alienbot | 6bf19afb35a30eed664695da5da89cb40de5e48eea9a2d6c69b45bfcf91a47c2

Analysis

max time kernel
2796369s
max time network
143s
platform
android_x86
resource
android-x86-arm-20231023-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231023-enlocale:en-usos:android-9-x86system
submitted
06-11-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bf19afb35a30eed664695da5da89cb40de5e48eea9a2d6c69b45bfcf91a47c2.apk
Size

1.7MB
MD5

4da61d6c27c249efc85620259be13bac
SHA1

b6956a721bf31f79cbd6d007bfab1ee16802c31d
SHA256

6bf19afb35a30eed664695da5da89cb40de5e48eea9a2d6c69b45bfcf91a47c2
SHA512

f7f758a5d932cb35ce5887d0e9b7c1b74e153bffae7d3fe2b0f444f184d286c2962330348a3d12a19343da76a030200f09404dd141010b7301b2433a7ddd00eb
SSDEEP

49152:ah2aDDwtJtw04TL9p/dimTuFAT5gK+rBXStFjUPzP:s2aHT0Ap/lTKyKVrBXl

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://orgulama.xyz

rc4.plain

Extracted

Family

alienbot

http://orgulama.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json	family_cerberus
/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.sail.chuckle

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.sail.chuckle
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.sail.chuckle

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.sail.chuckle

pid process

4255 com.sail.chuckle
Acquires the wake lock. 1 IoCs

Processes:

com.sail.chuckle

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.sail.chuckle

pid	process
4255	com.sail.chuckle

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.sail.chuckle

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.sail.chuckle/app_DynamicOptDex/oat/x86/cX.odex --compiler-filter=quicken --class-loader-context=&com.sail.chuckle

ioc	pid	process
/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json	4283	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.sail.chuckle/app_DynamicOptDex/oat/x86/cX.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json	4255	com.sail.chuckle

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.sail.chuckle

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.sail.chuckle
Removes a system notification. 1 IoCs
evasion

Processes:

com.sail.chuckle

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.sail.chuckle

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.sail.chuckle

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.sail.chuckle

com.sail.chuckle
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
PID:4255
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.sail.chuckle/app_DynamicOptDex/oat/x86/cX.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4283

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sail.chuckle/app_DynamicOptDex/cX.json

Filesize
238KB

MD5
c7307504191c35338a1fb78c24c4c3a2

SHA1
e7603440cda762b908de3a79429203be9cf312f4

SHA256
b245f6ed1f2b14552828edbfd0a5e439e0d9e0b5ba754d180440d22886edc852

SHA512
dc761219e432b055c2bcf6ceaf5eedd002bfe9363c603e72695830614e6247d8b747b2213451bef4dbbb1127c3fae16f85abdaf9742419d68720946c85057646

Download Submit
/data/data/com.sail.chuckle/app_DynamicOptDex/cX.json

Filesize
238KB

MD5
2b87c8db8b321c64f38d0fc3ed10188d

SHA1
8c0271853633201883c10b82378ebc1b353c01b1

SHA256
4ac244b05b34d82fd620b4f6bf197d9fec53328c6a4e76d4d3925bbc3cd429fa

SHA512
a96cf84c308595131fbc09ebb5f8c3dc4e3e1fc7afd03ecb5a360630ed13b4d6c544abc517f6e70fa6614825e45d2062a952a77764ea3b96fe4cfbaa72583762

Download Submit
/data/data/com.sail.chuckle/app_DynamicOptDex/oat/cX.json.cur.prof

Filesize
488B

MD5
4bfaa3ee1e828e513889ad85ff2b45a1

SHA1
9fbee0e9b93dc7219c48c5f71d27df92e66adb11

SHA256
90b9d44e6bb5e7d2411a266683501610e277b0c2a35c483a45b46150045ca04c

SHA512
5a55cd4452db82d0eea690d369820ae534ff8eb50b052e29e83d7bb47d94391ed1af8f34d3434462734d2e4d8e5c0e350300de0e458f1d3a1e7e11191c90753c

Download Submit
/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json

Filesize
483KB

MD5
e18a5c9ce53a530ff9210dcad42fba24

SHA1
a4f960d6f5e5cfaf2276559370e0ef6a07bb7b7a

SHA256
d52e66c8e7e3ee19661ba640bf190d63847246ac8325528be2d078cf07fc59f2

SHA512
996ec35288147c28ac71b3487bfb300f9f34488000ef28eb36cd2ae9d20db97b3bf113cd62e35b1fb09515fa530f710d3c71a136b23433b1ca6b1e8dcb92b511

Download Submit
/data/user/0/com.sail.chuckle/app_DynamicOptDex/cX.json

Filesize
483KB

MD5
5a232af22aa6875cdac8abdba9d38fe8

SHA1
5031e7c9a0b8d98b4df574b49e55c5a26f89c8a5

SHA256
beab77a17d363c5d01cd9d66c39b8105d66254ae06478d9a5aea5840c428adb3

SHA512
a52ac23d8d8c0032c754b446bfe73d16c20e58498a74dbf4bab7637ebfef9cb38c1258e701bc2140c03f2b29a68dc933d8b2e2984e17b020f6135b736109fe9c

Download Submit