Analysis
- max time kernel: 43292s
- max time network: 141s
- platform: android_x86_64
- resource: android-x86_64
- submitted: 05-03-2021 13:27
Static task: static1
Behavioral task: behavioral1
- Sample: Correos_Seguimiento.apk
- Resource: android-x86_64 (platform android_x86_64)
- 0 signatures
- 0 seconds
General
- Target: Correos_Seguimiento.apk
- Size: 2.6MB
- MD5: b5ed569ccb0dcb73b78bd471cc5c7193
- SHA1: d3226720af70556411228f967228fa775b60b0e3
- SHA256: 85e2227bac98f2a283470798f9f15d63dc3e8f5d98c71385514603f181aefd83
- SHA512: 9b26696b75ab92429ae3e715cf0d9cdbec775ff15f6d70381a60630010029621b2119f7c080a9c7644beb55a21bcb135630bd2804e1c901673132c490805ac1b
Malware Config
Extracted
- Family: alienbot
- C2: http://drasdsasa.com
Signatures
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
Processes:
collect.path.one
pid    process
3612   collect.path.one
(7 identical entries)
Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
collect.path.one
ioc                                                         pid    process
/data/user/0/collect.path.one/app_DynamicOptDex/jq.json     3612   collect.path.one
/data/user/0/collect.path.one/app_DynamicOptDex/jq.json     3612   collect.path.one
Tries to add a device administrator. (1 IoC)
Processes:
collect.path.one
description      ioc                                        process
Intent action    android.app.action.ADD_DEVICE_ADMIN        collect.path.one
Uses reflection (64 IoCs)
Processes:
collect.path.one (every entry below has pid 3612, process collect.path.one)
description:
- Invokes method java.lang.Object.getClass
- Invokes method android.content.res.AssetManager.addAssetPath
- Invokes method android.app.ContextImpl.getAssets
- Invokes method java.lang.Object.getClass
- Invokes method android.content.res.AssetManager.open
- Invokes method java.io.FilterInputStream.read
- Invokes method java.io.FilterInputStream.read
- Invokes method java.io.BufferedInputStream.read
- Invokes method java.lang.Object.getClass
- Invokes method java.io.BufferedInputStream.close
- Invokes method java.lang.Object.getClass
- Invokes method java.lang.String.getBytes
- Invokes method java.lang.Object.getClass
- Invokes method java.io.FileOutputStream.write
- Invokes method java.lang.Object.getClass
- Invokes method java.io.FilterOutputStream.close
- Invokes method android.app.ActivityThread.currentActivityThread
- Accesses field android.app.ActivityThread.mPackages
- Invokes method java.lang.reflect.Field.get
- Invokes method java.lang.Object.getClass
- Invokes method java.lang.ref.Reference.get
- Invokes method java.lang.ref.Reference.get
- Accesses field android.app.LoadedApk.mClassLoader
- Invokes method java.lang.reflect.Field.get
- Accesses field android.app.LoadedApk.mClassLoader
- Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE
- Accesses field javax.security.auth.x500.X500Principal.thisX500Name
- Accesses field javax.security.auth.x500.X500Principal.thisX500Name
- Invokes method dalvik.system.CloseGuard.get
- Invokes method dalvik.system.CloseGuard.open
- Invokes method android.security.NetworkSecurityPolicy.getInstance
- Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted
(the sequence of the last four calls is logged 9 times, 36 entries in total)
57 IoCs
Processes:
collect.path.one
pid    process
3612   collect.path.one
(57 identical entries)
Processes
- collect.path.one (depth 1)
  Signatures:
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Tries to add a device administrator.
  - Uses reflection
  Child processes (depth 2):
  - collect.path.one
  - getprop
  - collect.path.one
  - getprop
  - collect.path.one
  - getprop
  - collect.path.one
  - getprop
  - collect.path.one
  - getprop
  - collect.path.one
  - getprop