Analysis
-
max time kernel
2377643s -
max time network
159s -
platform
android_x86 -
resource
android-x86-arm-20220310-en -
submitted
15-03-2022 13:11
General
-
Target
dcb88fb46c8d030c6f92dff0cd5e4c2f5bdf223070f2596c86a454f1adf00729.apk
-
Size
2.0MB
-
MD5
4043d73d75d220738d77843ff9be0247
-
SHA1
4dcad01a821c3fd994b4b968b9a67c6f75181fcc
-
SHA256
dcb88fb46c8d030c6f92dff0cd5e4c2f5bdf223070f2596c86a454f1adf00729
-
SHA512
d8ed2f6ff17ef048bfb78ce2c9a465a29dcd3f9f4b3e88e36c1c5cb31c588ce08fc27306002b0f5a785d15d486e5838823e8d7a0b3d2f9ad97b6f1f2a485234d
Score
10/10
Malware Config
Extracted
Family
xenomorph
C2
simpleyo5.tk
simpleyo5.cf
kart12sec.ga
kart12sec.gq
Extracted
Family
xenomorph
AES_key
AES_key
Signatures
-
Xenomorph
Xenomorph is an Android banking trojan that is seemingly tied with AlienBot.
-
Makes use of the framework's Accessibility service. 2 IoCs
-
Acquires the wake lock. 1 IoCs
-
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
-
Removes a system notification. 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
Processes
-
com.token.jewel1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.token.jewel/app_DynamicOptDex/LmGiYP.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.token.jewel/app_DynamicOptDex/oat/x86/LmGiYP.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-