Analysis

max time kernel: 1193003s
max time network: 150s
platform: android_x86_64
resource: android-x86_64
submitted: 18-03-2021 20:49

Static task: static1
Behavioral task: behavioral1
Sample: Chrome3.18.15.apk
Resource: android-x86_64
Platform: android_x86_64
0 signatures
0 seconds
General

Target: Chrome3.18.15.apk
Size: 3.1MB
MD5: 35d21e2a819590c81c592ed2ce48dd8d
SHA1: 1cf964734b18517a218c85b086b383b2a710abed
SHA256: 688f0c5efa0f93dbcc7600aa03fffa65f1ba4038931a67332b5255162585ef56
SHA512: e2119e068254a597cfeae6eb6f46e2568367b9e806c2f46baa2d93120d32ef89c27e051a5ab790e539ad90059251bbae0524e3423c1ccff572adc7b454e145d7
Malware Config

Extracted
Family: alienbot
C2: http://fiollool.ga
Signatures

Alienbot
Alienbot is a fork of the Cerberus banker, first seen in January 2020.
Processes:
pid   process
3608  sleep.accuse.blame  (6 entries, all identical)
Loads dropped Dex/Jar  (2 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
ioc                                                              pid   process
/data/user/0/sleep.accuse.blame/app_DynamicOptDex/WmDHcs.json    3608  sleep.accuse.blame
/data/user/0/sleep.accuse.blame/app_DynamicOptDex/WmDHcs.json    3608  sleep.accuse.blame
Uses reflection  (64 IoCs)
Processes:
description                                                                          pid   process
Invokes method java.lang.Object.getClass                                             3608  sleep.accuse.blame
Invokes method android.content.res.AssetManager.addAssetPath                         3608  sleep.accuse.blame
Invokes method android.app.ContextImpl.getAssets                                     3608  sleep.accuse.blame
Invokes method java.lang.Object.getClass                                             3608  sleep.accuse.blame
Invokes method android.content.res.AssetManager.open                                 3608  sleep.accuse.blame
Invokes method java.io.FilterInputStream.read                                        3608  sleep.accuse.blame
Invokes method java.io.FilterInputStream.read                                        3608  sleep.accuse.blame
Invokes method java.io.BufferedInputStream.read                                      3608  sleep.accuse.blame
Invokes method java.lang.Object.getClass                                             3608  sleep.accuse.blame
Invokes method java.io.BufferedInputStream.close                                     3608  sleep.accuse.blame
Invokes method java.lang.Object.getClass                                             3608  sleep.accuse.blame
Invokes method java.lang.String.getBytes                                             3608  sleep.accuse.blame
Invokes method java.lang.Object.getClass                                             3608  sleep.accuse.blame
Invokes method java.io.FileOutputStream.write                                        3608  sleep.accuse.blame
Invokes method java.lang.Object.getClass                                             3608  sleep.accuse.blame
Invokes method java.io.BufferedInputStream.close                                     3608  sleep.accuse.blame
Invokes method java.lang.Object.getClass                                             3608  sleep.accuse.blame
Invokes method java.io.FilterOutputStream.close                                      3608  sleep.accuse.blame
Invokes method android.app.ActivityThread.currentActivityThread                      3608  sleep.accuse.blame
Accesses field android.app.ActivityThread.mPackages                                  3608  sleep.accuse.blame
Invokes method java.lang.reflect.Field.get                                           3608  sleep.accuse.blame
Invokes method java.lang.Object.getClass                                             3608  sleep.accuse.blame
Invokes method java.lang.ref.Reference.get                                           3608  sleep.accuse.blame
Invokes method java.lang.ref.Reference.get                                           3608  sleep.accuse.blame
Accesses field android.app.LoadedApk.mClassLoader                                    3608  sleep.accuse.blame
Invokes method java.lang.reflect.Field.get                                           3608  sleep.accuse.blame
Accesses field android.app.LoadedApk.mClassLoader                                    3608  sleep.accuse.blame
Invokes method dalvik.system.CloseGuard.get                                          3608  sleep.accuse.blame
Invokes method dalvik.system.CloseGuard.open                                         3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.getInstance                    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3608  sleep.accuse.blame
Invokes method dalvik.system.CloseGuard.get                                          3608  sleep.accuse.blame
Invokes method dalvik.system.CloseGuard.open                                         3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.getInstance                    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.getInstance                    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3608  sleep.accuse.blame
Invokes method dalvik.system.CloseGuard.get                                          3608  sleep.accuse.blame
Invokes method dalvik.system.CloseGuard.open                                         3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.getInstance                    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.getInstance                    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3608  sleep.accuse.blame
Invokes method dalvik.system.CloseGuard.get                                          3608  sleep.accuse.blame
Invokes method dalvik.system.CloseGuard.open                                         3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.getInstance                    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.getInstance                    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.getInstance                    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3608  sleep.accuse.blame
Invokes method dalvik.system.CloseGuard.get                                          3608  sleep.accuse.blame
Invokes method dalvik.system.CloseGuard.open                                         3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.getInstance                    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.getInstance                    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3608  sleep.accuse.blame
Invokes method dalvik.system.CloseGuard.get                                          3608  sleep.accuse.blame
Invokes method dalvik.system.CloseGuard.open                                         3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.getInstance                    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.getInstance                    3608  sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3608  sleep.accuse.blame
Invokes method dalvik.system.CloseGuard.get                                          3608  sleep.accuse.blame
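The "Loads dropped Dex/Jar" and "Uses reflection" rows above describe one technique: the app reads a file out of its own assets (AssetManager.open, BufferedInputStream.read), writes it to its private storage (FileOutputStream.write; the dropped file is WmDHcs.json under app_DynamicOptDex), then walks ActivityThread.currentActivityThread → mPackages → LoadedApk.mClassLoader by reflection, which is the usual route to swap in a class loader for the dropped payload. The repeated NetworkSecurityPolicy.isCleartextTrafficPermitted calls are consistent with the plain-http C2 in the extracted config. The script below is an added example, not part of the sandbox report: it parses rows in the report's own "<action> <class>.<member> <pid> <process>" shape, flags any pid that hits the four stages of that chain in order, counts cleartext-policy checks per pid, and flags "dropped Dex/Jar" paths whose extension does not look like a dex container. The sample trace is constructed and abridged (it is not the report's full 64 rows), and pid 4100 / benign.app is an invented control process; the stage list and the extension set are this example's own assumptions.

```python
import os
import re

# Constructed sample trace in the report's row shape. Abridged, not the report's
# full 64 rows; pid 4100 / "benign.app" is an invented control process.
SAMPLE_TRACE = """\
Invokes method android.app.ContextImpl.getAssets 3608 sleep.accuse.blame
Invokes method android.content.res.AssetManager.open 3608 sleep.accuse.blame
Invokes method java.io.BufferedInputStream.read 3608 sleep.accuse.blame
Invokes method java.io.FileOutputStream.write 3608 sleep.accuse.blame
Invokes method android.app.ActivityThread.currentActivityThread 3608 sleep.accuse.blame
Acesses field android.app.ActivityThread.mPackages 3608 sleep.accuse.blame
Invokes method java.lang.reflect.Field.get 3608 sleep.accuse.blame
Accesses field android.app.LoadedApk.mClassLoader 3608 sleep.accuse.blame
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3608 sleep.accuse.blame
Invokes method java.io.FileOutputStream.write 4100 benign.app
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 4100 benign.app
"""

# Accept both the report's "Acesses" spelling and the correct "Accesses".
ROW = re.compile(r"^(Invokes method|Acc?esses field) (\S+) (\d+) (\S+)$")

# Assumed stage list (this example's own): the members that mark each step of
# the asset-drop-then-loader-swap chain. A pid is flagged only if it hits all
# four in this order.
STAGES = [
    ("asset_read", {"android.content.res.AssetManager.open"}),
    ("file_write", {"java.io.FileOutputStream.write"}),
    ("thread_lookup", {"android.app.ActivityThread.currentActivityThread"}),
    ("loader_hijack", {"android.app.LoadedApk.mClassLoader"}),
]

# Assumed set of extensions a file loaded "as Dex/Jar" would normally carry.
DEX_LIKE = {".dex", ".jar", ".apk", ".zip"}


def parse_trace(text):
    """Turn report-style rows into (pid, process, action, member) tuples; skip junk."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            action, member, pid, proc = m.groups()
            events.append((int(pid), proc, action, member))
    return events


def detect_loader_swap(events):
    """Return {pid: {"process": ..., "hits": [...]}} for pids completing every stage in order."""
    per_pid = {}
    for pid, proc, _action, member in events:
        state = per_pid.setdefault(pid, {"process": proc, "hits": []})
        nxt = len(state["hits"])  # index of the next stage this pid still needs
        if nxt < len(STAGES) and member in STAGES[nxt][1]:
            state["hits"].append(STAGES[nxt][0])
    return {pid: s for pid, s in per_pid.items() if len(s["hits"]) == len(STAGES)}


def cleartext_checks(events):
    """Count NetworkSecurityPolicy.isCleartextTrafficPermitted calls per pid."""
    counts = {}
    for pid, _proc, _action, member in events:
        if member == "android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted":
            counts[pid] = counts.get(pid, 0) + 1
    return counts


def suspicious_dropped(paths):
    """Paths loaded as Dex/Jar whose extension says otherwise (the report's payload is a .json)."""
    return [p for p in paths if os.path.splitext(p)[1].lower() not in DEX_LIKE]


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    for pid, s in detect_loader_swap(evs).items():
        print(f"pid {pid} ({s['process']}): dropped-dex loader swap, stages {s['hits']}")
    print("cleartext policy checks per pid:", cleartext_checks(evs))
    print("dropped files with non-dex extension:", suspicious_dropped(
        ["/data/user/0/sleep.accuse.blame/app_DynamicOptDex/WmDHcs.json"]))
```

Run against the constructed trace, only pid 3608 completes the chain; the control process writes a file and checks the cleartext policy but never touches the class loader, so it is not flagged. Feeding the real report's 64 rows through parse_trace works the same way, since the regex is written for that row shape.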
40 IoCs
Processes:
pid   process
3608  sleep.accuse.blame  (40 entries, all identical)
Processes

sleep.accuse.blame  [depth 1]
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Uses reflection
  sleep.accuse.blame  [depth 2]
  getprop  [depth 2]
  sleep.accuse.blame  [depth 2]
  getprop  [depth 2]
  sleep.accuse.blame  [depth 2]
  getprop  [depth 2]
  sleep.accuse.blame  [depth 2]
  getprop  [depth 2]
  sleep.accuse.blame  [depth 2]
  getprop  [depth 2]