Analysis

max time kernel: 3881554s
max time network: 155s
platform: android_x86_64
resource: android-x86_64_arm64
submitted: 20-11-2020 20:30

Static task: static1
Behavioral task: behavioral1
Sample: pandemdest.apk
Resource: android-x86_64_arm64
Platform: android_x86_64
0 signatures, 0 seconds
General

Target: pandemdest.apk
Size: 1.9MB
MD5: 8b219d57fafcdb3b2e0d053d344c98c8
SHA1: 566bdae1390d8e9c910064c9f4a3812f3abc9a67
SHA256: 87cff4f61b32306eaec1f50af02d0521937aadd6f1c1a3b3d5ea177ebe690f47
SHA512: 53d4fb2e8b2e2269968e93cf3d5d18e3a8d3ce82f44a9f9324ad84c7103e36746099a2ca7f6d656d11e75e9253cd9fb37053afcea6c144d727353a0da208f690
Malware Config

Extracted
Family: alienbot
C2: http://ricktreemonkey54st.com
Signatures

Alienbot
Alienbot is a fork of the Cerberus banker, first seen in January 2020.
Processes (pid, process):
- 4169 valve.general.hour

Loads dropped Dex/Jar (2 IoCs)
Runs an executable file dropped to the device during analysis.
Processes (ioc, pid, process):
- /data/user/0/valve.general.hour/app_DynamicOptDex/cTicF.json, 4169, valve.general.hour
- /data/user/0/valve.general.hour/app_DynamicOptDex/cTicF.json, 4169, valve.general.hour
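The dropped file above carries a .json name but is loaded as Dex/Jar, so the name tells a triager nothing. The Python below is an added example, not part of this report or of the sandbox that produced it: it classifies a dropped file by magic bytes instead of extension, decodes the DEX header and verifies its Adler-32 checksum, SHA-1 signature, declared size and endian tag, and flags a data-looking name that holds code. The header-only DEX it builds is constructed inside the script as a stand-in for the real dropped bytes, and the function names and the list of "data" extensions are the example's own assumptions.

```python
import hashlib
import struct
import zlib

# DEX header layout (dex "035"): 8-byte magic, uint32 Adler-32 checksum, 20-byte SHA-1
# signature, then twenty little-endian uint32 fields; the header is 0x70 bytes in total.
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678
_HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)
# Assumption: extensions that suggest data; a code container behind one of them is suspicious.
DATA_EXTENSIONS = {"json", "txt", "xml", "dat", "png", "jpg"}


def sniff(data: bytes) -> str:
    """Classify a dropped file by its magic bytes, ignoring the file name entirely."""
    if data[:4] == b"dex\n" and data[7:8] == b"\x00":
        return "dex"
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):   # JAR and APK are zip containers
        return "zip/jar"
    if data[:4] == b"\x7fELF":
        return "elf"
    return "unknown"


def parse_dex_header(data: bytes) -> dict:
    """Decode the header and verify checksum, signature, declared size and endian tag."""
    if len(data) < DEX_HEADER_SIZE or sniff(data) != "dex":
        raise ValueError("not a DEX file")
    fields = dict(zip(_HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    fields["version"] = data[4:7].decode("ascii")
    stored_checksum = struct.unpack_from("<I", data, 8)[0]
    stored_signature = data[12:32]
    # The checksum covers everything after itself; the signature covers everything after itself.
    fields["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == stored_checksum
    fields["signature_ok"] = hashlib.sha1(data[32:]).digest() == stored_signature
    fields["size_ok"] = fields["file_size"] == len(data)
    fields["endian_ok"] = fields["endian_tag"] == DEX_ENDIAN_CONSTANT
    return fields


def name_masquerades(path: str, data: bytes) -> bool:
    """True when the name says data but the bytes are a code container."""
    basename = path.rsplit("/", 1)[-1]
    ext = basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
    return ext in DATA_EXTENSIONS and sniff(data) != "unknown"


def build_minimal_dex() -> bytes:
    """Constructed sample: a header-only DEX with a consistent checksum and signature."""
    body = bytearray(DEX_HEADER_SIZE)
    body[0:8] = b"dex\n035\x00"
    values = [0] * 20
    values[0] = DEX_HEADER_SIZE       # file_size
    values[1] = DEX_HEADER_SIZE       # header_size
    values[2] = DEX_ENDIAN_CONSTANT   # endian_tag
    struct.pack_into("<20I", body, 32, *values)
    body[12:32] = hashlib.sha1(body[32:]).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(body[12:]) & 0xFFFFFFFF)
    return bytes(body)


if __name__ == "__main__":
    dropped = "/data/user/0/valve.general.hour/app_DynamicOptDex/cTicF.json"
    blob = build_minimal_dex()   # stands in for the bytes read from the path above
    print(dropped, "->", sniff(blob), "masquerading:", name_masquerades(dropped, blob))
    for key, value in parse_dex_header(blob).items():
        print(f"  {key}: {value}")
```

On a real dropped file, read the bytes from the sandbox's file dump and pass them to parse_dex_header; a failing checksum or signature on a file the app nevertheless loaded usually means the bytes on disk were still encrypted or were patched after the drop, which is worth a second look.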
Reads name of network operator (1 IoC)
Uses Android APIs to discover system information.
Processes (description, ioc, process):
- Framework API call, android.telephony.TelephonyManager.getNetworkOperatorName, valve.general.hour

Suspicious use of android.app.ActivityManager.getRunningServices (193 IoCs)
Processes (pid, process):
- 4169 valve.general.hour (the same process on every IoC row)

Suspicious use of android.telephony.TelephonyManager.getLine1Number (2 IoCs)
Processes (pid, process):
- 4169 valve.general.hour
- 4169 valve.general.hour

Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso (2 IoCs)
Processes (pid, process):
- 4169 valve.general.hour
- 4169 valve.general.hour

Uses reflection (43 IoCs)
Processes (description, pid, process); every row is pid 4169, valve.general.hour:
- Invokes method java.lang.Object.getClass
- Invokes method android.content.res.AssetManager.addAssetPath
- Invokes method android.app.ContextImpl.getAssets
- Invokes method java.lang.Object.getClass
- Invokes method android.content.res.AssetManager.open
- Invokes method java.io.FilterInputStream.read
- Invokes method java.io.FilterInputStream.read
- Invokes method java.io.BufferedInputStream.read
- Invokes method java.lang.Object.getClass
- Invokes method java.io.BufferedInputStream.close
- Invokes method java.lang.Object.getClass
- Invokes method java.lang.String.getBytes
- Invokes method java.lang.Object.getClass
- Invokes method java.io.FileOutputStream.write
- Invokes method java.lang.Object.getClass
- Invokes method java.io.BufferedInputStream.close
- Invokes method java.lang.Object.getClass
- Invokes method java.io.FilterOutputStream.close
- Invokes method android.app.ActivityThread.currentActivityThread
- Accesses field android.app.ActivityThread.mPackages
- Invokes method java.lang.reflect.Field.get
- Invokes method java.lang.Object.getClass
- Invokes method java.lang.ref.Reference.get
- Invokes method java.lang.ref.Reference.get
- Accesses field android.app.LoadedApk.mClassLoader
- Invokes method java.lang.reflect.Field.get
- Accesses field android.app.LoadedApk.mClassLoader
- Invokes method dalvik.system.CloseGuard.get, Invokes method dalvik.system.CloseGuard.open, Invokes method android.security.NetworkSecurityPolicy.getInstance, Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted (this four-call sequence appears 4 times, 16 rows)
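Read in order, the reflection rows describe a drop-and-load chain: the payload is read out of the APK's assets (AssetManager.open, BufferedInputStream.read), written to app-private storage (FileOutputStream.write), and then the app reaches through ActivityThread.mPackages into LoadedApk.mClassLoader, the field a loader swaps so that classes from a dropped DEX resolve as if they were part of the app. The 193 getRunningServices calls are the kind of foreground-app polling Android bankers use to decide when to show an overlay. The Python below is an added example, not part of this report, that turns those rows into detection logic over a sandbox-style trace: it matches the loader chain as an ordered subsequence, counts the polling against a threshold and lists the TelephonyManager profiling calls. The trace is constructed here from the method and field names in the report; the line format, the stage labels, the 20-call threshold and the function names are the example's own assumptions.

```python
import re
from collections import Counter

# Constructed sandbox-style trace, not taken from the report: "<pid> <process> <kind> <event>".
# The method and field names are the ones the report lists; their order here is illustrative.
_PROC = "4169 valve.general.hour"
TRACE = "\n".join(
    [
        f"{_PROC} reflect Invokes method android.content.res.AssetManager.open",
        f"{_PROC} reflect Invokes method java.io.BufferedInputStream.read",
        f"{_PROC} reflect Invokes method java.io.FileOutputStream.write",
        f"{_PROC} reflect Invokes method android.app.ActivityThread.currentActivityThread",
        f"{_PROC} reflect Accesses field android.app.ActivityThread.mPackages",
        f"{_PROC} reflect Accesses field android.app.LoadedApk.mClassLoader",
        f"{_PROC} api Framework API call android.telephony.TelephonyManager.getNetworkOperatorName",
        f"{_PROC} api Framework API call android.telephony.TelephonyManager.getLine1Number",
        f"{_PROC} api Framework API call android.telephony.TelephonyManager.getNetworkCountryIso",
    ]
    + [f"{_PROC} api Framework API call android.app.ActivityManager.getRunningServices"] * 40
)

EVENT_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<kind>\w+)\s+(?P<text>.+)$")

# Ordered stages of the drop-and-load chain seen in the reflection rows. Each stage accepts
# any of its listed targets, and a later stage must occur after the earlier one fired.
LOADER_CHAIN = (
    ("payload read from APK assets", {"android.content.res.AssetManager.open"}),
    ("payload written to app-private storage", {"java.io.FileOutputStream.write"}),
    ("LoadedApk fetched via ActivityThread", {"android.app.ActivityThread.mPackages"}),
    ("app class loader field touched", {"android.app.LoadedApk.mClassLoader"}),
)
RUNNING_SERVICES_THRESHOLD = 20   # assumption: polling at or beyond this count is a signal


def parse_trace(text: str) -> list:
    """One dict per well-formed line; the fully-qualified target is the line's last token."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"line": n, "pid": int(m["pid"]), "proc": m["proc"],
                           "kind": m["kind"], "target": m["text"].split()[-1]})
    return events


def match_chain(events: list, chain):
    """Ordered-subsequence match: (stage, line) per stage, or None if any stage is missing."""
    hits, pos = [], 0
    for label, targets in chain:
        idx = next((i for i in range(pos, len(events)) if events[i]["target"] in targets), None)
        if idx is None:
            return None
        hits.append((label, events[idx]["line"]))
        pos = idx + 1
    return hits


def analyse(text: str) -> dict:
    """Summarise one process's trace into the verdicts a triager wants to see."""
    events = parse_trace(text)
    counts = Counter(e["target"] for e in events)
    chain = match_chain(events, LOADER_CHAIN)
    polling = counts["android.app.ActivityManager.getRunningServices"]
    return {
        "events": len(events),
        "dynamic_loader": chain is not None,
        "loader_chain": chain or [],
        "running_services_calls": polling,
        "overlay_polling": polling >= RUNNING_SERVICES_THRESHOLD,
        "telephony_calls": sorted(t for t in counts
                                  if t.startswith("android.telephony.TelephonyManager.")),
    }


if __name__ == "__main__":
    for key, value in analyse(TRACE).items():
        print(f"{key}: {value}")
```

The ordering requirement matters: the same four targets in a different order (class loader touched before anything is written) do not fire the loader verdict, which keeps ordinary apps that merely read assets or inspect LoadedApk from matching on individual calls alone.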
Processes

valve.general.hour
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso
- Uses reflection