edevlet.apk

General

Target: edevlet.apk
Filesize: 2MB
Completed: 12-12-2020 21:05
Score: 10/10
MD5: 9ae42055cbeeea23fe962b2e51660c00
SHA1: bbcf2bdcca0c7d2326b71429c604e7447667f0c0
SHA256: c076650b8c03973f2f9f245a826cf0b7fa0d5add8182f33ec9b372d4b6796a04

Malware Config

Extracted

Family: alienbot
C2: http://gunckerolu.xyz

Signatures (7)

  • Alienbot

    Description

    Alienbot is a fork of Cerberus banker first seen in January 2020.

  • Removes its main activity from the application launcher
    exchange.future.mistake

    Reported IOCs

    pid  | process
    3602 | exchange.future.mistake

  • Loads dropped Dex/Jar
    exchange.future.mistake

    Description

    Runs an executable file dropped to the device during analysis.

    Reported IOCs

    ioc                                                             | pid  | process
    /data/user/0/exchange.future.mistake/app_DynamicOptDex/kEC.json | 3602 | exchange.future.mistake

  • Suspicious use of android.app.ActivityManager.getRunningServices
    exchange.future.mistake

    Reported IOCs

    pid  | process
    3602 | exchange.future.mistake

  • Suspicious use of android.os.PowerManager$WakeLock.acquire
    exchange.future.mistake

    Reported IOCs

    pid  | process
    3602 | exchange.future.mistake

  • Suspicious use of android.telephony.TelephonyManager.getLine1Number
    exchange.future.mistake

    Reported IOCs

    pid  | process
    3602 | exchange.future.mistake

  • Uses reflection
    exchange.future.mistake

    Reported IOCs

    description                                                                 | pid  | process
    Invokes method java.lang.Object.getClass                                    | 3602 | exchange.future.mistake
    Invokes method android.content.res.AssetManager.addAssetPath                | 3602 | exchange.future.mistake
    Invokes method android.app.ContextImpl.getAssets                            | 3602 | exchange.future.mistake
    Invokes method java.lang.Object.getClass                                    | 3602 | exchange.future.mistake
    Invokes method android.content.res.AssetManager.open                        | 3602 | exchange.future.mistake
    Invokes method java.io.FilterInputStream.read                               | 3602 | exchange.future.mistake
    Invokes method java.io.BufferedInputStream.read                             | 3602 | exchange.future.mistake
    Invokes method java.lang.Object.getClass                                    | 3602 | exchange.future.mistake
    Invokes method java.io.BufferedInputStream.close                            | 3602 | exchange.future.mistake
    Invokes method java.lang.Object.getClass                                    | 3602 | exchange.future.mistake
    Invokes method java.lang.String.getBytes                                    | 3602 | exchange.future.mistake
    Invokes method java.lang.Object.getClass                                    | 3602 | exchange.future.mistake
    Invokes method java.io.FileOutputStream.write                               | 3602 | exchange.future.mistake
    Invokes method java.lang.Object.getClass                                    | 3602 | exchange.future.mistake
    Invokes method java.io.BufferedInputStream.close                            | 3602 | exchange.future.mistake
    Invokes method java.lang.Object.getClass                                    | 3602 | exchange.future.mistake
    Invokes method java.io.FilterOutputStream.close                             | 3602 | exchange.future.mistake
    Invokes method android.app.ActivityThread.currentActivityThread             | 3602 | exchange.future.mistake
    Accesses field android.app.ActivityThread.mPackages                         | 3602 | exchange.future.mistake
    Invokes method java.lang.reflect.Field.get                                  | 3602 | exchange.future.mistake
    Invokes method java.lang.Object.getClass                                    | 3602 | exchange.future.mistake
    Invokes method java.lang.ref.Reference.get                                  | 3602 | exchange.future.mistake
    Accesses field android.app.LoadedApk.mClassLoader                           | 3602 | exchange.future.mistake
    Invokes method java.lang.reflect.Field.get                                  | 3602 | exchange.future.mistake
    Accesses field android.app.LoadedApk.mClassLoader                           | 3602 | exchange.future.mistake
    Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE  | 3602 | exchange.future.mistake
    Accesses field javax.security.auth.x500.X500Principal.thisX500Name          | 3602 | exchange.future.mistake
    Invokes method dalvik.system.CloseGuard.get                                 | 3602 | exchange.future.mistake
    Invokes method dalvik.system.CloseGuard.open                                | 3602 | exchange.future.mistake

Processes (5)

  • exchange.future.mistake
    Removes its main activity from the application launcher
    Loads dropped Dex/Jar
    Suspicious use of android.app.ActivityManager.getRunningServices
    Suspicious use of android.os.PowerManager$WakeLock.acquire
    Suspicious use of android.telephony.TelephonyManager.getLine1Number
    Uses reflection
    PID: 3602
    • exchange.future.mistake
      PID: 3655
    • getprop
      PID: 3655
    • exchange.future.mistake
      PID: 3739
    • getprop
      PID: 3739

Network
MITRE ATT&CK Matrix