Analysis
max time kernel: 3982895s
max time network: 144s
platform: android_x86
resource: android-x86_arm
submitted: 22-11-2020 00:39

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: AndroidUpdate.apk
Resource: android-x86_arm
Platform: android_x86
0 signatures
0 seconds
General
Target: AndroidUpdate.apk
Size: 2.3MB
MD5: 570d868aca95df74b7e3a2b8005cda2b
SHA1: fe3b0d48e0d75e70eeb546448fb25e52e4ab6cff
SHA256: b1908d38e44242eece0cc1d11e51cf482400977f110d8210ff9c12d7365af743
SHA512: 82f2b3f82e440b8b6c7f9335d98a9a4a169ee934233d43d94f28ae2a872d55daf26ff8ada6ea67a3db0ecd8edbd452595a815aca44caf2d1060a1b9e52915b2c
Malware Config
Extracted
Family: alienbot
C2: http://bestof12beach.xyz
Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
Processes:
  description: Framework API call; ioc: android.app.ApplicationPackageManager.getInstalledApplications; process: arrest.brush.lounge
Removes its main activity from the application launcher
Processes:
  pid: 4552; process: arrest.brush.lounge
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
  ioc: /data/user/0/arrest.brush.lounge/app_DynamicOptDex/inHC.json; pid: 4552; process: arrest.brush.lounge
  ioc: /data/user/0/arrest.brush.lounge/app_DynamicOptDex/inHC.json; pid: 4682; process: /system/bin/dex2oat
Tries to add a device administrator. 1 IoCs
Processes:
  description: Intent action; ioc: android.app.action.ADD_DEVICE_ADMIN; process: arrest.brush.lounge
Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.
Processes:
  description: Framework API call; ioc: android.telephony.TelephonyManager.getNetworkOperatorName; process: arrest.brush.lounge
Suspicious use of android.app.ActivityManager.getRunningServices 38 IoCs
Processes:
  pid: 4552; process: arrest.brush.lounge (38 entries, all from this process)

Suspicious use of android.telephony.TelephonyManager.getLine1Number 8 IoCs
Processes:
  pid: 4552; process: arrest.brush.lounge (8 entries, all from this process)

Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso 2 IoCs
Processes:
  pid: 4552; process: arrest.brush.lounge (2 entries, all from this process)
Uses reflection 87 IoCs
Processes (every entry below has pid 4552, process arrest.brush.lounge):
  Invokes method java.lang.Object.getClass
  Invokes method android.content.res.AssetManager.addAssetPath
  Invokes method android.app.ContextImpl.getAssets
  Invokes method java.lang.Object.getClass
  Invokes method android.content.res.AssetManager.open
  Invokes method java.io.FilterInputStream.read
  Invokes method java.io.FilterInputStream.read
  Invokes method java.io.BufferedInputStream.read
  Invokes method java.lang.Object.getClass
  Invokes method java.io.BufferedInputStream.close
  Invokes method java.lang.Object.getClass
  Invokes method java.lang.String.getBytes
  Invokes method java.lang.Object.getClass
  Invokes method java.io.FileOutputStream.write
  Invokes method java.lang.Object.getClass
  Invokes method java.io.BufferedInputStream.close
  Invokes method java.lang.Object.getClass
  Invokes method java.io.FilterOutputStream.close
  Invokes method android.app.ActivityThread.currentActivityThread
  Accesses field android.app.ActivityThread.mPackages
  Invokes method java.lang.reflect.Field.get
  Invokes method java.lang.Object.getClass
  Invokes method java.lang.ref.Reference.get
  Invokes method java.lang.ref.Reference.get
  Accesses field android.app.LoadedApk.mClassLoader
  Invokes method java.lang.reflect.Field.get
  Accesses field android.app.LoadedApk.mClassLoader
  The listed entries then repeat the following four-call sequence several times, ending with one more Invokes method dalvik.system.CloseGuard.get:
  Invokes method dalvik.system.CloseGuard.get
  Invokes method dalvik.system.CloseGuard.open
  Invokes method android.security.NetworkSecurityPolicy.getInstance
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted
Processes
arrest.brush.lounge
  - Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Tries to add a device administrator.
  - Reads name of network operator
  - Suspicious use of android.app.ActivityManager.getRunningServices
  - Suspicious use of android.telephony.TelephonyManager.getLine1Number
  - Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso
  - Uses reflection
  arrest.brush.lounge
  /system/bin/dex2oat
    - Loads dropped Dex/Jar