Analysis
- max time kernel: 1203455s
- max time network: 152s
- platform: android_x86_64
- resource: android-x86_64
- submitted: 07-05-2021 16:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: DestekBasvuruFormu.apk
- Resource: android-x86_64 (android_x86_64)
- 0 signatures
- 0 seconds
General
- Target: DestekBasvuruFormu.apk
- Size: 2.8MB
- MD5: e763207653ee9506e09c10ef43090faa
- SHA1: 1856ebdd170ca8abc15cc38dc065190997f141eb
- SHA256: 96ab53899db38080f89781aa6e0b3826fbdc4d650e781a4faba9b49a1f96b560
- SHA512: 6b29b7cb99ce686606172586a1af94c4c9a1bac3e7c5c7b8b98f6f8c47f6bd8a5f8ce9ec9a113dffc2d08454bb9bac1a107859d1d54e307b0638a96f259f318a

Malware Config
Extracted
- Family: alienbot
- C2: http://seymidostm0214.com
Signatures
-
Alienbot
Alienbot is a fork of the Cerberus banker, first seen in January 2020.
-
Processes:
  pid   process
  3615  time.rhythm.rent
  3615  time.rhythm.rent
  3615  time.rhythm.rent
  3615  time.rhythm.rent
  3615  time.rhythm.rent
  3615  time.rhythm.rent
  3615  time.rhythm.rent
-
Loads dropped Dex/Jar (3 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
  ioc                                                            pid   process
  /data/user/0/time.rhythm.rent/app_DynamicOptDex/BXkEYB.json    3615  time.rhythm.rent
  /data/user/0/time.rhythm.rent/app_DynamicOptDex/BXkEYB.json    3615  time.rhythm.rent
  /data/data/time.rhythm.rent/app_apk/ring0.apk                  3615  time.rhythm.rent
-
Uses reflection (55 IoCs)
Processes:
  description                                                                          pid   process
  Invokes method java.lang.Object.getClass                                             3615  time.rhythm.rent
  Invokes method android.content.res.AssetManager.addAssetPath                         3615  time.rhythm.rent
  Invokes method android.app.ContextImpl.getAssets                                     3615  time.rhythm.rent
  Invokes method java.lang.Object.getClass                                             3615  time.rhythm.rent
  Invokes method android.content.res.AssetManager.open                                 3615  time.rhythm.rent
  Invokes method java.io.FilterInputStream.read                                        3615  time.rhythm.rent
  Invokes method java.io.FilterInputStream.read                                        3615  time.rhythm.rent
  Invokes method java.io.BufferedInputStream.read                                      3615  time.rhythm.rent
  Invokes method java.lang.Object.getClass                                             3615  time.rhythm.rent
  Invokes method java.io.BufferedInputStream.close                                     3615  time.rhythm.rent
  Invokes method java.lang.Object.getClass                                             3615  time.rhythm.rent
  Invokes method java.lang.String.getBytes                                             3615  time.rhythm.rent
  Invokes method java.lang.Object.getClass                                             3615  time.rhythm.rent
  Invokes method java.io.FileOutputStream.write                                        3615  time.rhythm.rent
  Invokes method java.lang.Object.getClass                                             3615  time.rhythm.rent
  Invokes method java.io.BufferedInputStream.close                                     3615  time.rhythm.rent
  Invokes method java.lang.Object.getClass                                             3615  time.rhythm.rent
  Invokes method java.io.FilterOutputStream.close                                      3615  time.rhythm.rent
  Invokes method android.app.ActivityThread.currentActivityThread                      3615  time.rhythm.rent
  Accesses field android.app.ActivityThread.mPackages                                  3615  time.rhythm.rent
  Invokes method java.lang.reflect.Field.get                                           3615  time.rhythm.rent
  Invokes method java.lang.Object.getClass                                             3615  time.rhythm.rent
  Invokes method java.lang.ref.Reference.get                                           3615  time.rhythm.rent
  Invokes method java.lang.ref.Reference.get                                           3615  time.rhythm.rent
  Accesses field android.app.LoadedApk.mClassLoader                                    3615  time.rhythm.rent
  Invokes method java.lang.reflect.Field.get                                           3615  time.rhythm.rent
  Accesses field android.app.LoadedApk.mClassLoader                                    3615  time.rhythm.rent
  Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE           3615  time.rhythm.rent
  Invokes method dalvik.system.CloseGuard.get                                          3615  time.rhythm.rent
  Invokes method dalvik.system.CloseGuard.open                                         3615  time.rhythm.rent
  Accesses field javax.security.auth.x500.X500Principal.thisX500Name                   3615  time.rhythm.rent
  Accesses field javax.security.auth.x500.X500Principal.thisX500Name                   3615  time.rhythm.rent
  Invokes method android.security.NetworkSecurityPolicy.getInstance                    3615  time.rhythm.rent
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3615  time.rhythm.rent
  Invokes method dalvik.system.CloseGuard.get                                          3615  time.rhythm.rent
  Invokes method dalvik.system.CloseGuard.open                                         3615  time.rhythm.rent
  Invokes method android.security.NetworkSecurityPolicy.getInstance                    3615  time.rhythm.rent
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3615  time.rhythm.rent
  Invokes method dalvik.system.CloseGuard.get                                          3615  time.rhythm.rent
  Invokes method dalvik.system.CloseGuard.open                                         3615  time.rhythm.rent
  Invokes method android.security.NetworkSecurityPolicy.getInstance                    3615  time.rhythm.rent
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3615  time.rhythm.rent
  Invokes method dalvik.system.CloseGuard.get                                          3615  time.rhythm.rent
  Invokes method dalvik.system.CloseGuard.open                                         3615  time.rhythm.rent
  Invokes method android.security.NetworkSecurityPolicy.getInstance                    3615  time.rhythm.rent
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3615  time.rhythm.rent
  Invokes method patch.ring0.run.main                                                  3615  time.rhythm.rent
  Invokes method dalvik.system.CloseGuard.get                                          3615  time.rhythm.rent
  Invokes method dalvik.system.CloseGuard.open                                         3615  time.rhythm.rent
  Invokes method android.security.NetworkSecurityPolicy.getInstance                    3615  time.rhythm.rent
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3615  time.rhythm.rent
  Invokes method dalvik.system.CloseGuard.get                                          3615  time.rhythm.rent
  Invokes method dalvik.system.CloseGuard.open                                         3615  time.rhythm.rent
  Invokes method android.security.NetworkSecurityPolicy.getInstance                    3615  time.rhythm.rent
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    3615  time.rhythm.rent
Processes
- time.rhythm.rent
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Uses reflection
  - time.rhythm.rent (child process)
  - getprop (child process)
  - time.rhythm.rent (child process)
  - getprop (child process)
  - time.rhythm.rent (child process)
  - getprop (child process)
  - time.rhythm.rent (child process)
  - getprop (child process)
  - time.rhythm.rent (child process)
  - getprop (child process)
  - time.rhythm.rent (child process)
  - getprop (child process)