Analysis

max time kernel: 1451728s
max time network: 134s
platform: android_x86_64
resource: android-x86_64
submitted: 10-05-2021 13:44
General

Target: multi.apk
Size: 2.4MB
MD5: 25dbb2e7c15f00d01a222c78cc96cb6d
SHA1: 579f99a4c4bb7b5d3b4d5dde87400424a7004d44
SHA256: 34a019fa671da69f8a53c116110bee127a39cc517e71b9f2bf819d23a09e976c
SHA512: d10c3ae03f1936287c17c28bfa2f2d90f7e078dcaf55c26500355a81a3dbd2834aa621ffbf70ab255d4da82df94b1af752d382eb67190d57c09b3ce2a1e8706a
Malware Config (extracted)

Family: alienbot
C2: http://akpli.club
Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
Processes:
  pid   process
  3611  burst.save.avoid
  3611  burst.save.avoid
  3611  burst.save.avoid
Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
  ioc                                                         pid   process
  /data/user/0/burst.save.avoid/app_DynamicOptDex/qhRl.json  3611  burst.save.avoid
  /data/user/0/burst.save.avoid/app_DynamicOptDex/qhRl.json  3611  burst.save.avoid
Uses reflection (42 IoCs)
Processes:
  description  pid  process
  Invokes method java.lang.Object.getClass  3611  burst.save.avoid
  Invokes method android.content.res.AssetManager.addAssetPath  3611  burst.save.avoid
  Invokes method android.app.ContextImpl.getAssets  3611  burst.save.avoid
  Invokes method java.lang.Object.getClass  3611  burst.save.avoid
  Invokes method android.content.res.AssetManager.open  3611  burst.save.avoid
  Invokes method java.io.FilterInputStream.read  3611  burst.save.avoid
  Invokes method java.io.FilterInputStream.read  3611  burst.save.avoid
  Invokes method java.io.BufferedInputStream.read  3611  burst.save.avoid
  Invokes method java.lang.Object.getClass  3611  burst.save.avoid
  Invokes method java.io.BufferedInputStream.close  3611  burst.save.avoid
  Invokes method java.lang.Object.getClass  3611  burst.save.avoid
  Invokes method java.lang.String.getBytes  3611  burst.save.avoid
  Invokes method java.lang.Object.getClass  3611  burst.save.avoid
  Invokes method java.io.FileOutputStream.write  3611  burst.save.avoid
  Invokes method java.lang.Object.getClass  3611  burst.save.avoid
  Invokes method java.io.BufferedInputStream.close  3611  burst.save.avoid
  Invokes method java.lang.Object.getClass  3611  burst.save.avoid
  Invokes method java.io.FilterOutputStream.close  3611  burst.save.avoid
  Invokes method android.app.ActivityThread.currentActivityThread  3611  burst.save.avoid
  Accesses field android.app.ActivityThread.mPackages  3611  burst.save.avoid
  Invokes method java.lang.reflect.Field.get  3611  burst.save.avoid
  Invokes method java.lang.Object.getClass  3611  burst.save.avoid
  Invokes method java.lang.ref.Reference.get  3611  burst.save.avoid
  Invokes method java.lang.ref.Reference.get  3611  burst.save.avoid
  Accesses field android.app.LoadedApk.mClassLoader  3611  burst.save.avoid
  Invokes method java.lang.reflect.Field.get  3611  burst.save.avoid
  Accesses field android.app.LoadedApk.mClassLoader  3611  burst.save.avoid
  Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE  3611  burst.save.avoid
  Accesses field javax.security.auth.x500.X500Principal.thisX500Name  3611  burst.save.avoid
  Accesses field javax.security.auth.x500.X500Principal.thisX500Name  3611  burst.save.avoid
  Invokes method dalvik.system.CloseGuard.get  3611  burst.save.avoid
  Invokes method dalvik.system.CloseGuard.open  3611  burst.save.avoid
  Invokes method dalvik.system.CloseGuard.get  3611  burst.save.avoid
  Invokes method dalvik.system.CloseGuard.open  3611  burst.save.avoid
  Invokes method dalvik.system.CloseGuard.get  3611  burst.save.avoid
  Invokes method dalvik.system.CloseGuard.open  3611  burst.save.avoid
  Invokes method dalvik.system.CloseGuard.get  3611  burst.save.avoid
  Invokes method dalvik.system.CloseGuard.open  3611  burst.save.avoid
  Invokes method dalvik.system.CloseGuard.get  3611  burst.save.avoid
  Invokes method dalvik.system.CloseGuard.open  3611  burst.save.avoid
  Invokes method dalvik.system.CloseGuard.get  3611  burst.save.avoid
  Invokes method dalvik.system.CloseGuard.open  3611  burst.save.avoid