Analysis
max time kernel: 1499937s
max time network: 171s
platform: android_x64
resource: android-x64
submitted: 18-08-2021 13:13

Static task: static1
Behavioral task: behavioral1
Sample: 3695125b6ddd8cf5d4fb024a7d247ebcc9d1f56f436fb2fe5f12573fe408e690.apk
Resource: android-x64
0 signatures
0 seconds
General
Target: 3695125b6ddd8cf5d4fb024a7d247ebcc9d1f56f436fb2fe5f12573fe408e690.apk
Size: 3.1MB
MD5: 5daf5bc5852694acbfef4db66ac4fb02
SHA1: 1bf810e618f5ea814e662ae256d5bde7bd164164
SHA256: 3695125b6ddd8cf5d4fb024a7d247ebcc9d1f56f436fb2fe5f12573fe408e690
SHA512: 6fd2ea3540227dc26b26e46cae376616ce6676c93f0c062bef4a5f62adcbbb79c1d21f5c7ef17ac57dcb186cccc790401e9a787b2e1b529b53212e434659fc02
Score: 10/10
Malware Config
Extracted
Family: alienbot
C2: http://sillldkisteaqq.com
Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
Loads dropped Dex/Jar (11 IoCs)
Runs executable file dropped to the device during analysis. The two /product/app/webview/webview.apk rows are the stock system WebView provider, which is loaded into any app process that instantiates a WebView; the rows under the app's own private data directory (app_DynamicOptDex/jTLjbH.json and app_apk/ring0.apk) are the code the sample itself wrote to disk and then loaded.

ioc  pid  Process
/data/user/0/buddy.satisfy.another/app_DynamicOptDex/jTLjbH.json  3674  buddy.satisfy.another
/data/user/0/buddy.satisfy.another/app_DynamicOptDex/jTLjbH.json  3674  buddy.satisfy.another
/data/data/buddy.satisfy.another/app_apk/ring0.apk  3674  buddy.satisfy.another
/data/data/buddy.satisfy.another/app_apk/ring0.apk  3674  buddy.satisfy.another
/data/data/buddy.satisfy.another/app_apk/ring0.apk  3674  buddy.satisfy.another
/data/data/buddy.satisfy.another/app_apk/ring0.apk  3674  buddy.satisfy.another
/product/app/webview/webview.apk  3674  buddy.satisfy.another
/product/app/webview/webview.apk  3674  buddy.satisfy.another
/data/data/buddy.satisfy.another/app_apk/ring0.apk  3674  buddy.satisfy.another
/data/data/buddy.satisfy.another/app_apk/ring0.apk  3674  buddy.satisfy.another
/data/data/buddy.satisfy.another/app_apk/ring0.apk  3674  buddy.satisfy.another
Reads name of network operator (1 IoC)
Uses Android APIs to discover system information.

description  ioc  Process
Framework API call  android.telephony.TelephonyManager.getNetworkOperatorName  buddy.satisfy.another
Uses reflection (33 IoCs)

description  pid  Process
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE  3674  buddy.satisfy.another
Accesses field javax.security.auth.x500.X500Principal.thisX500Name  3674  buddy.satisfy.another
Accesses field javax.security.auth.x500.X500Principal.thisX500Name  3674  buddy.satisfy.another
Invokes method dalvik.system.CloseGuard.get  3674  buddy.satisfy.another
Invokes method dalvik.system.CloseGuard.open  3674  buddy.satisfy.another
Invokes method android.security.NetworkSecurityPolicy.getInstance  3674  buddy.satisfy.another
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  3674  buddy.satisfy.another
Invokes method dalvik.system.CloseGuard.get  3674  buddy.satisfy.another
Invokes method dalvik.system.CloseGuard.open  3674  buddy.satisfy.another
Invokes method android.security.NetworkSecurityPolicy.getInstance  3674  buddy.satisfy.another
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  3674  buddy.satisfy.another
Invokes method dalvik.system.CloseGuard.get  3674  buddy.satisfy.another
Invokes method dalvik.system.CloseGuard.open  3674  buddy.satisfy.another
Invokes method android.security.NetworkSecurityPolicy.getInstance  3674  buddy.satisfy.another
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  3674  buddy.satisfy.another
Invokes method dalvik.system.CloseGuard.get  3674  buddy.satisfy.another
Invokes method dalvik.system.CloseGuard.open  3674  buddy.satisfy.another
Invokes method android.security.NetworkSecurityPolicy.getInstance  3674  buddy.satisfy.another
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  3674  buddy.satisfy.another
Invokes method patch.ring0.run.main  3674  buddy.satisfy.another
Invokes method patch.ring0.run.main  3674  buddy.satisfy.another
Invokes method patch.ring0.run.main  3674  buddy.satisfy.another
Invokes method patch.ring0.run.main  3674  buddy.satisfy.another
Invokes method dalvik.system.CloseGuard.get  3674  buddy.satisfy.another
Invokes method dalvik.system.CloseGuard.open  3674  buddy.satisfy.another
Invokes method android.security.NetworkSecurityPolicy.getInstance  3674  buddy.satisfy.another
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted  3674  buddy.satisfy.another
Invokes method android.content.Context.bindServiceAsUser  3674  buddy.satisfy.another
Invokes method android.content.Context.bindServiceAsUser  3674  buddy.satisfy.another
Invokes method android.content.Context.bindServiceAsUser  3674  buddy.satisfy.another
Invokes method patch.ring0.run.main  3674  buddy.satisfy.another
Invokes method patch.ring0.run.main  3674  buddy.satisfy.another
Invokes method patch.ring0.run.main  3674  buddy.satisfy.another