Analysis

max time kernel:   1318096s
max time network:  185s
platform:          android_x64
resource:          android-x64
submitted:         16-08-2021 10:44

Static task:       static1
Behavioral task:   behavioral1
Sample:            Android_Guncelleme.apk
Resource:          android-x64
0 signatures, 0 seconds
General

Target:  Android_Guncelleme.apk
Size:    3.4MB
MD5:     ea32dfb83dff2f55084a22624077dd6e
SHA1:    0b994725abc116f194007865b898e981f0b41e4d
SHA256:  9b288f10d587a1390b422e385e7813b24f51b34304ac0585242b865a7a1b9be6
SHA512:  4491c85229d063c6c63d2ccacb08505650030767237692ad06f3fc3a527296e06d8aed09c56088f38463b3ceb31d1cedb1f06eb5a823d194f2ffe16b16d1a779
Score:   10/10
Malware Config

Extracted
Family:  alienbot
C2:      http://34.89.218.199
Signatures

Alienbot
Alienbot is a fork of the Cerberus banker, first seen in January 2020.

Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.

ioc                                                          pid   Process
/data/user/0/pole.crumble.burden/app_DynamicOptDex/YcB.json  3619  pole.crumble.burden
/data/user/0/pole.crumble.burden/app_DynamicOptDex/YcB.json  3619  pole.crumble.burden
Reads name of network operator (1 IoC)
Uses Android APIs to discover system information.

description         ioc                                                        Process
Framework API call  android.telephony.TelephonyManager.getNetworkOperatorName  pole.crumble.burden
Uses reflection (19 IoCs)

description                                                                       pid   Process
Accesses field  com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE       3619  pole.crumble.burden
Accesses field  javax.security.auth.x500.X500Principal.thisX500Name               3619  pole.crumble.burden
Accesses field  javax.security.auth.x500.X500Principal.thisX500Name               3619  pole.crumble.burden
Invokes method  dalvik.system.CloseGuard.get                                      3619  pole.crumble.burden
Invokes method  dalvik.system.CloseGuard.open                                     3619  pole.crumble.burden
Invokes method  android.security.NetworkSecurityPolicy.getInstance                3619  pole.crumble.burden
Invokes method  android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3619  pole.crumble.burden
Invokes method  dalvik.system.CloseGuard.get                                      3619  pole.crumble.burden
Invokes method  dalvik.system.CloseGuard.open                                     3619  pole.crumble.burden
Invokes method  android.security.NetworkSecurityPolicy.getInstance                3619  pole.crumble.burden
Invokes method  android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3619  pole.crumble.burden
Invokes method  dalvik.system.CloseGuard.get                                      3619  pole.crumble.burden
Invokes method  dalvik.system.CloseGuard.open                                     3619  pole.crumble.burden
Invokes method  android.security.NetworkSecurityPolicy.getInstance                3619  pole.crumble.burden
Invokes method  android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3619  pole.crumble.burden
Invokes method  dalvik.system.CloseGuard.get                                      3619  pole.crumble.burden
Invokes method  dalvik.system.CloseGuard.open                                     3619  pole.crumble.burden
Invokes method  android.security.NetworkSecurityPolicy.getInstance                3619  pole.crumble.burden
Invokes method  android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted 3619  pole.crumble.burden