Overview
overview
10Static
static
7cb43d09133...74.apk
android-9-x86
10cb43d09133...74.apk
android-10-x64
10cb43d09133...74.apk
android-11-x64
10android-su...v4.jar
windows7-x64
1android-su...v4.jar
windows10-2004-x64
1corejs.1.3.4.js
windows7-x64
1corejs.1.3.4.js
windows10-2004-x64
1libfolly_futures.so
ubuntu-18.04-amd64
libfolly_futures.so
debian-9-armhf
libfolly_futures.so
debian-9-mips
libfolly_futures.so
debian-9-mipsel
libjsijniprofiler.so
ubuntu-18.04-amd64
libjsijniprofiler.so
debian-9-armhf
libjsijniprofiler.so
debian-9-mips
libjsijniprofiler.so
debian-9-mipsel
libnative-...der.so
ubuntu-18.04-amd64
libnative-...der.so
debian-9-armhf
libnative-...der.so
debian-9-mips
libnative-...der.so
debian-9-mipsel
libreactnativeblob.so
ubuntu-18.04-amd64
libreactnativeblob.so
debian-9-armhf
libreactnativeblob.so
debian-9-mips
libreactnativeblob.so
debian-9-mipsel
Analysis
-
max time kernel
377750s -
max time network
154s -
platform
android_x86 -
resource
android-x86-arm-20230831-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system -
submitted
09-10-2023 22:08
Static task
static1
Behavioral task
behavioral1
Sample
cb43d09133f6c65bdd25001f231cc1379aa63bd8ad5a20e8671861f5f0da2b74.apk
Resource
android-x86-arm-20230831-en
Behavioral task
behavioral2
Sample
cb43d09133f6c65bdd25001f231cc1379aa63bd8ad5a20e8671861f5f0da2b74.apk
Resource
android-x64-20230831-en
Behavioral task
behavioral3
Sample
cb43d09133f6c65bdd25001f231cc1379aa63bd8ad5a20e8671861f5f0da2b74.apk
Resource
android-x64-arm64-20230831-en
Behavioral task
behavioral4
Sample
android-support-v4.jar
Resource
win7-20230831-en
Behavioral task
behavioral5
Sample
android-support-v4.jar
Resource
win10v2004-20230915-en
Behavioral task
behavioral6
Sample
corejs.1.3.4.js
Resource
win7-20230831-en
Behavioral task
behavioral7
Sample
corejs.1.3.4.js
Resource
win10v2004-20230915-en
Behavioral task
behavioral8
Sample
libfolly_futures.so
Resource
ubuntu1804-amd64-20230831-en
Behavioral task
behavioral9
Sample
libfolly_futures.so
Resource
debian9-armhf-20230831-en
Behavioral task
behavioral10
Sample
libfolly_futures.so
Resource
debian9-mipsbe-20230831-en
Behavioral task
behavioral11
Sample
libfolly_futures.so
Resource
debian9-mipsel-20230831-en
Behavioral task
behavioral12
Sample
libjsijniprofiler.so
Resource
ubuntu1804-amd64-20230831-en
Behavioral task
behavioral13
Sample
libjsijniprofiler.so
Resource
debian9-armhf-en-20211208
Behavioral task
behavioral14
Sample
libjsijniprofiler.so
Resource
debian9-mipsbe-20230831-en
Behavioral task
behavioral15
Sample
libjsijniprofiler.so
Resource
debian9-mipsel-20230831-en
Behavioral task
behavioral16
Sample
libnative-imagetranscoder.so
Resource
ubuntu1804-amd64-en-20211208
Behavioral task
behavioral17
Sample
libnative-imagetranscoder.so
Resource
debian9-armhf-20230831-en
Behavioral task
behavioral18
Sample
libnative-imagetranscoder.so
Resource
debian9-mipsbe-20230831-en
Behavioral task
behavioral19
Sample
libnative-imagetranscoder.so
Resource
debian9-mipsel-20230831-en
Behavioral task
behavioral20
Sample
libreactnativeblob.so
Resource
ubuntu1804-amd64-20230831-en
Behavioral task
behavioral21
Sample
libreactnativeblob.so
Resource
debian9-armhf-20230831-en
Behavioral task
behavioral22
Sample
libreactnativeblob.so
Resource
debian9-mipsbe-20230831-en
Behavioral task
behavioral23
Sample
libreactnativeblob.so
Resource
debian9-mipsel-en-20211208
General
-
Target
cb43d09133f6c65bdd25001f231cc1379aa63bd8ad5a20e8671861f5f0da2b74.apk
-
Size
3.9MB
-
MD5
4e5b975596521d64b8f9ae1cbe4a9879
-
SHA1
64569d6caecae1cb0a7982bdcbaec104f99eb7d4
-
SHA256
cb43d09133f6c65bdd25001f231cc1379aa63bd8ad5a20e8671861f5f0da2b74
-
SHA512
530b27bed6d9b06086d3b80347acbd73c3fabc3198fb53a35918a3222586b791adee1323132e0bffd6971c75ba31f2c966a5719956a5c840e4398a0f17311199
-
SSDEEP
98304:eqC/loKvtb7KA0mTsL6kr3dQf+AC7rjZRFJtYvw:eqC/e47lElLdC6rj7FJz
Malware Config
Signatures
-
FluBot
FluBot is an android banking trojan that uses overlays.
