Overview

overview

10

Static

static

7

0422433a6c...63.apk

android-9-x86

10

0422433a6c...63.apk

android-10-x64

10

0422433a6c...63.apk

android-11-x64

10

HM_JsBridge.js

windows7-x64

1

HM_JsBridge.js

windows10-2004-x64

1

consentform.html

windows7-x64

1

consentform.html

windows10-2004-x64

1

Analysis

  • max time kernel
    2252865s
  • max time network
    157s
  • platform
    android_x86
  • resource
    android-x86-arm-20230831-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
  • submitted
    11-09-2023 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0422433a6cea4da9fa32db2410144f406f01eec5ff5915b2b8c192ec3639b363.apk

  • Size

    2.1MB

  • MD5

    e40024f930c3f19b89b0f0639e3e048c

  • SHA1

    44255903ab77c97c9de06e7a52921593cdb89483

  • SHA256

    0422433a6cea4da9fa32db2410144f406f01eec5ff5915b2b8c192ec3639b363

  • SHA512

    326d8facbbd82b6eeac70a04ab5cbc3426a5e5242d4edf3dd49109e75742838cd0edb7e4018ca82321cc72f086fcff33d106805628d5f370df97fea5b70b0fcc

  • SSDEEP

    49152:L6pmUQoDTrOiCFPA2gL0J0801VBUf2cRqcl1dIpkJ8Rp5/0xNew:1ULrOiCFAM2cyMy/0PR

Score
10/10
alienbotcerberusbankerevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://limit-tanimlama.net

rc4.plain

Extracted

Family

alienbot

C2

http://limit-tanimlama.net

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 2 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
    banker
  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Removes a system notification. 1 IoCs
    evasion

Processes

  • com.supply.oil
    1⤵
    • Makes use of the framework's Accessibility service.
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    PID:4157
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.supply.oil/app_DynamicOptDex/GybLWWK.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.supply.oil/app_DynamicOptDex/oat/x86/GybLWWK.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4183

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.supply.oil/app_DynamicOptDex/GybLWWK.json
    Filesize

    238KB

    MD5

    10a6e436b0bee31a9f2ed74b4d6a50b7

    SHA1

    0360f72ad2b82c42da703114162d8b4566613481

    SHA256

    087fd075a58880efd16d03724740416bf331634a3bffce2af075172f709837fe

    SHA512

    6b62579a92291baf3844eb4747eb2a05024f4283bb35906aa415b265b3f008a87a159c89890b1f7ba4789d87125c1e92c6fde75408209a3d1872f9b1b8c014e5

    Download Submit

  • /data/data/com.supply.oil/app_DynamicOptDex/GybLWWK.json
    Filesize

    238KB

    MD5

    784200c45e8d5ec0e504d4e09cb8fc87

    SHA1

    d4c2d36a6e328a28108cf4cdd3bae967f65369b3

    SHA256

    05514060c89e27fae692115142f190dc10e39060d21a0e9523da6cf684d5a84f

    SHA512

    476cbaa17406636f20cf23062c69902d57f0199a053e556cb15ad6f0c3b5722ab9b5ddf81b38b9cc2754c162b8050cd20a6250793af60507600c23dc35050a0c

    Download Submit

  • /data/data/com.supply.oil/app_DynamicOptDex/oat/GybLWWK.json.cur.prof
    Filesize

    496B

    MD5

    aa6d3c116bce67f99cffbba57da8060f

    SHA1

    c78eb0cc79d91eddb499008d6fa1da4c6b11068b

    SHA256

    840a18a7f0bf63b87625c8a6e2b79d15f060fdcd287ed1dd461948c7a3a0e1ca

    SHA512

    26043d488742ee4eb3c576901d931963083b7100cb289d42794b4783d6b4f3c1615fe5bf800970d449eeff10da5e9738e9a151e8b981d5ef1ceeb4a2fa7dae1d

    Download Submit

  • /data/data/com.supply.oil/app_DynamicOptDex/oat/GybLWWK.json.cur.prof
    Filesize

    570B

    MD5

    6bc3ae3d1feddfdacc7d42441bad1e6d

    SHA1

    adbc0922cd787e9663a1fde22a8826a70f12eb18

    SHA256

    0cf878dd4b9cb49d25c09106f58d6aa11a7d3a6dff667f5b772d8b81a520e787

    SHA512

    e60d2429ec0760680f4bb58d78076c1b36e091f0964141fcf3f7d777cc844fa033ba16bf3c29fc4934b07a70cf6519c2290ff49bbeded0c767d1af227c57a304

    Download Submit

  • /data/data/com.supply.oil/app_apk/ring0.apk
    Filesize

    946KB

    MD5

    a73f108dc1b655252c7e45e5df04d4f6

    SHA1

    8459f380f7ef684e393c4408f7f4ee58c99147c4

    SHA256

    c34367f5395f513b8ee0dedcd5502aed69172e71004a80c1f896ca97e05f4f62

    SHA512

    8f84e47b367fb35a073a31cf41422edccbde99ee126cb37d2df0bddae5e8ca0f5df4d6221930548bfd216f583b2885485d764fd58f73d6a14b9a697b66c58dc4

    Download Submit

  • /data/user/0/com.supply.oil/app_DynamicOptDex/GybLWWK.json
    Filesize

    483KB

    MD5

    cf459b6c69fd95bfe859df508a897d87

    SHA1

    aaf71eb5eb9324237c3122ab1881896f1094a96a

    SHA256

    3573db041490e45385c8feeef231f0c9ce098816a4661bec02a09d6ca14d37dd

    SHA512

    f7c852c5d5a3ddfc272a763895e5071d9195f1495af822a59bf21ce1abc7d7a652b88c736a682cbb54590a3a2bf731505736ed3be13d9d2e738ff5d43607f0d3

    Download Submit

  • /data/user/0/com.supply.oil/app_DynamicOptDex/GybLWWK.json
    Filesize

    483KB

    MD5

    013a804a457ce0c5e63f4003bd15c301

    SHA1

    1dd06b6d8465833e012c9cc070d63844b176ef6a

    SHA256

    5ee7fd2974b8ba94491cd02575da34d60affe0228ae5a30ad478d820e0226663

    SHA512

    a121e0a32bf0eebf9239b8e52d6efb1df4655c0c11314bf08620897431c1d297019caf4122acb73ced329552460770afcc4464d13199b928290b6180a3963fcb

    Download Submit