Analysis
-
max time kernel
1068934s -
max time network
140s -
platform
android_x86_64 -
resource
android-x86_64 -
submitted
08-12-2020 00:16
Static task
static1
Behavioral task
behavioral1
Sample
UpdateApps_obf.apk
Resource
android-x86_64
android_x86_64
0 signatures
0 seconds
General
-
Target
UpdateApps_obf.apk
-
Size
2.7MB
-
MD5
3d17727e871c75397625b9c235e24c35
-
SHA1
e8d5218a592a25318ab42ad58c68a6683a1a5bc3
-
SHA256
ef4e055b09926d762ce6beae47df5170980213d8e69d6c6a7952f0b24748814f
-
SHA512
4528c17a9c145d4820081fae2c02f0138bdbb0b98ace08aeb4737f87ac56250a1a559a56d3f72c63e89420290abdc615d8af43028623ba346f165b1802bdc582
Malware Config
Extracted
Family
alienbot
C2
http://yataarfsns.com
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
description ioc Process Framework API call android.app.ApplicationPackageManager.getInstalledApplications sun.excuse.image -
pid Process 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image -
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/sun.excuse.image/app_DynamicOptDex/aHnh.json 3597 sun.excuse.image /data/user/0/sun.excuse.image/app_DynamicOptDex/aHnh.json 3597 sun.excuse.image -
Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.
description ioc Process Framework API call android.telephony.TelephonyManager.getNetworkOperatorName sun.excuse.image -
Suspicious use of android.app.ActivityManager.getRunningServices 23 IoCs
pid Process 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image -
Suspicious use of android.telephony.TelephonyManager.getLine1Number 6 IoCs
pid Process 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image 3597 sun.excuse.image -
Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso 2 IoCs
pid Process 3597 sun.excuse.image 3597 sun.excuse.image -
Uses reflection 71 IoCs
description pid Process Invokes method java.lang.Object.getClass 3597 sun.excuse.image Invokes method android.content.res.AssetManager.addAssetPath 3597 sun.excuse.image Invokes method android.app.ContextImpl.getAssets 3597 sun.excuse.image Invokes method java.lang.Object.getClass 3597 sun.excuse.image Invokes method android.content.res.AssetManager.open 3597 sun.excuse.image Invokes method java.io.FilterInputStream.read 3597 sun.excuse.image Invokes method java.io.FilterInputStream.read 3597 sun.excuse.image Invokes method java.io.BufferedInputStream.read 3597 sun.excuse.image Invokes method java.lang.Object.getClass 3597 sun.excuse.image Invokes method java.io.BufferedInputStream.close 3597 sun.excuse.image Invokes method java.lang.Object.getClass 3597 sun.excuse.image Invokes method java.lang.String.getBytes 3597 sun.excuse.image Invokes method java.lang.Object.getClass 3597 sun.excuse.image Invokes method java.io.FileOutputStream.write 3597 sun.excuse.image Invokes method java.lang.Object.getClass 3597 sun.excuse.image Invokes method java.io.BufferedInputStream.close 3597 sun.excuse.image Invokes method java.lang.Object.getClass 3597 sun.excuse.image Invokes method java.io.FilterOutputStream.close 3597 sun.excuse.image Invokes method android.app.ActivityThread.currentActivityThread 3597 sun.excuse.image Acesses field android.app.ActivityThread.mPackages 3597 sun.excuse.image Invokes method java.lang.reflect.Field.get 3597 sun.excuse.image Invokes method java.lang.Object.getClass 3597 sun.excuse.image Invokes method java.lang.ref.Reference.get 3597 sun.excuse.image Invokes method java.lang.ref.Reference.get 3597 sun.excuse.image Acesses field android.app.LoadedApk.mClassLoader 3597 sun.excuse.image Invokes method java.lang.reflect.Field.get 3597 sun.excuse.image Acesses field android.app.LoadedApk.mClassLoader 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.get 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.open 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.getInstance 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.get 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.open 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.getInstance 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.get 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.open 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.getInstance 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.get 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.open 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.getInstance 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.get 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.open 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.getInstance 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.get 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.open 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.getInstance 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.get 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.open 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.getInstance 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.get 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.open 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.getInstance 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.get 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.open 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.getInstance 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.get 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.open 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.getInstance 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.get 3597 sun.excuse.image Invokes method dalvik.system.CloseGuard.open 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.getInstance 3597 sun.excuse.image Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3597 sun.excuse.image
Processes
-
sun.excuse.image1⤵
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso
- Uses reflection
PID:3597 -
sun.excuse.image2⤵PID:3643
-
-
getprop2⤵PID:3643
-
-
sun.excuse.image2⤵PID:3730
-
-
getprop2⤵PID:3730
-