Analysis
max time kernel: 1499762s
max time network: 158s
platform: android_x64
resource: android-x64-arm64
submitted: 18-08-2021 13:10

Static task: static1
Behavioral task: behavioral1
Sample: edf3f11dac0a98f3d79cb096edc19cb3ce57a8f315d03718e88c18df8ef5ab7a.apk
Resource: android-x64-arm64
0 signatures, 0 seconds

General
Target: edf3f11dac0a98f3d79cb096edc19cb3ce57a8f315d03718e88c18df8ef5ab7a.apk
Size: 4.0MB
MD5: db19462e0180969c5b32b7e8df4c1152
SHA1: 875d927730bfed5fcf148f3636509b8b9d33b8c5
SHA256: edf3f11dac0a98f3d79cb096edc19cb3ce57a8f315d03718e88c18df8ef5ab7a
SHA512: 1a5d4971d607dc491bd235646fb2e21496c18235577222da96f13fc248de762283d79099316651616ed4d94ddf863f9da68286513f146ea69abd71772edbe931
Score: 10/10
Malware Config
Extracted
Family: alienbot
C2: http://kokosrumianzua.ml
Signatures

Alienbot
Alienbot is a fork of the Cerberus Android banker, first seen in January 2020.

Checks Android system properties for emulator presence. 1 IoC
description                       ioc               Process
Accessed system property key      ro.product.model  torch.once.all
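The report shows the sample reading ro.product.model, the property a banker typically compares against the strings stock emulator images report. The check below is an added illustration of that logic, not code recovered from the sample or from the sandbox; it generalises to two further properties (ro.hardware and ro.kernel.qemu) that the report does not mention, and the indicator values plus the two property sets at the bottom are assumptions modelled on stock AVD images, not captured data. The same list tells an analyst which values an analysis environment must present to avoid tripping the check.

```python
"""Illustrative emulator check against Android system properties.

Added example: this is not code from the sample or from the sandbox report.
The report only shows the sample reading ro.product.model; the other
property names and all indicator values below are assumptions drawn from
what stock AVD (goldfish/ranchu) images report, and the two property sets
at the bottom are constructed, not captured from a device.
"""
from __future__ import annotations

from typing import Mapping

# Substrings that stock emulator images put in ro.product.model (assumed).
EMULATOR_MODEL_MARKERS = ("android sdk built for", "sdk_gphone", "google_sdk", "emulator")
# ro.hardware values used by the QEMU-based emulator (assumed).
EMULATOR_HARDWARE = {"goldfish", "ranchu"}


def emulator_indicators(props: Mapping[str, str]) -> list[str]:
    """Return the indicators that fired; an empty list means nothing matched.

    Each indicator is "<property>=<value>" so an analyst can see which
    value tripped the check and which one the sandbox should present instead.
    """
    hits: list[str] = []
    model = props.get("ro.product.model", "")
    if any(marker in model.lower() for marker in EMULATOR_MODEL_MARKERS):
        hits.append(f"ro.product.model={model}")
    hardware = props.get("ro.hardware", "")
    if hardware.lower() in EMULATOR_HARDWARE:
        hits.append(f"ro.hardware={hardware}")
    if props.get("ro.kernel.qemu") == "1":
        hits.append("ro.kernel.qemu=1")
    return hits


def is_probably_emulator(props: Mapping[str, str]) -> bool:
    """Decision the way a sample would make it: any single hit is enough."""
    return bool(emulator_indicators(props))


# Constructed property sets for the demonstration (not captured from devices).
EMULATOR_PROPS = {
    "ro.product.model": "Android SDK built for x86_64",
    "ro.hardware": "ranchu",
    "ro.kernel.qemu": "1",
}
PHONE_PROPS = {
    "ro.product.model": "Pixel 4a",
    "ro.hardware": "sunfish",
}

if __name__ == "__main__":
    for name, props in (("emulator", EMULATOR_PROPS), ("phone", PHONE_PROPS)):
        print(name, emulator_indicators(props) or "no indicators")
```

Only ro.product.model is attested by this report; the extra properties are there because a check that keys on one value is trivially defeated by renaming the image, and a sandbox that wants samples to detonate has to get all of them right.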
Loads dropped Dex/Jar 4 IoCs
Runs executable file dropped to the device during analysis.
ioc                                                        pid   Process
/data/user/0/torch.once.all/app_DynamicOptDex/UIdJ.json    4093  torch.once.all
/data/user/0/torch.once.all/app_DynamicOptDex/UIdJ.json    4093  torch.once.all
/product/app/TrichromeLibrary/TrichromeLibrary.apk         4093  torch.once.all
/product/app/TrichromeLibrary/TrichromeLibrary.apk         4093  torch.once.all

The file of interest is UIdJ.json: a second-stage payload written to the app's private storage under a .json name and then loaded as code. The app_DynamicOptDex directory name is what Context.getDir("DynamicOptDex", ...) produces. TrichromeLibrary.apk under /product is a system-supplied Chrome/WebView shared library, so those two rows most likely reflect the sample using a WebView rather than a file it dropped.
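When pulling dropped files like UIdJ.json out of a sandbox, classify them by content rather than by extension. The helper below is an added example, not code from the report or the sample: it reads the leading bytes, recognises DEX, optimized DEX, ZIP-based (JAR/APK) and ELF payloads, flags a code file hiding behind a non-code extension, and hashes it for pivoting. The two files it writes are constructed stand-ins (a minimal DEX header padded with zeros and a harmless JSON document), not the real dropped payload.

```python
"""Identify a dropped file by its magic bytes rather than its extension.

Added example, not code from the report. The "UIdJ.json" bytes written
below are constructed (a minimal DEX header padded with zeros), not the
file the sample actually dropped; a real DEX carries a full header and
checksums that this demo does not reproduce.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# (magic, kind) pairs for formats a sample can hand to a class loader.
MAGICS = (
    (b"dex\n", "dex"),
    (b"dey\n", "odex"),
    (b"PK\x03\x04", "zip/jar/apk"),
    (b"\x7fELF", "elf"),
)
# Extensions under which those kinds are not considered disguised.
CODE_EXTENSIONS = {".dex", ".odex", ".jar", ".apk", ".zip", ".so"}


def classify(data: bytes) -> str:
    """Return the container kind from the leading bytes, or "unknown"."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"


def dex_version(data: bytes) -> str | None:
    """A DEX header starts "dex\\n" + three ASCII digits + NUL, e.g. dex\\n035\\0."""
    if data[:4] == b"dex\n" and len(data) >= 8 and data[7:8] == b"\x00":
        return data[4:7].decode("ascii", "replace")
    return None


def triage(path: Path) -> dict:
    """Summarise one dropped file: real kind, DEX version, hash, disguise flag."""
    data = path.read_bytes()
    kind = classify(data)
    disguised = kind != "unknown" and path.suffix.lower() not in CODE_EXTENSIONS
    return {
        "name": path.name,
        "kind": kind,
        "dex_version": dex_version(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "disguised": disguised,
    }


def demo() -> list[dict]:
    """Write two constructed files into a temp app_DynamicOptDex dir and triage them."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 24      # constructed, not the real payload
    real_json = b'{"config": "nothing to see"}'     # constructed decoy
    with tempfile.TemporaryDirectory() as tmp:
        drop_dir = Path(tmp) / "app_DynamicOptDex"
        drop_dir.mkdir()
        (drop_dir / "UIdJ.json").write_bytes(fake_dex)
        (drop_dir / "settings.json").write_bytes(real_json)
        return [triage(p) for p in sorted(drop_dir.iterdir())]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run it against the real directory pulled from the device (adb pull of /data/user/0/torch.once.all/app_DynamicOptDex on a rooted analysis image) and the disguised flag tells you which .json files are worth decompiling; the SHA-256 is the value to search for in other reports.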
Requests enabling of the accessibility settings. 1 IoC
description    ioc                                   Process
Intent action  android.settings.ACCESSIBILITY_SETTINGS  torch.once.all

Opening the accessibility settings page is how the Cerberus lineage asks the victim to enable its accessibility service; once granted, that service is the foothold for overlays, screen reading and clicking through later permission prompts without user interaction.
Uses reflection 27 IoCs
All 27 entries are from pid 4093 (torch.once.all); repeated entries are collapsed with a count.
description                                                                       count
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE           1
Accesses field javax.security.auth.x500.X500Principal.thisX500Name                   10
Invokes method dalvik.system.CloseGuard.get                                          4
Invokes method dalvik.system.CloseGuard.open                                         4
Invokes method android.security.NetworkSecurityPolicy.getInstance                    4
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted    4
Processes
torch.once.all (PID 4093)
  - Checks Android system properties for emulator presence.
  - Loads dropped Dex/Jar
  - Requests enabling of the accessibility settings.
  - Uses reflection
  torch.once.all (PID 6781)
  torch.once.all (PID 6810)
  torch.once.all (PID 6937)
  torch.once.all (PID 6967)