-
FluBot payload 4 IoCs
resource yara_rule behavioral1/files/fstream-1.dat family_flubot behavioral1/memory/4148-0.dex family_flubot behavioral1/memory/4210-0.dex family_flubot behavioral1/memory/4148-1.dex family_flubot -
Makes use of the framework's Accessibility service. 3 IoCs
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.tencent.mm -
pid Process 4148 com.tencent.mm -
Loads dropped Dex/Jar 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin 4148 com.tencent.mm /data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin 4210 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.tencent.mm/app_apkprotector_dex/oat/x86/classes-v1.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin 4148 com.tencent.mm -
Requests enabling of the accessibility settings. 1 IoCs
description ioc Process Intent action android.settings.ACCESSIBILITY_SETTINGS com.tencent.mm -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.tencent.mm -
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.tencent.mm
Processes
-
com.tencent.mm1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data).
PID:4148 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.tencent.mm/app_apkprotector_dex/oat/x86/classes-v1.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4210
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD58538cc53fd4119591abd013f06d128d1
SHA139baf7deeec73f5b121f828a01e1ebc8c048cee4
SHA256cdd4364a1f94ae4e1e7e5338eb77ac491d21077ebcd693d82cc017277e64c903
SHA51293cf0afce901b84a4f33d636f61384fb4067dbcb325c23ee0b4723071bc07ec7b5fcb0a2e65f6a12a94bd02186ea65e2d69501b944c17f7e583847eca6ae0f2b
-
Filesize
3.1MB
MD58538cc53fd4119591abd013f06d128d1
SHA139baf7deeec73f5b121f828a01e1ebc8c048cee4
SHA256cdd4364a1f94ae4e1e7e5338eb77ac491d21077ebcd693d82cc017277e64c903
SHA51293cf0afce901b84a4f33d636f61384fb4067dbcb325c23ee0b4723071bc07ec7b5fcb0a2e65f6a12a94bd02186ea65e2d69501b944c17f7e583847eca6ae0f2b
-
Filesize
3.1MB
MD5dd0d4d99c94877a69ddd9401239a66fb
SHA1eaf899526878b3142ed78ce91394afe290227041
SHA25683be8f048b2783af5632992bbca47424328a29055a889c8dde9ff663f0347b7f
SHA5126d385cb669c284878b399f7e14209bbd95aa1fa38f93b9596245758a1429443c66849bad286045d227e020ea934cf17f942684552513a0217950a9d40aa14424
-
Filesize
3.1MB
MD58538cc53fd4119591abd013f06d128d1
SHA139baf7deeec73f5b121f828a01e1ebc8c048cee4
SHA256cdd4364a1f94ae4e1e7e5338eb77ac491d21077ebcd693d82cc017277e64c903
SHA51293cf0afce901b84a4f33d636f61384fb4067dbcb325c23ee0b4723071bc07ec7b5fcb0a2e65f6a12a94bd02186ea65e2d69501b944c17f7e583847eca6ae0f2b