Malware Analysis Report

2025-01-19 05:13

Sample ID 241225-m7d1ysslds
Target Chrome.apk
SHA256 454ffcf9ef438d5d3eee894d0b2f21326935857da76d5720a8dc0eeda8280f59
Tags alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan
Score 10/10


Analysis Overview

Score

10/10

SHA256

454ffcf9ef438d5d3eee894d0b2f21326935857da76d5720a8dc0eeda8280f59

Threat Level: Known bad

The file Chrome.apk was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Alienbot

Cerberus family

Cerberus payload

Cerberus

Alienbot family

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries account information for other applications stored on the device

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Performs UI accessibility actions on behalf of the user

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-25 11:06

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-25 11:06

Reported

2024-12-25 11:08

Platform

android-x86-arm-20240910-en

Max time kernel

140s

Max time network

151s

Command Line

crack.base.hawk

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/crack.base.hawk/app_DynamicOptDex/qAERL.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

crack.base.hawk

Network


Files

/data/data/crack.base.hawk/app_DynamicOptDex/qAERL.json (two versions with different hashes were observed at this path)

/data/data/crack.base.hawk/app_DynamicOptDex/oat/qAERL.json.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-25 11:06

Reported

2024-12-25 11:08

Platform

android-x64-20240910-en

Max time kernel

132s

Max time network

152s

Command Line

crack.base.hawk

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/crack.base.hawk/app_DynamicOptDex/qAERL.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

crack.base.hawk

Network


Files

/data/data/crack.base.hawk/app_DynamicOptDex/qAERL.json (two versions with different hashes were observed at this path)

/data/data/crack.base.hawk/app_DynamicOptDex/oat/qAERL.json.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-25 11:06

Reported

2024-12-25 11:08

Platform

android-x64-arm64-20240910-en

Max time kernel

146s

Max time network

150s

Command Line

crack.base.hawk

Signatures

Alienbot

banker trojan infostealer alienbot

Alienbot family

alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus family

cerberus

Cerberus payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/crack.base.hawk/app_DynamicOptDex/qAERL.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

crack.base.hawk

Network


Files

/data/user/0/crack.base.hawk/app_DynamicOptDex/qAERL.json (two versions with different hashes were observed at this path)