Malware Analysis Report

2025-01-19 05:12

Sample ID 241216-2hyrdssrer
Target eb73dee8702ed7e3582e4d6ac3f47e74_JaffaCakes118
SHA256 29e4bdd32b7f308d1a138dcff54c30ac11aa5c178f6e19fe413c7999fdb120a9
Tags
alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

29e4bdd32b7f308d1a138dcff54c30ac11aa5c178f6e19fe413c7999fdb120a9

Threat Level: Known bad

The file eb73dee8702ed7e3582e4d6ac3f47e74_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Cerberus

Cerberus family

Alienbot family

Cerberus payload

Alienbot

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries account information for other applications stored on the device

Performs UI accessibility actions on behalf of the user

Declares broadcast receivers with permission to handle system events

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Acquires the wake lock

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-16 22:35

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-16 22:35

Reported

2024-12-16 22:38

Platform

android-x86-arm-20240910-en

Max time kernel

134s

Max time network

151s

Command Line

flock.trip.upper

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/flock.trip.upper/app_DynamicOptDex/wr.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

flock.trip.upper

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/flock.trip.upper/app_DynamicOptDex/wr.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/flock.trip.upper/app_DynamicOptDex/oat/x86/wr.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp
US | 172.67.167.151:443 | jsonplaceholder.typicode.com | tcp
GB | 216.58.212.238:443 | | tcp (3 connections)
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
DE | 194.163.136.78:80 | | tcp (9 connections)
GB | 172.217.16.228:80 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 142.250.200.35:80 | | tcp
GB | 216.58.212.234:443 | | tcp

Files

/data/data/flock.trip.upper/app_DynamicOptDex/wr.json

MD5 c838317e3a64ab9be76c92ad3351bfe2
SHA1 d30d3e45ece87ffc65fe9bc965717aa7b7ed3211
SHA256 935a133607090b950afe950a3a8715c6fa6d7b4cddb789e4a6a331dfa2b866ca
SHA512 94e90cb7fefb6cef9f6c7b7450f3efe79ca26d0c85b4a22e6d4e28e31c295f118646ff3e8a1ea9f42d1e672aedcf20b339bfd0411848679f7865bca32126ee7b

/data/data/flock.trip.upper/app_DynamicOptDex/wr.json

MD5 4ecd31144926e22a143aea10ea36a045
SHA1 472512b071b5e9ab3fac8e603f6c891e56c77568
SHA256 4804a8c361bc4bac8c5dc7570eaecc28e1a6cc7cb98d8034214c94a071ae5bad
SHA512 1f07d948d8a3f348208e77e4421dd10cecbe995660bfcdf13d13ebd0f2960235cf19d986c12fcbc74c605054759626fa0d2c987004f99fcebec00dc47b1cd7a6

/data/user/0/flock.trip.upper/app_DynamicOptDex/wr.json

MD5 7384c3b31af3fd7cb7380112b13d03bc
SHA1 a579a4612f420da799d0a9d7be97b8de5ee46254
SHA256 21ec493370877d6f37f90d8f9e3884471d8865fc2916169e081fb84659ff8e3d
SHA512 8e36f67b4bfe844e6af1e8156c5ab345b1c93649060b906416c4f93d9df8426e6641db8588c06816ba936205f0beb6fdde212415dc41b666c4de022a5da267dd

/data/data/flock.trip.upper/app_DynamicOptDex/oat/wr.json.cur.prof

MD5 0217d003c2d24f4798cdb7abc1055120
SHA1 e6e9a4f9d577cde74db6a0d696a2d6b95b6b477f
SHA256 6f29064cf00e6dcf10fd5b4847a569840c8ef16ab9fe81470fa5af74faeaf529
SHA512 123be6c79d21db9f9cb3efdb5decfdaf7d0132220c7461394e7d90429f729b44a9e707f7ea11b540d58a7e0b115213b0519d889c244093609de0921e708e4929

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-16 22:35

Reported

2024-12-16 22:38

Platform

android-x64-20240624-en

Max time kernel

145s

Max time network

151s

Command Line

flock.trip.upper

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/flock.trip.upper/app_DynamicOptDex/wr.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

flock.trip.upper

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp
US | 172.67.167.151:443 | jsonplaceholder.typicode.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
DE | 194.163.136.78:80 | | tcp (9 connections)
GB | 142.250.187.228:443 | | tcp (2 connections)
GB | 216.58.213.14:443 | | tcp
GB | 142.250.178.2:443 | | tcp

