Malware Analysis Report

2025-01-19 05:12

Sample ID 241221-1xz3bs1nbj
Target ac96473138cc210721102777a2b766f023cb31dfd24a96292149145f5c4f2c58.bin
SHA256 ac96473138cc210721102777a2b766f023cb31dfd24a96292149145f5c4f2c58
Tags
alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ac96473138cc210721102777a2b766f023cb31dfd24a96292149145f5c4f2c58

Threat Level: Known bad

The file ac96473138cc210721102777a2b766f023cb31dfd24a96292149145f5c4f2c58.bin was found to be: Known bad.

Malicious Activity Summary


Cerberus

Alienbot family

Alienbot

Cerberus payload

Cerberus family

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries account information for other applications stored on the device

Makes use of the framework's Accessibility service

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background)

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-12-21 22:02

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-21 22:02

Reported

2024-12-21 22:05

Platform

android-x86-arm-20240910-en

Max time kernel

134s

Max time network

154s

Command Line

com.ucuadqxoj

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ucuadqxoj/cache/payload.jar | N/A | N/A
N/A | /data/user/0/com.ucuadqxoj/cache/payload.jar | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ucuadqxoj

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ucuadqxoj/cache/payload.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ucuadqxoj/cache/oat/x86/payload.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/com.ucuadqxoj/cache/payload.jar

MD5 2c71af739b725732bc7409da870f1b01
SHA1 65122134f0af886a0cba79388494fa69fb89015b
SHA256 db9f83468daf09f671b75412b0f380c044000677e1c096ef9514e33e8c1c238d
SHA512 f25cfd7aa47994715d0b6efa23882b4c89c87b5ff4bb2ac566d139b6b6e8ddbbefc57a8a1dbc802061a404d965fd1977f83fbaddd5cc87a5dd811e743c46a3df

/data/user/0/com.ucuadqxoj/cache/payload.jar

MD5 e509eeb11454e83ef776251a753488c4
SHA1 76b5813d03e27a8f8746ee9694774dfd7768aa4e
SHA256 f1e98d8910917f15db1c5780fdd082ce27a7ecce40f363ecd07d0f8091332b77
SHA512 b9e4d4972f717f155e92f1431c61c3d4b627ed996470d158a5ea1b6ebe23f84a3a44da73c53f70ae13f255e1263f1741628976c5e877727f25556d95dc58c7d1

/data/user/0/com.ucuadqxoj/cache/payload.jar

MD5 a80b292df3ef1721270c3064a667bedb
SHA1 aefb39bf99ef3b1d119057b83e21c787b53ad41c
SHA256 4e850ae53a02f6c01ded3ac7b18bc015bfc8942134b1be91ddbe132e5f2dd745
SHA512 9f0925c2fd0ce2be03312a06faaa8b9c03379e7f7c0d98cecb9e0e805ac03f836ab544ef4d4abfb3161a32b0f750b584c4f31cf7b962f56f61b3bb9d7a6e3c95

/data/data/com.ucuadqxoj/cache/oat/payload.jar.cur.prof

MD5 98c3a619c1341b5acade78088130be45
SHA1 a5b3044190dbb491aecd5ce5b8d57e4afceb6075
SHA256 d1b9a9be007fed79f9fb697b7f447dcac5c1e3699b55120903fd266faf07db80
SHA512 45d9ca3721e70f9c99270634618907e2ec620f9a232507b9c231d9adda100c42fbdf2fa60a5ba99065888df870527afdae86f8b747774ff46d233efb83094bdd

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-21 22:02

Reported

2024-12-21 22:05

Platform

android-x64-20240910-en

Max time kernel

149s

Max time network

155s

Command Line

com.ucuadqxoj

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ucuadqxoj/cache/payload.jar | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

com.ucuadqxoj

Network


Files

/data/data/com.ucuadqxoj/cache/payload.jar

MD5 2c71af739b725732bc7409da870f1b01
SHA1 65122134f0af886a0cba79388494fa69fb89015b
SHA256 db9f83468daf09f671b75412b0f380c044000677e1c096ef9514e33e8c1c238d
SHA512 f25cfd7aa47994715d0b6efa23882b4c89c87b5ff4bb2ac566d139b6b6e8ddbbefc57a8a1dbc802061a404d965fd1977f83fbaddd5cc87a5dd811e743c46a3df

/data/user/0/com.ucuadqxoj/cache/payload.jar

MD5 e509eeb11454e83ef776251a753488c4
SHA1 76b5813d03e27a8f8746ee9694774dfd7768aa4e
SHA256 f1e98d8910917f15db1c5780fdd082ce27a7ecce40f363ecd07d0f8091332b77
SHA512 b9e4d4972f717f155e92f1431c61c3d4b627ed996470d158a5ea1b6ebe23f84a3a44da73c53f70ae13f255e1263f1741628976c5e877727f25556d95dc58c7d1

/data/data/com.ucuadqxoj/cache/oat/payload.jar.cur.prof

MD5 1f5c61da46ea55a7054f14e21abe0b86
SHA1 39a18ac102ba391060b81c390d7c50ddaf4cdae0
SHA256 cb45f3df80c4d6f730f4b9d10626c212bc1066a41b2e9b8b51c329282690c6c9
SHA512 51b3fd9afc5b7a0dff04481c905071c904f84afa6942698d73989e7ef1334392a41cf20b7147eb57db0ad9b34a1483a0a96200b85c7167aeabddd09b526aff86

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-21 22:02

Reported

2024-12-21 22:05

Platform

android-x64-arm64-20240910-en

Max time kernel

146s

Max time network

156s

Command Line

com.ucuadqxoj

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ucuadqxoj/cache/payload.jar | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

com.ucuadqxoj

Network


Files

/data/user/0/com.ucuadqxoj/cache/payload.jar

MD5 2c71af739b725732bc7409da870f1b01
SHA1 65122134f0af886a0cba79388494fa69fb89015b
SHA256 db9f83468daf09f671b75412b0f380c044000677e1c096ef9514e33e8c1c238d
SHA512 f25cfd7aa47994715d0b6efa23882b4c89c87b5ff4bb2ac566d139b6b6e8ddbbefc57a8a1dbc802061a404d965fd1977f83fbaddd5cc87a5dd811e743c46a3df

/data/user/0/com.ucuadqxoj/cache/payload.jar

MD5 e509eeb11454e83ef776251a753488c4
SHA1 76b5813d03e27a8f8746ee9694774dfd7768aa4e
SHA256 f1e98d8910917f15db1c5780fdd082ce27a7ecce40f363ecd07d0f8091332b77
SHA512 b9e4d4972f717f155e92f1431c61c3d4b627ed996470d158a5ea1b6ebe23f84a3a44da73c53f70ae13f255e1263f1741628976c5e877727f25556d95dc58c7d1

/data/user/0/com.ucuadqxoj/cache/oat/payload.jar.cur.prof

MD5 6f865753ec7aa0d055e84452f10f674a
SHA1 9b2d585f7dc272a49a2e10460e3effd4dbff0379
SHA256 73140568aa4267d63ea87abacaffc52d4075c9292e94432d9f24c3deefac538c
SHA512 1cb9ddcfa6481cfa9b3e9df81d555809c0128b48cb1ddc6c661ef63b53c864834f9032f8e0a3dd541ece0b821af2a7cea93a9a7076cde6e6d68e9a6bc6f12dd9