5f77deac17b8a81feb676b566b2a8b405fb3c940476bab33e214e6a227d4

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-13 12:13

Reported

2024-12-13 12:16

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

150s

Command Line

flock.trip.upper

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/flock.trip.upper/app_DynamicOptDex/wr.json N/A N/A
N/A /data/user/0/flock.trip.upper/app_DynamicOptDex/wr.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

flock.trip.upper

Network

Country Destination Domain Proto
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 www.youtube.com udp
GB 216.58.212.206:443 www.youtube.com udp
GB 216.58.212.206:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
US 216.239.32.223:443 tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.67.167.151:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
GB 142.250.187.193:443 tcp
US 216.239.32.223:443 tcp
GB 216.58.204.65:443 tcp
US 216.239.32.223:443 tcp

Files

/data/user/0/flock.trip.upper/app_DynamicOptDex/wr.json

MD5 c838317e3a64ab9be76c92ad3351bfe2
SHA1 d30d3e45ece87ffc65fe9bc965717aa7b7ed3211
SHA256 935a133607090b950afe950a3a8715c6fa6d7b4cddb789e4a6a331dfa2b866ca
SHA512 94e90cb7fefb6cef9f6c7b7450f3efe79ca26d0c85b4a22e6d4e28e31c295f118646ff3e8a1ea9f42d1e672aedcf20b339bfd0411848679f7865bca32126ee7b

/data/user/0/flock.trip.upper/app_DynamicOptDex/wr.json

MD5 4ecd31144926e22a143aea10ea36a045
SHA1 472512b071b5e9ab3fac8e603f6c891e56c77568
SHA256 4804a8c361bc4bac8c5dc7570eaecc28e1a6cc7cb98d8034214c94a071ae5bad
SHA512 1f07d948d8a3f348208e77e4421dd10cecbe995660bfcdf13d13ebd0f2960235cf19d986c12fcbc74c605054759626fa0d2c987004f99fcebec00dc47b1cd7a6

/data/user/0/flock.trip.upper/app_DynamicOptDex/oat/wr.json.cur.prof

MD5 923f3a8971976b388c5e3bb82f998f60
SHA1 a6cafd192eb1d79d437a88abe8856e3fd0cb4c9a
SHA256 89c58cf0a64b1aa437f7626b9fb9c7712321888f11745d72644f0b443a39c697
SHA512 7af814a95a02be99dbd9aa4445865aa7af4a16c880b91995e5204e1a895863dc981eee993d521bcbe8ffef382e03117ba50d18155ac1fc4e7d18d775041c8d26

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-13 12:13

Reported

2024-12-13 12:16

Platform

android-x86-arm-20240910-en

Max time kernel

140s

Max time network

151s

Command Line

flock.trip.upper

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/flock.trip.upper/app_DynamicOptDex/wr.json N/A N/A
N/A /data/user/0/flock.trip.upper/app_DynamicOptDex/wr.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

flock.trip.upper

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.74:443 tcp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 104.21.59.19:443 jsonplaceholder.typicode.com tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
DE 194.163.136.78:80 tcp
GB 142.250.200.2:443 tcp

Files

/data/data/flock.trip.upper/app_DynamicOptDex/wr.json

MD5 c838317e3a64ab9be76c92ad3351bfe2
SHA1 d30d3e45ece87ffc65fe9bc965717aa7b7ed3211
SHA256 935a133607090b950afe950a3a8715c6fa6d7b4cddb789e4a6a331dfa2b866ca
SHA512 94e90cb7fefb6cef9f6c7b7450f3efe79ca26d0c85b4a22e6d4e28e31c295f118646ff3e8a1ea9f42d1e672aedcf20b339bfd0411848679f7865bca32126ee7b

/data/data/flock.trip.upper/app_DynamicOptDex/wr.json

MD5 4ecd31144926e22a143aea10ea36a045
SHA1 472512b071b5e9ab3fac8e603f6c891e56c77568
SHA256 4804a8c361bc4bac8c5dc7570eaecc28e1a6cc7cb98d8034214c94a071ae5bad
SHA512 1f07d948d8a3f348208e77e4421dd10cecbe995660bfcdf13d13ebd0f2960235cf19d986c12fcbc74c605054759626fa0d2c987004f99fcebec00dc47b1cd7a6

/data/data/flock.trip.upper/app_DynamicOptDex/oat/wr.json.cur.prof

MD5 6698542e038967c126cd5304edb6b6b4
SHA1 c74c0cfa9883fe99c6d79ac00cc5bb91b13492f4
SHA256 e397dbb9c56e341f36d10dd7f8e4fe339fe6bd6222283b5352e06afbe9085666
SHA512 3ce6fbaf0cfccf2a9a9652c734fb13629ea04c10e135981e4f5478416b733660565b3129b437e6263e20a3edfc851543cb400638a6b94ee2e593b10bcd3e549b