Resubmissions
20-08-2021 20:23    210820-6fb97sdp2j    score 10    Analysis

max time kernel: 1698487s
max time network: 176s
platform: android_x64
resource: android-x64
submitted: 20-08-2021 20:23

Static task: static1
Behavioral task: behavioral1
Sample: Ifsa_Videosu.apk
Resource: android-x64
0 signatures
0 seconds
General

Target: Ifsa_Videosu.apk
Size: 3.3MB
MD5: 8d244ac025fb51c1348003dc9c3c3ea2
SHA1: fab5bd3e1504011efe253dfc344852f6b5c644a1
SHA256: ee5632e3c0717693c9ab993c2b0c5b6edb503383215895f99800d915d92d1b8e
SHA512: 83b782add0d8aeb33e18e29749c30665fe9139a8926e8c01c143f1299671633525c25a9c727b9e2f542b3763c031f7116669a5d937c60c40117a6309b0881caa
Score: 10/10
Malware Config

Extracted
Family: alienbot
C2: https://instagrambuyukprofil.com
Signatures

Alienbot
Alienbot is a fork of the Cerberus banking trojan, first seen in January 2020.

Loads dropped Dex/Jar (8 IoCs)
Runs an executable file dropped to the device during analysis. All eight events come from pid 3608 (umbrella.thought.elevator); note that the first payload is loaded from a file named .json, so the extension says nothing about the content.

ioc                                                                    pid   Process
/data/user/0/umbrella.thought.elevator/app_DynamicOptDex/dUlxss.json   3608  umbrella.thought.elevator
/data/user/0/umbrella.thought.elevator/app_DynamicOptDex/dUlxss.json   3608  umbrella.thought.elevator
/data/data/umbrella.thought.elevator/app_apk/ring0.apk                 3608  umbrella.thought.elevator
/data/data/umbrella.thought.elevator/app_apk/ring0.apk                 3608  umbrella.thought.elevator
/data/data/umbrella.thought.elevator/app_apk/ring0.apk                 3608  umbrella.thought.elevator
/data/data/umbrella.thought.elevator/app_apk/ring0.apk                 3608  umbrella.thought.elevator
/data/data/umbrella.thought.elevator/app_apk/ring0.apk                 3608  umbrella.thought.elevator
/data/data/umbrella.thought.elevator/app_apk/ring0.apk                 3608  umbrella.thought.elevator
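Because the loader names its DEX payload dUlxss.json, an analyst who pulls the dropped files off the device should identify them by content rather than by extension. The script below is an added example, not part of this report or of any sandbox tooling: it classifies files by the magic bytes of the containers Android can load as code (DEX, ZIP for APK/JAR, ELF for native libraries), flags names whose extension disagrees with the content, and records a SHA256 for each. The byte strings are constructed stand-ins labelled with the report's paths; they are not the real payloads.

```python
"""Classify dropped files by magic bytes, not by extension (added example).

The paths are the ones listed in the report; the file contents are constructed
header stubs, not the real dUlxss.json / ring0.apk payloads.
"""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass

# Magic values of the containers Android can load as code.
# DEX: b"dex\n" + three-digit version + NUL; 035, 037, 038 and 039 are the
# versions shipped by the platform.
DEX_MAGIC_PREFIX = b"dex\n"
DEX_VERSIONS = {b"035", b"037", b"038", b"039"}
ZIP_MAGIC = b"PK\x03\x04"   # APK and JAR are ZIP containers
ELF_MAGIC = b"\x7fELF"      # native .so payloads

# Extensions that honestly describe each container; anything else is a mismatch.
_HONEST_EXTENSIONS = {
    "dex": {".dex"},
    "zip": {".apk", ".jar", ".zip"},
    "elf": {".so"},
}


@dataclass(frozen=True)
class DroppedFile:
    path: str
    kind: str             # "dex", "zip", "elf" or "unknown"
    sha256: str
    extension_lies: bool  # True when the name's extension does not match the content


def classify(data: bytes) -> str:
    """Return the container type of `data` from its leading bytes."""
    if (
        data[:4] == DEX_MAGIC_PREFIX
        and data[4:7] in DEX_VERSIONS
        and data[7:8] == b"\x00"
    ):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(ELF_MAGIC):
        return "elf"
    return "unknown"


def inspect(path: str, data: bytes) -> DroppedFile:
    """Classify one dropped file and flag an extension that disagrees with its content."""
    kind = classify(data)
    ext = os.path.splitext(path)[1].lower()   # only looks at the last path component
    lies = kind != "unknown" and ext not in _HONEST_EXTENSIONS[kind]
    return DroppedFile(path, kind, hashlib.sha256(data).hexdigest(), lies)


# Constructed sample contents standing in for the files named in the report.
SAMPLES = {
    "/data/user/0/umbrella.thought.elevator/app_DynamicOptDex/dUlxss.json":
        b"dex\n035\x00" + b"\x00" * 24 + b"\x70\x00\x00\x00",   # DEX header stub
    "/data/data/umbrella.thought.elevator/app_apk/ring0.apk":
        b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 22,           # ZIP local file header stub
    "/data/data/umbrella.thought.elevator/files/notes.json":
        b'{"k": 1}',                                              # an honest JSON file
}


def inspect_all(samples: dict[str, bytes] = SAMPLES) -> list[DroppedFile]:
    """Classify every (path, content) pair; defaults to the constructed samples."""
    return [inspect(path, data) for path, data in samples.items()]


if __name__ == "__main__":
    for f in inspect_all():
        flag = "  <-- extension does not match content" if f.extension_lies else ""
        print(f"{f.kind:8s} {f.sha256[:16]}  {f.path}{flag}")
```

On a real device the same routine runs over files pulled with adb from the app's private directories; the SHA256 it records is what you compare against the hashes in the General section and submit for a second-stage analysis.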
Reads name of network operator (1 IoC)
Uses Android APIs to discover system information.

description         ioc                                                        Process
Framework API call  android.telephony.TelephonyManager.getNetworkOperatorName  umbrella.thought.elevator
Uses reflection (49 IoCs)
All 49 events come from pid 3608 (umbrella.thought.elevator). The table groups identical entries and gives the number of occurrences.

description     ioc                                                                          count
Accesses field  com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE                  1
Accesses field  javax.security.auth.x500.X500Principal.thisX500Name                          12
Invokes method  dalvik.system.CloseGuard.get                                                 5
Invokes method  dalvik.system.CloseGuard.open                                                5
Invokes method  com.android.org.conscrypt.ConscryptFileDescriptorSocket.setUseSessionTickets 5
Invokes method  com.android.org.conscrypt.ConscryptFileDescriptorSocket.setHostname          5
Invokes method  com.android.org.conscrypt.OpenSSLSocketImpl.setAlpnProtocols                 5
Invokes method  com.android.org.conscrypt.OpenSSLSocketImpl.getAlpnSelectedProtocol          5
Invokes method  patch.ring0.run.main                                                         6

Order in the report: the OkHostnameVerifier.INSTANCE access, two thisX500Name accesses, then four identical runs of CloseGuard.get, CloseGuard.open, setUseSessionTickets, setHostname, setAlpnProtocols, thisX500Name (twice), getAlpnSelectedProtocol; then patch.ring0.run.main five times; then a fifth such run; then patch.ring0.run.main once more.

The CloseGuard and Conscrypt socket calls are the reflective hooks an embedded OkHttp-style HTTPS client uses on Android to set SNI, session tickets and ALPN, so they mostly reflect the client's TLS connections (in this run, to the C2 listed above). The reflective call that matters for triage is patch.ring0.run.main: its package name matches the dropped ring0.apk, which is consistent with the sample handing control to the second stage it loaded.