Analysis

  • max time kernel
    613572s
  • max time network
    142s
  • platform
    android_x86
  • resource
    android-x86-arm-20220310-en
  • submitted
    02-06-2022 11:15

General

  • Target

    97C3CC1C42FB7427256C5D7938D3E8F21FD98CCE8D327ADF10244291D3C68EE9.apk

  • Size

    1.8MB

  • MD5

    c35aeeab03a3002deb83aa86ec863622

  • SHA1

    29ab2b28845cb48c55ecaeefcbdd42c1a0878e79

  • SHA256

    97c3cc1c42fb7427256c5d7938d3e8f21fd98cce8d327adf10244291d3c68ee9

  • SHA512

    f947a8c3fa068577162dcb85d0051cdeca4915e28197b2d91dd7c52e078ed43e1ec013554eab87cec588a1faf9c9fb2175ac792a6a664601e0ca614a438eb092

Malware Config

Extracted

Family

alienbot

C2

http://zeus45-3.com

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

  • Makes use of the framework's Accessibility service. 2 IoCs
  • Loads dropped Dex/Jar 3 IoCs

    Runs executable file dropped to the device during analysis.

Processes

  • wwbthkwyq.ubeefrquxp.aecrjqdaz
    1⤵
    • Makes use of the framework's Accessibility service.
    • Loads dropped Dex/Jar
    PID:5048
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/wwbthkwyq.ubeefrquxp.aecrjqdaz/app_DynamicOptDex/GIQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/wwbthkwyq.ubeefrquxp.aecrjqdaz/app_DynamicOptDex/oat/x86/GIQ.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:5084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/wwbthkwyq.ubeefrquxp.aecrjqdaz/app_DynamicOptDex/GIQ.json

    Filesize

    630KB

    MD5

    bf4bbc648581b3799242cf186382777a

    SHA1

    d6587f4e863620edd7bb997bfc5ea616c9177e35

    SHA256

    892091b9491a52ba7d4c6c6fe6adb68e39e1e4fb48da689108bdb5353de22613

    SHA512

    6e51bc425e577ffaaa976f0cc3ef430244481200a37c6bca09fa7fb33e9802ed07a3d18ac49c50cfb033e19fd9d8668d32fccede3a3901e5fd32788f569b6929

  • /data/user/0/wwbthkwyq.ubeefrquxp.aecrjqdaz/app_DynamicOptDex/GIQ.json

    Filesize

    630KB

    MD5

    9270824c8c898e998b3a7a21d9760bd1

    SHA1

    7b9e31c82a745f2cf55fad5edd69d1c73f69564e

    SHA256

    e7528f5c91259b0244e6585aa4f9dcdec2324ea99fdda45eeef72954d8b3bea6

    SHA512

    b5be04cde6e15aa4787bb822aa28dbc2ce68d021e81e387e4ff2700cb2f5b9399117728281de2ae9690011526f1dd19ab59fc4f58e29012d50d46c263c051ee9

  • /data/user/0/wwbthkwyq.ubeefrquxp.aecrjqdaz/app_DynamicOptDex/GIQ.json

    Filesize

    630KB

    MD5

    103e109b06eb7df91a1b128567d7ae7b

    SHA1

    693e31d1c8f42347afbcd071b3dc44c77b2cb999

    SHA256

    9fecbd4bfaf8773dafde55e33e782651ba5a5d8e9edab0daf7fd673291773369

    SHA512

    6461f114769710e6d036bcbcd18d747093829d0fadefc233574228075cf4fe02e6fb3360f27379d18cdc6273b2bafff276fda30a3c54f3890b89384846354bea

  • /data/user/0/wwbthkwyq.ubeefrquxp.aecrjqdaz/app_DynamicOptDex/GIQ.json

    Filesize

    630KB

    MD5

    9270824c8c898e998b3a7a21d9760bd1

    SHA1

    7b9e31c82a745f2cf55fad5edd69d1c73f69564e

    SHA256

    e7528f5c91259b0244e6585aa4f9dcdec2324ea99fdda45eeef72954d8b3bea6

    SHA512

    b5be04cde6e15aa4787bb822aa28dbc2ce68d021e81e387e4ff2700cb2f5b9399117728281de2ae9690011526f1dd19ab59fc4f58e29012d50d46c263c051ee9

  • /data/user/0/wwbthkwyq.ubeefrquxp.aecrjqdaz/app_DynamicOptDex/GIQ.json.x86.flock

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • /data/user/0/wwbthkwyq.ubeefrquxp.aecrjqdaz/app_DynamicOptDex/oat/GIQ.json.cur.prof

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • /data/user/0/wwbthkwyq.ubeefrquxp.aecrjqdaz/app_DynamicOptDex/oat/x86/GIQ.odex

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • /data/user/0/wwbthkwyq.ubeefrquxp.aecrjqdaz/app_DynamicOptDex/oat/x86/GIQ.vdex

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e