flubot | 34d3338408dfd8244ba7ee655f558f0e06e0982cb76584f88707f6d0bdcf6a2c

General

Target

34d3338408dfd8244ba7ee655f558f0e06e0982cb76584f88707f6d0bdcf6a2c.apk
Size

2.6MB
MD5

6a7e746ade78143f4ca2a7a4ce33f250
SHA1

452abfbc77dc37780b571d0ce4f623ac960d89ff
SHA256

34d3338408dfd8244ba7ee655f558f0e06e0982cb76584f88707f6d0bdcf6a2c
SHA512

d4a82b20a5acf601e36b2c1abcdc1a6275a6baca43746e4a7f525368f1db5e699369efe1c0656172f962b44bb4c2f421bf526d0466e24f094af623e10d546245

Score

10^/10

flubot banker discovery infostealer ransomware suricata trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot Payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/base.apk.classes1.zip	family_flubot
/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/base.apk.classes1.zip	family_flubot

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
suricata: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses
suricata: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses
suricata

Makes use of the framework's Accessibility service. 1 IoCs

Processes:

com.dailyyoga.cn

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.dailyyoga.cn

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&com.dailyyoga.cn

ioc	pid	process
/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/base.apk.classes1.zip	5237	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/base.apk.classes1.zip	5123	com.dailyyoga.cn

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.dailyyoga.cn

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.dailyyoga.cn

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.dailyyoga.cn

com.dailyyoga.cn
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).
PID:5123
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5237

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/MultiDex.lock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
2.3MB

MD5
39812f8a3904906708d41d7d476f4e43

SHA1
105dc5aa6eedaa92c88f88862c507703905f75f6

SHA256
52787b54942f7c485817970ec6d2ee2c7e99c437e0ee17aaca00efde3e7b447e

SHA512
78fe45be46faffbff9ce7433000479a01d2fd60ba4551124f8541953596dd8ea6d26f65902a6c85fc34a1f377cd4e52bcba3cdc2f25d516ebc25eb518892ef09

Download Submit
/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
2.3MB

MD5
fe87e5323fc5d40f23aa1955d4c5a37b

SHA1
38eb427ab9e25a1b3dbff0ce47ba9165b3b898a0

SHA256
3679c31a8555cf5a7d9c3fa7ed3c7fa6eb14cc03e72b20d6061c77379a52e054

SHA512
4c8d2526d50d60491b39aa29366d0df9bbeef1d14b2f4c4877d64fc0af7c745c1a1c5ba250f94ac924e18dc3960b5889116edcc29539f3b93cdb13754aa9fddd

Download Submit
/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/base.apk.classes1.zip.x86.flock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/oat/x86/base.apk.classes1.vdex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.dailyyoga.cn/code_cache/secondary-dexes/tmp-base.apk.classes8419277019307144269.zip

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.dailyyoga.cn/shared_prefs/multidex.version.xml

Filesize
305B

MD5
3149fd6cf958614eb8355306c4fe6750

SHA1
5babcb07e68c3b981c5310a87c52d58717e6f652

SHA256
30820985bd2084c79b4231ff09b9d136f8bc4d69466bb08db55a867eacc3d8ed

SHA512
0e8d0f53ba8731ae5ae2fdfc9cef8104a4285a5a3b051292edea608d284129fb451531a496970dfce2b283ed03e78122aa0ed2be635683d99da592eaf239116f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads