Resubmissions

20-03-2022 22:30

220320-2e69csgffl 10

10-03-2022 18:07

220310-wqcw1achbm 10

10-03-2022 17:34

220310-v5qkzahdf7 7

10-03-2022 17:12

220310-vq77gahca6 7

10-03-2022 16:14

220310-tp5jhsbham 7

10-03-2022 16:02

220310-tgwawabggk 10

General

  • Target

    2877b27f1b6c7db466351618dda4f05d6a15e9a26028f3fc064fa144ec3a1850

  • Size

    2.4MB

  • Sample

    220320-2e69csgffl

  • MD5

    e39505e65aec6835f680c902e1c8f7d8

  • SHA1

    8b2984b8838067903ee3ff95d8a6823106216296

  • SHA256

    2877b27f1b6c7db466351618dda4f05d6a15e9a26028f3fc064fa144ec3a1850

  • SHA512

    19911ed73419450a03ad541f7164a5db05a93e2c63d894ab79fdc50409d77696bdc203155640361d5f12de1929f234d5b2da84ebf4c59306876d725221310887

Malware Config

Extracted

Family

xenomorph

C2

simpleyo5.tk

simpleyo5.cf

kart12sec.ga

kart12sec.gq

Extracted

Family

xenomorph

Attributes
  • PackageNames

    com.android.vending

    com.google.android.gm

  • URLs

    https://homeandofficedeal.com/local/multi/com.android.vending.html

    https://homeandofficedeal.com/local/multi/com.google.android.gm.html

AES_key
AES_key
AES_key

Targets

    • Target

      2877b27f1b6c7db466351618dda4f05d6a15e9a26028f3fc064fa144ec3a1850

    • Size

      2.4MB

    • MD5

      e39505e65aec6835f680c902e1c8f7d8

    • SHA1

      8b2984b8838067903ee3ff95d8a6823106216296

    • SHA256

      2877b27f1b6c7db466351618dda4f05d6a15e9a26028f3fc064fa144ec3a1850

    • SHA512

      19911ed73419450a03ad541f7164a5db05a93e2c63d894ab79fdc50409d77696bdc203155640361d5f12de1929f234d5b2da84ebf4c59306876d725221310887

    • Xenomorph

      Xenomorph is an Android banking trojan that is seemingly tied with AlienBot.

    • Makes use of the framework's Accessibility service.

    • Acquires the wake lock.

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks