Analysis
max time kernel: 4007875s
max time network: 165s
platform: android_x86_64
resource: android-x86_64_arm64
submitted: 20-04-2021 10:43

Static task: static1
Behavioral task: behavioral1
Sample: guncelleme.apk
Resource: android-x86_64_arm64
Platform: android_x86_64
0 signatures, 0 seconds
General
Target: guncelleme.apk
Size: 3.6MB
MD5: 3f42750d4bc64de237187720733da092
SHA1: fa89239568fa00d860b53063cb4d97e3bd78a3dc
SHA256: 1e3f43966a14d33abc347324c47715518dc31add54e9a3f4e0db66a7e78bc5ca
SHA512: 71e94f73c813ba888159927465be4a7662d53836bca7be3be78042bd6306327cb630318ce1d1932a2d599450dcdfe020bfa94ad2868fcc545a941ff9f841bedf
Malware Config
Extracted
Family: alienbot
C2: http://kralvevezir21.digital
Signatures

Alienbot
Alienbot is a fork of the Cerberus banker, first seen in January 2020.
Processes:
  pid   process
  4601  because.junior.crater
Loads dropped Dex/Jar (2 IoCs)
Runs an executable file dropped to the device during analysis.
Processes:
  ioc                                                                    pid   process
  /data/user/0/because.junior.crater/app_DynamicOptDex/KWLong.json       4601  because.junior.crater
  /data/user/0/because.junior.crater/app_DynamicOptDex/KWLong.json       4601  because.junior.crater
Uses reflection (32 IoCs)
Processes (every IoC below was recorded for pid 4601, process because.junior.crater, in this order):
  description
  Invokes method java.lang.Object.getClass
  Invokes method android.content.res.AssetManager.addAssetPath
  Invokes method android.app.ContextImpl.getAssets
  Invokes method java.lang.Object.getClass
  Invokes method android.content.res.AssetManager.open
  Invokes method java.io.FilterInputStream.read
  Invokes method java.io.FilterInputStream.read
  Invokes method java.io.BufferedInputStream.read
  Invokes method java.lang.Object.getClass
  Invokes method java.io.BufferedInputStream.close
  Invokes method java.lang.Object.getClass
  Invokes method java.lang.String.getBytes
  Invokes method java.lang.Object.getClass
  Invokes method java.io.FileOutputStream.write
  Invokes method java.lang.Object.getClass
  Invokes method java.io.BufferedInputStream.close
  Invokes method java.lang.Object.getClass
  Invokes method java.io.FilterOutputStream.close
  Invokes method android.app.ActivityThread.currentActivityThread
  Accesses field android.app.ActivityThread.mPackages
  Invokes method java.lang.reflect.Field.get
  Invokes method java.lang.Object.getClass
  Invokes method java.lang.ref.Reference.get
  Invokes method java.lang.ref.Reference.get
  Accesses field android.app.LoadedApk.mClassLoader
  Invokes method java.lang.reflect.Field.get
  Accesses field android.app.LoadedApk.mClassLoader
  Invokes method dalvik.system.CloseGuard.get
  Invokes method dalvik.system.CloseGuard.open
  Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE
  Invokes method dalvik.system.CloseGuard.get
  Invokes method dalvik.system.CloseGuard.open
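The two signatures above read together: the reflection sequence (AssetManager.open, buffered reads, FileOutputStream.write, then ActivityThread.currentActivityThread, the mPackages field and LoadedApk.mClassLoader) is the usual pattern for unpacking a payload from the APK's assets to disk and reaching the app's own class loader so the dropped file can be loaded, and the "Loads dropped Dex/Jar" entry shows that payload living under app_DynamicOptDex/ with a ".json" name. When triaging such a drop pulled from the device, the file name tells you nothing; the content does. The script below is an added example written for this report (not code from the sandbox, the report, or the Alienbot/Cerberus family): it classifies a blob by its magic bytes, parses the DEX header and verifies its Adler-32 checksum and SHA-1 signature, and flags a loadable payload hiding behind a non-code extension. The path is the one the report shows; the bytes are a constructed header-only DEX, not the real payload.

```python
"""Triage a file that an Android sample drops and then loads at run time.

Added example for this report; not code from the report, the sandbox, or the
Alienbot/Cerberus family. The report shows the dropped payload under
app_DynamicOptDex/ with a ".json" name, so the check goes by content, not by
extension: it recognises the DEX magic and the ZIP/JAR magic, and for a DEX it
validates the header's Adler-32 checksum and SHA-1 signature so a truncated or
patched drop is flagged instead of silently accepted. The sample bytes below
are constructed (a header-only DEX with empty tables), not the real payload.
"""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70            # fixed header length in every DEX version
DEX_MAGIC_PREFIX = b"dex\n"       # followed by three ASCII version digits and NUL
ZIP_MAGIC = b"PK\x03\x04"         # JAR/APK/ZIP local file header
ENDIAN_CONSTANT = 0x12345678      # little-endian marker stored in the header


def classify_dropped_file(data: bytes) -> str:
    """Label a blob by its leading bytes rather than by its file name."""
    if data[:4] == DEX_MAGIC_PREFIX and len(data) >= 8 and data[7:8] == b"\x00":
        return "dex"
    if data[:4] == ZIP_MAGIC:
        return "zip-or-jar"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary-unknown"
    return "text"


def parse_dex_header(data: bytes) -> dict:
    """Parse the 0x70-byte DEX header and check its two integrity fields.

    checksum  = Adler-32 over bytes 12..end (everything after the checksum)
    signature = SHA-1   over bytes 32..end (everything after the signature)
    """
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("too short to hold a DEX header")
    magic = data[:8]
    if magic[:4] != DEX_MAGIC_PREFIX or magic[7:8] != b"\x00":
        raise ValueError("not a DEX file")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    (file_size, header_size, endian_tag, _link_size, _link_off, map_off,
     string_ids_size, _string_ids_off, type_ids_size, _type_ids_off,
     proto_ids_size, _proto_ids_off, field_ids_size, _field_ids_off,
     method_ids_size, _method_ids_off, class_defs_size, _class_defs_off,
     _data_size, _data_off) = struct.unpack_from("<20I", data, 32)
    return {
        "version": magic[4:7].decode("ascii"),
        "file_size": file_size,
        "header_size": header_size,
        "little_endian": endian_tag == ENDIAN_CONSTANT,
        "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
        "size_ok": file_size == len(data),
        "map_off": map_off,
        "string_ids": string_ids_size,
        "type_ids": type_ids_size,
        "proto_ids": proto_ids_size,
        "field_ids": field_ids_size,
        "method_ids": method_ids_size,
        "class_defs": class_defs_size,
    }


def triage_drop(path: str, data: bytes) -> dict:
    """Flag a loadable payload hiding behind a non-code extension."""
    kind = classify_dropped_file(data)
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    loadable = kind in ("dex", "zip-or-jar")
    result = {
        "path": path,
        "kind": kind,
        "name_mismatch": loadable and ext not in ("dex", "odex", "jar", "apk", "zip"),
    }
    if kind == "dex":
        result["header"] = parse_dex_header(data)
    return result


def build_sample_dex() -> bytes:
    """Constructed stand-in for the dropped file: a header-only DEX, all tables empty."""
    body = struct.pack(
        "<20I",
        DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT,  # file_size, header_size, endian_tag
        0, 0, 0,                                             # link_size, link_off, map_off
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,                  # six empty (size, off) tables
        0, 0,                                                # data_size, data_off
    )
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + body


if __name__ == "__main__":
    # Path taken from the report; the bytes are the constructed sample above.
    report_path = "/data/user/0/because.junior.crater/app_DynamicOptDex/KWLong.json"
    print(triage_drop(report_path, build_sample_dex()))
```

To use it on a real drop, pull the file with adb from the path in the "Loads dropped Dex/Jar" entry and pass its bytes to triage_drop(); a "dex" or "zip-or-jar" result with name_mismatch set is the same observation the sandbox made, and a failed checksum or signature means the copy you pulled is not what ART would have accepted (truncated transfer, or a payload patched after it was written).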