Analysis
max time kernel: 42409s
max time network: 150s
platform: android_x86_64
resource: android-x86_64
submitted: 05-03-2021 13:12
Static task: static1
Behavioral task: behavioral1
Sample: Chrome3.3.39.apk
Resource: android-x86_64 (platform android_x86_64)
0 signatures, 0 seconds
General
Target: Chrome3.3.39.apk
Size: 3.2MB
MD5: 53a43f911ccbb37ee659216a3eb554ba
SHA1: 10a722a2db60e1ad6dc770405b82e519df85b1e0
SHA256: 7c0049eaabd4a8a29f89124a6270c065c7ce543ea9123c76b8e4572757ccfb54
SHA512: 233d4d611f47bc38d0b5e7d1fabc5c1299f36941b4cc2f3d0f8d4182010da508edc40098026c531e44ded5f155bf23c6b898f9ea4b6554df394f8aafb585739e
Malware Config
Extracted
Family: alienbot
C2: http://fiollool.ga
Signatures

Alienbot
Alienbot is a fork of the Cerberus banker, first seen in January 2020.
Processes:
  pid   process
  3608  shine.furnace.original
  3608  shine.furnace.original
Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
  ioc                                                                pid   process
  /data/user/0/shine.furnace.original/app_DynamicOptDex/dtHkhk.json  3608  shine.furnace.original
  /data/user/0/shine.furnace.original/app_DynamicOptDex/dtHkhk.json  3608  shine.furnace.original
Uses reflection (61 IoCs)
Processes:
  description  pid  process
  Invokes method java.lang.Object.getClass  3608  shine.furnace.original
  Invokes method android.content.res.AssetManager.addAssetPath  3608  shine.furnace.original
  Invokes method android.app.ContextImpl.getAssets  3608  shine.furnace.original
  Invokes method java.lang.Object.getClass  3608  shine.furnace.original
  Invokes method android.content.res.AssetManager.open  3608  shine.furnace.original
  Invokes method java.io.FilterInputStream.read  3608  shine.furnace.original
  Invokes method java.io.FilterInputStream.read  3608  shine.furnace.original
  Invokes method java.io.BufferedInputStream.read  3608  shine.furnace.original
  Invokes method java.lang.Object.getClass  3608  shine.furnace.original
  Invokes method java.io.BufferedInputStream.close  3608  shine.furnace.original
  Invokes method java.lang.Object.getClass  3608  shine.furnace.original
  Invokes method java.lang.String.getBytes  3608  shine.furnace.original
  Invokes method java.lang.Object.getClass  3608  shine.furnace.original
  Invokes method java.io.FileOutputStream.write  3608  shine.furnace.original
  Invokes method java.lang.Object.getClass  3608  shine.furnace.original
  Invokes method java.io.BufferedInputStream.close  3608  shine.furnace.original
  Invokes method java.lang.Object.getClass  3608  shine.furnace.original
  Invokes method java.io.FilterOutputStream.close  3608  shine.furnace.original
  Invokes method android.app.ActivityThread.currentActivityThread  3608  shine.furnace.original
  Accesses field android.app.ActivityThread.mPackages  3608  shine.furnace.original
  Invokes method java.lang.reflect.Field.get  3608  shine.furnace.original
  Invokes method java.lang.Object.getClass  3608  shine.furnace.original
  Invokes method java.lang.ref.Reference.get  3608  shine.furnace.original
  Invokes method java.lang.ref.Reference.get  3608  shine.furnace.original
  Accesses field android.app.LoadedApk.mClassLoader  3608  shine.furnace.original
  Invokes method java.lang.reflect.Field.get  3608  shine.furnace.original
  Accesses field android.app.LoadedApk.mClassLoader  3608  shine.furnace.original
  Invokes method dalvik.system.CloseGuard.get  3608  shine.furnace.original
  Invokes method dalvik.system.CloseGuard.open  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.getInstance  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  3608  shine.furnace.original
  Invokes method dalvik.system.CloseGuard.get  3608  shine.furnace.original
  Invokes method dalvik.system.CloseGuard.open  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.getInstance  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  3608  shine.furnace.original
  Invokes method dalvik.system.CloseGuard.get  3608  shine.furnace.original
  Invokes method dalvik.system.CloseGuard.open  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.getInstance  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.getInstance  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  3608  shine.furnace.original
  Invokes method dalvik.system.CloseGuard.get  3608  shine.furnace.original
  Invokes method dalvik.system.CloseGuard.open  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.getInstance  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.getInstance  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  3608  shine.furnace.original
  Invokes method dalvik.system.CloseGuard.get  3608  shine.furnace.original
  Invokes method dalvik.system.CloseGuard.open  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.getInstance  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.getInstance  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  3608  shine.furnace.original
  Invokes method dalvik.system.CloseGuard.get  3608  shine.furnace.original
  Invokes method dalvik.system.CloseGuard.open  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.getInstance  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  3608  shine.furnace.original
  Invokes method dalvik.system.CloseGuard.get  3608  shine.furnace.original
  Invokes method dalvik.system.CloseGuard.open  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.getInstance  3608  shine.furnace.original
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  3608  shine.furnace.original
28 IoCs
Processes:
  pid   process
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original
  3608  shine.furnace.original