Overview

overview

10

Static

static

7

1b51293002...64.apk

android-9-x86

10

1b51293002...64.apk

android-10-x64

10

1b51293002...64.apk

android-11-x64

10

HM_JsBridge.js

windows7-x64

1

HM_JsBridge.js

windows10-2004-x64

1

consentform.html

windows7-x64

1

consentform.html

windows10-2004-x64

1

Analysis

  • max time kernel
    776962s
  • max time network
    146s
  • platform
    android_x86
  • resource
    android-x86-arm-20230831-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
  • submitted
    14-10-2023 00:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b51293002041bfee9c8daba4eda7fe5b4678ef1b9ee693cced004400bf01d64.apk

  • Size

    2.1MB

  • MD5

    e66ac604e5898c0e639db52ca8258b17

  • SHA1

    d03e3c798a5cc7b8f3f3b521dae119a932d4fb2e

  • SHA256

    1b51293002041bfee9c8daba4eda7fe5b4678ef1b9ee693cced004400bf01d64

  • SHA512

    18de30f7aec32792165b90cad8792ea2946e45616e889a507288a55f1a6dbd9c680a6ca3ef776158685f683f588f3dbd0382c7ab0a1193a502af42eee7bc9b96

  • SSDEEP

    49152:DCU2f145StuFvk2bPEGX69oMfYi0Z0J0801gLzr1k6Dcl1dIpkJaavh/7c5L/Rng:af19EFswMGAff1kyM4Vlw

Score
10/10
alienbotcerberusbankerevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://23.88.40.50

rc4.plain

Extracted

Family

alienbot

C2

http://23.88.40.50

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 2 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Removes a system notification. 1 IoCs
    evasion

Processes

  • com.cattle.way
    1⤵
    • Makes use of the framework's Accessibility service.
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    PID:4163
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.cattle.way/app_DynamicOptDex/oat/x86/efyrx.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4191

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.cattle.way/app_DynamicOptDex/efyrx.json
    Filesize

    238KB

    MD5

    f3985de7f85cf76cfa98e6c1e0477c61

    SHA1

    fed6b8d0fd062b72b031fcb2c65dd0eeda29326c

    SHA256

    77b822ba471e584f6a624e39aa7e30aee06996b75920a5eac9198244d7edfb87

    SHA512

    94a8b72324408f8da621db348bf2aed7c96927da838f611d48b84431334507ca592e260fa48e6adcf63eafde427201bbee079678d998bb8d5d1bc4b8c59d0ec8

    Download Submit

  • /data/data/com.cattle.way/app_DynamicOptDex/efyrx.json
    Filesize

    238KB

    MD5

    b5c02c909a7078df281f55ca9e60af8a

    SHA1

    03068e95674919cdbc49a289b2b33b668dff6a40

    SHA256

    a7828afdec786b19764540a2437575fcac02107139314c4140574b45a9dd159a

    SHA512

    a6d3f5cbf93fe3854be6b9aacc97dde9d4c68954a32ce2323fff648871e027a77ebdaa492c2ded2ceb0e9103ab06d5e95d6345e7ed4feabdc6e405b3f7a139e9

    Download Submit

  • /data/data/com.cattle.way/app_DynamicOptDex/oat/efyrx.json.cur.prof
    Filesize

    487B

    MD5

    a008c2c74b313e135961c3e3cf7a69d4

    SHA1

    1d5cb51d6faa3f82ce856667bc6a18bcab459bb2

    SHA256

    5cb96cdbd1b19e1f8055e95b0210bc06165e423a77297d77bf7e1e435faa48db

    SHA512

    f50dd40d762e607242e3c97045145fd75cb3ae4f4eee293c761ada55071db9ccb0ba3034cc4310c150bab2c63c7ec302da07fd5ca1c6228f4157c6728b458b5e

    Download Submit

  • /data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json
    Filesize

    483KB

    MD5

    2c4612b37cde86d4f83519190d66d5b6

    SHA1

    cb754ec9cc0b9119e31b843e8eeb0660c40c4d81

    SHA256

    971148e5eb4e575e3f5ffcdf26a55e86cc94e64b508f740df8e1be7b66f9b44b

    SHA512

    7dbcc932b9f90a4d4a64737058a6230f7186b381a7f82ce2aa44db2d5ae130daa64b8624242ae5f83e36dd5e371f23cb4463d13c0717237090a39a814efce756

    Download Submit

  • /data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json
    Filesize

    483KB

    MD5

    cd5443f4f22b8a71f1d6aa4c9dc7b95d

    SHA1

    9044803662bf5b81c8181ed5cd92ec45974875db

    SHA256

    5027e406bb115f8b0312928d979392edf7e73bf194ff3712c9bfe2661750452f

    SHA512

    c122c4774f603bff013425b36575f4cd7257b48db9fa86b99477ffc25c71d1d55c7e12fbe86cefeb98bb35bb869abb060b0d02490c987e587c6415f259be926d

    Download Submit