Files

/data/data/flock.trip.upper/app_DynamicOptDex/wr.json

MD5 c838317e3a64ab9be76c92ad3351bfe2
SHA1 d30d3e45ece87ffc65fe9bc965717aa7b7ed3211
SHA256 935a133607090b950afe950a3a8715c6fa6d7b4cddb789e4a6a331dfa2b866ca
SHA512 94e90cb7fefb6cef9f6c7b7450f3efe79ca26d0c85b4a22e6d4e28e31c295f118646ff3e8a1ea9f42d1e672aedcf20b339bfd0411848679f7865bca32126ee7b

/data/data/flock.trip.upper/app_DynamicOptDex/wr.json

MD5 4ecd31144926e22a143aea10ea36a045
SHA1 472512b071b5e9ab3fac8e603f6c891e56c77568
SHA256 4804a8c361bc4bac8c5dc7570eaecc28e1a6cc7cb98d8034214c94a071ae5bad
SHA512 1f07d948d8a3f348208e77e4421dd10cecbe995660bfcdf13d13ebd0f2960235cf19d986c12fcbc74c605054759626fa0d2c987004f99fcebec00dc47b1cd7a6

/data/data/flock.trip.upper/app_DynamicOptDex/oat/wr.json.cur.prof

MD5 4a6ad4ce7717d554d0d7c1b508ee7867
SHA1 9efc70cf74ad07456a34408ad64fa6b913821a00
SHA256 a99b336f1dbab34ec41d8f017d5a82bdd45d811f5d3f343413a66774a467ecd9
SHA512 71d64a48f995cf06ab68aea90f7218d883dd498911677924f6abd5bae23f847007799c632698446f4cfb0a841e53c36eb89f104e6346ce2e8aa7f0e7027b9ae3

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-16 22:35

Reported

2024-12-16 22:38

Platform

android-x64-arm64-20240910-en

Max time kernel

145s

Max time network

150s

Command Line

flock.trip.upper

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/flock.trip.upper/app_DynamicOptDex/wr.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

flock.trip.upper

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 216.58.204.78:443 | www.youtube.com | tcp
GB | 142.250.178.14:443 | www.youtube.com | tcp (2 connections)
US | 216.239.36.223:443 | | tcp (3 connections)
US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp
US | 104.21.59.19:443 | jsonplaceholder.typicode.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
DE | 194.163.136.78:80 | | tcp (8 connections)
GB | 142.250.187.225:443 | | tcp
GB | 142.250.200.1:443 | | tcp

Files

/data/user/0/flock.trip.upper/app_DynamicOptDex/wr.json

MD5 c838317e3a64ab9be76c92ad3351bfe2
SHA1 d30d3e45ece87ffc65fe9bc965717aa7b7ed3211
SHA256 935a133607090b950afe950a3a8715c6fa6d7b4cddb789e4a6a331dfa2b866ca
SHA512 94e90cb7fefb6cef9f6c7b7450f3efe79ca26d0c85b4a22e6d4e28e31c295f118646ff3e8a1ea9f42d1e672aedcf20b339bfd0411848679f7865bca32126ee7b

/data/user/0/flock.trip.upper/app_DynamicOptDex/wr.json

MD5 4ecd31144926e22a143aea10ea36a045
SHA1 472512b071b5e9ab3fac8e603f6c891e56c77568
SHA256 4804a8c361bc4bac8c5dc7570eaecc28e1a6cc7cb98d8034214c94a071ae5bad
SHA512 1f07d948d8a3f348208e77e4421dd10cecbe995660bfcdf13d13ebd0f2960235cf19d986c12fcbc74c605054759626fa0d2c987004f99fcebec00dc47b1cd7a6

/data/user/0/flock.trip.upper/app_DynamicOptDex/oat/wr.json.cur.prof

MD5 75ccd3c1115233155bd5d7f6c714b0c2
SHA1 43c402561612eb625f80b7af85ec6887db4686c1
SHA256 02c62fe02fae56e27d90e0d8faa21f92995d3f6f976d45b5164f4d53cd131e94
SHA512 9426435553e051a04cfd297553bc4b7e7484167c2a4b7515629ce6f7c11bcefe6fb3be4e9194c6d4ba1880757e42999e6876e40735711b6abd02e715a1298708