alienbot | 1b79a85c7baea1d71627c161fd562431ebcb54ac115387afafaae46b3e710f01

Analysis

max time kernel
871125s
max time network
154s
platform
android_x64
resource
android-x64-arm64-20230824-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230824-enlocale:en-usos:android-11-x64system
submitted
26-08-2023 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b79a85c7baea1d71627c161fd562431ebcb54ac115387afafaae46b3e710f01.apk
Size

2.2MB
MD5

c808dde8c007e07e8ebea155dfa4a81f
SHA1

d3b314615f6b8d41de6a31711b97f92e1448ca67
SHA256

1b79a85c7baea1d71627c161fd562431ebcb54ac115387afafaae46b3e710f01
SHA512

0d6d0bc8c9692ae6ed22f9e85965ae77c5f04692b9f8645c4eaf0e5c7a8a9a24a2f6ffcd9849e879eefee662017abc7e491468c19aad51fb4d07d05d794cb7f6
SSDEEP

49152:r2hxQOLwvclyPQWKJ+xVbBITjEzQ/9mH1XdTN2Wc/xitPZbj2ILLdSsNuS9fcQ35:r2hzwUwiyNITjEzQ/oH1XdTN2Wc/otPf

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://girisapi5698.pw

rc4.plain

Extracted

Family

alienbot

http://girisapi5698.pw

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.smoke.enjoy/app_DynamicOptDex/YRqQ.json	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.smoke.enjoy

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.smoke.enjoy
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.smoke.enjoy

Removes its main activity from the application launcher 8 IoCs

stealth trojan

Processes:

com.smoke.enjoy

pid	process
4464	com.smoke.enjoy
4464	com.smoke.enjoy
4464	com.smoke.enjoy
4464	com.smoke.enjoy
4464	com.smoke.enjoy
4464	com.smoke.enjoy
4464	com.smoke.enjoy
4464	com.smoke.enjoy

Acquires the wake lock. 1 IoCs

Processes:

com.smoke.enjoy

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.smoke.enjoy
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.smoke.enjoy

ioc pid process

/data/user/0/com.smoke.enjoy/app_DynamicOptDex/YRqQ.json 4464 com.smoke.enjoy
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.smoke.enjoy

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.smoke.enjoy

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.smoke.enjoy

ioc	pid	process
/data/user/0/com.smoke.enjoy/app_DynamicOptDex/YRqQ.json	4464	com.smoke.enjoy

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.smoke.enjoy

com.smoke.enjoy
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4464
- getprop ro.miui.ui.version.name
  2⤵
  PID:4625
- getprop ro.miui.ui.version.name
  2⤵
  PID:4855
- getprop ro.miui.ui.version.name
  2⤵
  PID:4887
- getprop ro.miui.ui.version.name
  2⤵
  PID:4919
- getprop ro.miui.ui.version.name
  2⤵
  PID:4948
- getprop ro.miui.ui.version.name
  2⤵
  PID:4984
- getprop ro.miui.ui.version.name
  2⤵
  PID:5017

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.smoke.enjoy/app_DynamicOptDex/YRqQ.json

Filesize
238KB

MD5
da4df5472ee7d60d375d7b2384532c09

SHA1
883ceb91cc257d3a71ef28acde250f8782c43d62

SHA256
1fe0a42d41dc23a2d69a256df4f28f10a68c611fdaef1814a748bc8bdc1f7d4f

SHA512
d8a42b50e8c556208f8e9a230cccc6e72261163531c48c8b6e1c761c3ece7fcb7715600b5d509ebef31058c4b1bfe1c1f1d00769b3fc8905de9ce2eba54d97fa

Download Submit
/data/user/0/com.smoke.enjoy/app_DynamicOptDex/YRqQ.json

Filesize
238KB

MD5
ba1d00d2dead6aff09ca8868176c214a

SHA1
21a6b341a3d01604a31c59ba6970b23f7438fb96

SHA256
d858c174a6c7c3ae2e4d57572a164e03dec4de8b1416863b046df4f8aa7c6285

SHA512
7a21b9c0f1201d017be895eb7e0c830a8d371e55955ca7f89ceda3875dbceae460ca689b072830cd9ba78076b3efad312ea6c5a36d2678ebb5d49357eb8d59f3

Download Submit
/data/user/0/com.smoke.enjoy/app_DynamicOptDex/YRqQ.json

Filesize
483KB

MD5
16cbed5f379e2684d42d83d908b86cd6

SHA1
14479585b1b6d0be1396534eef0def542cba36e0

SHA256
77d9296b571198d2093db4d25c5420f59ef5163e7e48e7edc27c1d7c5f487c37

SHA512
4d20146087daf65cd7902a40d38cda71af94c76608d7cb37df03b62c173c6db50ab8b0c3991cd8ea1bfcafed2d63d8f2384f7a6a66b749e2380d592b72447a06

Download Submit
/data/user/0/com.smoke.enjoy/app_DynamicOptDex/oat/YRqQ.json.cur.prof

Filesize
316B

MD5
9b29bf5f20a8e85c74b2ad64d037a103

SHA1
55516765fa3e7106cc6377a3e4ce06e6f57d3753

SHA256
db35d4751d79a74e7f3a4e95bcec70e386d8a227baecae255b2d8db5aecddf30

SHA512
ad18336609fddbb9d5347d933354ee75e00f74f1f9255209180607764c6043188c3908da84a2164aff7640ad1d3c1902a79959adfc5d83b38374e91258e721ad

Download Submit