Analysis
-
max time kernel
4239842s -
max time network
148s -
platform
android_x86 -
resource
android-x86-arm-20230831-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system -
submitted
04-10-2023 22:00
Static task
static1
Behavioral task
behavioral1
Sample
e25de236ced06f9dd1e0570a0b49beded9fa51965d1ed2d7c544b84b25a7c566.apk
Resource
android-x86-arm-20230831-en
Behavioral task
behavioral2
Sample
e25de236ced06f9dd1e0570a0b49beded9fa51965d1ed2d7c544b84b25a7c566.apk
Resource
android-x64-20230831-en
Behavioral task
behavioral3
Sample
e25de236ced06f9dd1e0570a0b49beded9fa51965d1ed2d7c544b84b25a7c566.apk
Resource
android-x64-arm64-20230831-en
Behavioral task
behavioral4
Sample
HM_JsBridge.js
Resource
win7-20230831-en
Behavioral task
behavioral5
Sample
HM_JsBridge.js
Resource
win10v2004-20230915-en
Behavioral task
behavioral6
Sample
consentform.html
Resource
win7-20230831-en
Behavioral task
behavioral7
Sample
consentform.html
Resource
win10v2004-20230915-en
General
-
Target
e25de236ced06f9dd1e0570a0b49beded9fa51965d1ed2d7c544b84b25a7c566.apk
-
Size
2.3MB
-
MD5
790a877839ad17d80d1f94fcfe2dd120
-
SHA1
b226c72c841fa8bafb04b2911bdd68df1e2bf679
-
SHA256
e25de236ced06f9dd1e0570a0b49beded9fa51965d1ed2d7c544b84b25a7c566
-
SHA512
8b1fee85e6e00edecd157b3ff4716b1bd91c8d45bc844512a4028915fbeefc8d4fbc1937876436d042e862bc1a1b89c45ab4c3f5c2ecc723f6169f231446a082
-
SSDEEP
49152:rT6x9SnCg1KA9brb9LsEv8o8qh2U2T0J0801APuw/XbJEqXcl1dIpkJXRn5ZI:rTlC0Kmbrb9cEEPwjJEmMTZI
Malware Config
Extracted
alienbot
http://eklimitonay.online
Extracted
alienbot
http://eklimitonay.online
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Cerberus payload 2 IoCs
Processes:
resource yara_rule /data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json family_cerberus /data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json family_cerberus -
Makes use of the framework's Accessibility service. 2 IoCs
Processes:
com.swift.wrapdescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.swift.wrap Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.swift.wrap -
Processes:
com.swift.wrappid process 4167 com.swift.wrap -
Acquires the wake lock. 1 IoCs
Processes:
com.swift.wrapdescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.swift.wrap -
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.swift.wrap/app_DynamicOptDex/oat/x86/pFFJk.odex --compiler-filter=quicken --class-loader-context=&com.swift.wrapioc pid process /data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json 4195 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.swift.wrap/app_DynamicOptDex/oat/x86/pFFJk.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json 4167 com.swift.wrap -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
Processes:
com.swift.wrapdescription ioc process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.swift.wrap -
Removes a system notification. 1 IoCs
Processes:
com.swift.wrapdescription ioc process Framework service call android.app.INotificationManager.cancelNotificationWithTag com.swift.wrap
Processes
-
com.swift.wrap1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
PID:4167 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.swift.wrap/app_DynamicOptDex/oat/x86/pFFJk.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4195
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
462B
MD5b31f0f9fb507566ff3910a34e79f1911
SHA12b8b557514c2e70da52b84ddb9d44e1ffd0d9d6b
SHA25649b5f8f9f4c677a27fbf697a74c3420f50d4b6bc0a593acd5d8e63e5622b7b5d
SHA51213dc191c41c96872dad603a82726aaa8179bd62bb361cb184bb54f1600a4349b5bcc58e57aa8ad33ea227f7cf52eceee96c397238a4b6e8f994d156147ead04c
-
Filesize
238KB
MD50219b6d26de9a569780bfc32d089ad79
SHA19fceddb0f5081cc5766c9d45960d7a1a15ff68fe
SHA25661c3c9363d3b4cdd47db00e573a363f272c376aa850b61ca4ac6a31a3d293bc9
SHA512a38e4b67fd045637363f968433850adcb5d1924a354b0afd364f2c7c25b0258dfc5554c79c4c40d6642d407d4c69751a8dbb476a1fec79133c85d668b327f12e
-
Filesize
238KB
MD53f3a4f6cd15e01e61d5661f8331c0a34
SHA151c652dac5a7e722e80abff83ee2be3f964d789d
SHA256f2d5451b9e9d63bdbf6b90e680af654d84be3ecc74d1e4ef603aacce23fa9275
SHA512f905b417fac1b04773239b174d04047e1ce6e7306818c883975adc2cc20c3eab6d536e164cec7d6ff048dcc251f3b8ce842d1fc0ea028121612f3d8202fb63c8
-
Filesize
483KB
MD541e439e3c62b9885f1dbd5934dde2949
SHA173ded2dacfe908dc8ed08a3535d0111d712501a3
SHA2565aae4163bcb5869a98f0fd358726b42076b58b30db4ee0e24951952a2ad8a6a0
SHA512e5b47ba9910f9ab6ded461dfc33dabe65d7ee2b6cdfced599c6ca126a4786391492ef514435e567e522932fac27bb425f1a54b7ca9ba8e2933e7d6d1e490a9a2
-
Filesize
483KB
MD53eb1657245e2ca6c42bbeafacf31f02a
SHA1b6b5ab7a1d86a3aca95133cda391d8e7cae42fae
SHA2562a5102bb793252bcaa0bd5c08aba8410b48bca16a383975130bc5dd3f8a64af2
SHA512316106d36bb571b8ecb4666c460e38645c273d2ef33643544c3b800610443ab4a256474486711a0f1285d28ec78ca448d7302adb8ee32d8923ebeec038a67767