Analysis
-
max time kernel
1842866s -
max time network
159s -
platform
android_x86 -
resource
android-x86-arm-20220310-en -
submitted
16-06-2022 18:45
Static task
static1
Behavioral task
behavioral1
Sample
28c11bb998bf8c023a212c6518b4f8219c8583c2e79fc87d76be6fcad51b522f.apk
Resource
android-x86-arm-20220310-en
Behavioral task
behavioral2
Sample
28c11bb998bf8c023a212c6518b4f8219c8583c2e79fc87d76be6fcad51b522f.apk
Resource
android-x64-20220310-en
Behavioral task
behavioral3
Sample
28c11bb998bf8c023a212c6518b4f8219c8583c2e79fc87d76be6fcad51b522f.apk
Resource
android-x64-arm64-20220310-en
General
-
Target
28c11bb998bf8c023a212c6518b4f8219c8583c2e79fc87d76be6fcad51b522f.apk
-
Size
4.9MB
-
MD5
92891906b5842b1daac01661731116b9
-
SHA1
53ff2b0a928fda3439d188c9b7d2f989f7e93eec
-
SHA256
28c11bb998bf8c023a212c6518b4f8219c8583c2e79fc87d76be6fcad51b522f
-
SHA512
0b5f95a0c2022953c8ccf65808c976ea54718495952a115d557098443dc7509d419fe2c5255f05795a057061cf64bf69479c349a8361e7f4950325dc7344feb0
Malware Config
Signatures
-
FluBot
FluBot is an android banking trojan that uses overlays.
-
FluBot Payload 3 IoCs
Processes:
resource yara_rule /data/user/0/extend.dress.since/app_DynamicOptDex/BeJsupe.json family_flubot /data/user/0/extend.dress.since/app_DynamicOptDex/BeJsupe.json family_flubot /data/user/0/extend.dress.since/app_DynamicOptDex/BeJsupe.json family_flubot -
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
suricata: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses
suricata: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses
-
Makes use of the framework's Accessibility service. 3 IoCs
Processes:
extend.dress.sincedescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId extend.dress.since Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId extend.dress.since Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText extend.dress.since -
Loads dropped Dex/Jar 3 IoCs
Runs executable file dropped to the device during analysis.
Processes:
extend.dress.since/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/extend.dress.since/app_DynamicOptDex/BeJsupe.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/extend.dress.since/app_DynamicOptDex/oat/x86/BeJsupe.odex --compiler-filter=quicken --class-loader-context=&ioc pid process /data/user/0/extend.dress.since/app_DynamicOptDex/BeJsupe.json 5308 extend.dress.since /data/user/0/extend.dress.since/app_DynamicOptDex/BeJsupe.json 5365 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/extend.dress.since/app_DynamicOptDex/BeJsupe.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/extend.dress.since/app_DynamicOptDex/oat/x86/BeJsupe.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/extend.dress.since/app_DynamicOptDex/BeJsupe.json 5308 extend.dress.since -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
Processes:
extend.dress.sincedescription ioc process Framework API call javax.crypto.Cipher.doFinal extend.dress.since
Processes
-
extend.dress.since1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).
PID:5308 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/extend.dress.since/app_DynamicOptDex/BeJsupe.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/extend.dress.since/app_DynamicOptDex/oat/x86/BeJsupe.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:5365
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD5e2993d2a3cd519c197e808c18750fd07
SHA122d1cc1b7db89f1dfc1892a954778399ac903005
SHA2567cfd37d111f15e729ad5d9bd8c831771e2157d68808e51ec2470437087636c73
SHA5127ea089e7169b574e8d8ff524d0f9742f1eee6e901a2dc9fb92d3160b517db46cebe7b4549ab250426560d27227eba57780e0cd3bdae63b3e3dc5070f5ae6ac0f
-
Filesize
1.5MB
MD540bc23344a0f46f04cf0533ae12c86b4
SHA14330aa71cc6bce9eac084368d207f1aeeabbec50
SHA256e89d9804064dfff2a9890e595825a3074f88ffcbfe7c21800a9464d2aa9ab832
SHA512e2e32639b3080412ee5a4f898c7ed8f422e854bd8e759402d21eb2620333a60170f80e21998dbe3e2ec652a3c7dc1ff8528c52d5df7a95a35046811b752d4f45
-
Filesize
1.5MB
MD53e7d7af34d3504f26ca435e0cf106313
SHA1d369bca4ec601a934969bb69909cd04c7ef526a7
SHA2565502f89b316171cfa3c79aba4b6729c859e84f328a7f6535ec67fb13b2294b50
SHA512c6728241a5dba91c843771489ddc6b73619307c467089da1d4317b24852f008f62aa72b31ff3b691af68688cf46eea381517a5ef2907e7e67739bf2c7fa45efb
-
Filesize
1.5MB
MD540bc23344a0f46f04cf0533ae12c86b4
SHA14330aa71cc6bce9eac084368d207f1aeeabbec50
SHA256e89d9804064dfff2a9890e595825a3074f88ffcbfe7c21800a9464d2aa9ab832
SHA512e2e32639b3080412ee5a4f898c7ed8f422e854bd8e759402d21eb2620333a60170f80e21998dbe3e2ec652a3c7dc1ff8528c52d5df7a95a35046811b752d4f45
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e