Analysis
max time kernel: 1407631s
max time network: 186s
platform: android_x64
resource: android-x64
submitted: 17-08-2021 11:36

Static task: static1
Behavioral task: behavioral1
Sample: 9097f2c241be72a64a0ceab6e4de074d0314cf7661ec04ef3dcaa7b99407aa0a.apk
Resource: android-x64
0 signatures
0 seconds
General
Target: 9097f2c241be72a64a0ceab6e4de074d0314cf7661ec04ef3dcaa7b99407aa0a.apk
Size: 3.1MB
MD5: f63eb8e447e0fec2b226d7c0e04b8052
SHA1: 545d06d33fb5be58e2e74a28794d3a5251244162
SHA256: 9097f2c241be72a64a0ceab6e4de074d0314cf7661ec04ef3dcaa7b99407aa0a
SHA512: 064d56ef45a8e6ed0635d2826b8510b268dcd67c0a97d5f5bb09bd8bfbd6189b750201112ab30f95537adb0e1b17f78dcb82bda14eba18f7ff0f39ebc497faa4
Score: 10/10
Malware Config
Extracted
Family: alienbot
C2: http://sillldkisteaqq.com
Signatures

Alienbot
Alienbot is a fork of the Cerberus Android banker, first seen in January 2020.

Loads dropped Dex/Jar (3 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/pulse.puzzle.victory/app_DynamicOptDex/LEcL.json | 3605 | pulse.puzzle.victory
/data/user/0/pulse.puzzle.victory/app_DynamicOptDex/LEcL.json | 3605 | pulse.puzzle.victory
/data/data/pulse.puzzle.victory/app_apk/ring0.apk | 3605 | pulse.puzzle.victory
Reads name of network operator (1 IoC)
Uses Android APIs to discover system information.
description | ioc | Process
Framework API call | android.telephony.TelephonyManager.getNetworkOperatorName | pulse.puzzle.victory
Uses reflection (20 IoCs)
description | pid | Process
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | 3605 | pulse.puzzle.victory
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | 3605 | pulse.puzzle.victory
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | 3605 | pulse.puzzle.victory
Invokes method dalvik.system.CloseGuard.get | 3605 | pulse.puzzle.victory
Invokes method dalvik.system.CloseGuard.open | 3605 | pulse.puzzle.victory
Invokes method android.security.NetworkSecurityPolicy.getInstance | 3605 | pulse.puzzle.victory
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted | 3605 | pulse.puzzle.victory
Invokes method dalvik.system.CloseGuard.get | 3605 | pulse.puzzle.victory
Invokes method dalvik.system.CloseGuard.open | 3605 | pulse.puzzle.victory
Invokes method android.security.NetworkSecurityPolicy.getInstance | 3605 | pulse.puzzle.victory
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted | 3605 | pulse.puzzle.victory
Invokes method dalvik.system.CloseGuard.get | 3605 | pulse.puzzle.victory
Invokes method dalvik.system.CloseGuard.open | 3605 | pulse.puzzle.victory
Invokes method android.security.NetworkSecurityPolicy.getInstance | 3605 | pulse.puzzle.victory
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted | 3605 | pulse.puzzle.victory
Invokes method dalvik.system.CloseGuard.get | 3605 | pulse.puzzle.victory
Invokes method dalvik.system.CloseGuard.open | 3605 | pulse.puzzle.victory
Invokes method android.security.NetworkSecurityPolicy.getInstance | 3605 | pulse.puzzle.victory
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted | 3605 | pulse.puzzle.victory
Invokes method patch.ring0.run.main | 3605 | pulse.puzzle.victory
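The dropped-payload IoCs above show the pattern worth checking for on a device or in a pulled app data directory: a DEX written under app_DynamicOptDex with a .json extension, and a second APK (ring0.apk) whose entry point patch.ring0.run.main is then reached through reflection. The script below is an added example, not part of the sandbox report, that scans a directory tree and flags files whose magic bytes identify them as DEX/ODEX or ZIP (APK/JAR) containers while their extension claims otherwise. The fixture it builds reuses the report's file names but with constructed, inert contents, and the extension whitelist is an assumption you may need to widen for a given app.

```python
import os
import tempfile
from pathlib import Path

# Magic prefixes of container formats a dropper commonly hides behind
# harmless-looking extensions such as .json.
MAGIC = {
    b"dex\n": "dex",        # Dalvik executable, any version (035, 037, ...)
    b"dey\n": "odex",       # optimized DEX
    b"PK\x03\x04": "zip",   # APK and JAR are ZIP containers
}

# Extensions under which each format is legitimately expected (assumption).
EXPECTED_EXT = {
    "dex": {".dex"},
    "odex": {".odex", ".dey"},
    "zip": {".apk", ".jar", ".zip"},
}


def classify(head: bytes):
    """Return the detected format name for a file header, or None."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def scan_tree(root):
    """Walk `root` and return (relative_path, format) for every file whose
    content is DEX/ODEX/ZIP but whose extension does not match that format."""
    root = Path(root)
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                with open(p, "rb") as f:
                    head = f.read(8)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            kind = classify(head)
            if kind and p.suffix.lower() not in EXPECTED_EXT[kind]:
                findings.append((p.relative_to(root).as_posix(), kind))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed fixture mirroring the report's paths; contents are inert
    stubs carrying only the magic bytes, not real payloads."""
    root = Path(root)
    dyn = root / "app_DynamicOptDex"
    dyn.mkdir(parents=True, exist_ok=True)
    (dyn / "LEcL.json").write_bytes(b"dex\n035\x00" + b"\x00" * 64)   # DEX as .json
    (dyn / "config.json").write_bytes(b'{"ok": true}')                 # genuine JSON
    apk = root / "app_apk"
    apk.mkdir(exist_ok=True)
    (apk / "ring0.apk").write_bytes(b"PK\x03\x04" + b"\x00" * 26)      # APK named as such
    return root


def demo():
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, kind in demo():
        print(f"{kind.upper()} payload with misleading extension: {path}")
```

Against the fixture only app_DynamicOptDex/LEcL.json is reported: ring0.apk carries a matching extension and config.json is real JSON. On a live case, point scan_tree at a directory pulled with adb (for example the package's /data/data or /data/user/0 tree) rather than the fixture, and treat any hit under an app's private storage as a candidate for the dynamic code loading the report flags.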