Analysis

max time kernel:   1267286s
max time network:  187s
platform:          android_x64
resource:          android-x64-arm64
submitted:         15-08-2021 20:37

Static task:       static1
Behavioral task:   behavioral1
Sample:            AndroidGuncelleme.apk
Resource:          android-x64-arm64
0 signatures
0 seconds
General

Target:  AndroidGuncelleme.apk
Size:    3.4MB
MD5:     c58cb2d542178830e7d1a52227116256
SHA1:    741f00d6ea8150d2baa39f27ca74c867284f993b
SHA256:  59b0c482d02ef1211b936a329a99819f7c3c603808960b53eca558f293362c85
SHA512:  36461b81c8dbb3fd5e3ded0d948a58b0f61e96753d4525fa0ce7671bef62078aeb69a292ccbf65071394d7bbec3277a3cec257a892f253cc86558bcb1c6d5657
Score:   10/10
Malware Config (Extracted)

Family:  alienbot
C2:      http://34.141.27.218
Signatures

Alienbot
  Alienbot is a fork of the Cerberus banker, first seen in January 2020.

Loads dropped Dex/Jar (2 IoCs)
  Runs an executable file dropped to the device during analysis.
  ioc                                                           pid   Process
  /data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json  4654  glove.resist.bring
  /data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json  4654  glove.resist.bring

Reads name of network operator (1 IoC)
  Uses Android APIs to discover system information.
  description         ioc                                                        Process
  Framework API call  android.telephony.TelephonyManager.getNetworkOperatorName  glove.resist.bring

Uses reflection (8 IoCs)
  description                                                                   pid   Process
  Invokes method dalvik.system.CloseGuard.get                                   4654  glove.resist.bring
  Invokes method dalvik.system.CloseGuard.open                                  4654  glove.resist.bring
  Invokes method android.security.NetworkSecurityPolicy.getInstance             4654  glove.resist.bring
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  4654  glove.resist.bring
  Invokes method dalvik.system.CloseGuard.get                                   4654  glove.resist.bring
  Invokes method dalvik.system.CloseGuard.open                                  4654  glove.resist.bring
  Invokes method android.security.NetworkSecurityPolicy.getInstance             4654  glove.resist.bring
  Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  4654  glove.resist.bring
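Two details in this report are worth a practitioner's attention: the dropped payload that the "Loads dropped Dex/Jar" signature flags carries a .json extension (app_DynamicOptDex/XSAyu.json) although it is loaded as code, and the extracted C2 is a plain http:// URL, which matches the sample's reflective calls to NetworkSecurityPolicy.isCleartextTrafficPermitted. The script below is an added example, not part of the sandbox report or of the Alienbot sample: it walks a directory tree pulled from an analysis device and identifies DEX and ZIP/JAR payloads by file magic rather than by extension, flagging those whose extension disguises the real type, and it checks whether a configured C2 URL uses cleartext HTTP. The directory tree, the file names other than XSAyu.json, and the file contents are constructed inline so the script runs offline.

```python
"""Added triage helper for the 'Loads dropped Dex/Jar' indicator.

Not part of the sandbox report. Given a directory pulled from the analysis
device (for example `adb pull /data/user/0/<pkg>` on a rooted device), it
finds files whose bytes are a DEX or ZIP/JAR payload regardless of their
extension. The sample tree built in build_sample_tree() is constructed for
this example; only the name XSAyu.json comes from the report.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

DEX_MAGIC = re.compile(rb"^dex\n\d{3}\x00")   # DEX header, e.g. b"dex\n035\x00"
ZIP_MAGIC = b"PK\x03\x04"                     # local file header of .jar/.apk/.zip
CODE_EXTENSIONS = {".dex", ".jar", ".apk", ".zip"}


@dataclass
class Finding:
    path: str        # path relative to the scanned root, with '/' separators
    kind: str        # "dex" or "zip"
    disguised: bool  # True when the extension does not match the real type


def classify_payload(path: str) -> Optional[str]:
    """Return "dex", "zip" or None based on the first bytes of the file."""
    with open(path, "rb") as f:
        head = f.read(8)
    if DEX_MAGIC.match(head):
        return "dex"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return None


def scan_dropped_code(root: str) -> List[Finding]:
    """Walk root and report every file that is really DEX or ZIP/JAR."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            kind = classify_payload(full)
            if kind is None:
                continue
            ext = os.path.splitext(name)[1].lower()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.append(Finding(rel, kind, ext not in CODE_EXTENSIONS))
    return findings


def is_cleartext_c2(url: str) -> bool:
    """True when the C2 URL is plain HTTP (no TLS), as in this report."""
    return url.strip().lower().startswith("http://")


def build_sample_tree() -> str:
    """Constructed stand-in for a pulled app data directory (not real data)."""
    root = tempfile.mkdtemp(prefix="dropped_dex_triage_")
    app = os.path.join(root, "app_DynamicOptDex")
    os.makedirs(app)
    # Disguised payload: DEX bytes behind a .json name, as the report lists.
    with open(os.path.join(app, "XSAyu.json"), "wb") as f:
        f.write(b"dex\n035\x00" + b"\x00" * 64)
    # Honest JAR (hypothetical name) and a genuine JSON file for contrast.
    with open(os.path.join(app, "helper.jar"), "wb") as f:
        f.write(ZIP_MAGIC + b"\x00" * 64)
    with open(os.path.join(root, "prefs.json"), "wb") as f:
        f.write(b'{"operator": "example"}')
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan_dropped_code(sample_root):
        tag = "DISGUISED " if finding.disguised else ""
        print(f"{tag}{finding.kind}: {finding.path}")
    print("cleartext C2:", is_cleartext_c2("http://34.141.27.218"))
```

Point scan_dropped_code() at a real pulled tree to reproduce the check; the report's own path, /data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json, would surface as a disguised DEX. Matching on magic rather than extension is the part that matters, since a loader can name its payload anything before handing it to DexClassLoader.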