alienbot | d4940401398aaeac4b523dca648577b1f39646f5942a19d62275df539afaa078

Analysis

max time kernel
3056253s
max time network
139s
platform
android_x86
resource
android-x86-arm-20231023-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231023-enlocale:en-usos:android-9-x86system
submitted
09-11-2023 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4940401398aaeac4b523dca648577b1f39646f5942a19d62275df539afaa078.apk
Size

2.4MB
MD5

97b271ea24a9a983d381bf6f43df4e77
SHA1

04ea7bb813711a257949e64621f6110c2a0f3ba1
SHA256

d4940401398aaeac4b523dca648577b1f39646f5942a19d62275df539afaa078
SHA512

cd0c32a7c1f80723d224f7ee17fbff0c8d8903616795a047bc425a9e09cc6c6504d37b2ec303ed791a98ed2c559097ebfec7646b81d062af3a1a524e00e24987
SSDEEP

49152:rq0nLgpDpZ4lXrfXVCw5KvGEgXqV/W68dqPHONkhLCivXr/+d4+daP9KDQNrqMgE:bLgQXLXjoXexOlLCivXr26Om8Q1BgE

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://androidplayprotect.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 4 IoCs

Processes:

resource	yara_rule
/data/data/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json	family_cerberus
/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json	family_cerberus
/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json	family_cerberus
/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb

pid process

4244 zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb

pid	process
4244	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/oat/x86/rlbxJMZ.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json	4244	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb
/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json	4270	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/oat/x86/rlbxJMZ.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json	4244	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb

Removes a system notification. 1 IoCs

evasion

Processes:

zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb

zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
PID:4244
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/oat/x86/rlbxJMZ.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4270

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/oat/rlbxJMZ.json.cur.prof

Filesize
459B

MD5
195f6365429f6907d9506f7156d73ff4

SHA1
37e6aadf8290c0098f63657415ec7d48e38452c1

SHA256
392a5703978b4c3c91b2b434d375a657d946ef351a18f628bdf9ef7167894004

SHA512
d0bafb55414ad4c82a4aa88de8304ea89e4c23a4d6a099ea07ee3c0ef39267b77bfc81375dc7347ef455956714c2e270855aaa2be0069d8044250b250dcec168

Download Submit
/data/data/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json

Filesize
673KB

MD5
94ed43749f0815cd8769018d6e46d52b

SHA1
95d9b6e732ca90727e53ad19d4b99f7bdd1f4492

SHA256
3c552dd49bf935458d7ac3e572d8f037b25b02b0c06ff4722a42c240fd87dd7c

SHA512
bce3f79133f5829156088e25be5f8a337b7beb3ca33d118aa6a7c59bbbb2f100de5e73359924475189a376976f842ac2f93ca2415c7e356b1a470af58eebff73

Download Submit
/data/data/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json

Filesize
673KB

MD5
aad1c304c9388c9be1982ea100161c30

SHA1
546dbe1713151ec62ee42d27701bc8d1417c425c

SHA256
2ab80dd9f16a135754a6fb4916d3485ebc26b174efad9b8719ad106d48b58b79

SHA512
7e4ade85719b58bfe0daaf2a1cf4629a65fc1414149b39cbd7cfa9c37835f7fa2bd236b4af24ac7db7a77d9260b40af08dc55e7c16ffd13dae6a4edb3f294d3e

Download Submit
/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json

Filesize
673KB

MD5
aad1c304c9388c9be1982ea100161c30

SHA1
546dbe1713151ec62ee42d27701bc8d1417c425c

SHA256
2ab80dd9f16a135754a6fb4916d3485ebc26b174efad9b8719ad106d48b58b79

SHA512
7e4ade85719b58bfe0daaf2a1cf4629a65fc1414149b39cbd7cfa9c37835f7fa2bd236b4af24ac7db7a77d9260b40af08dc55e7c16ffd13dae6a4edb3f294d3e

Download Submit
/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json

Filesize
673KB

MD5
27a5a50873485a2e84f38d359984d649

SHA1
427e537f7c5fe14f879446fbc5a58784e962605a

SHA256
41aa003e3ebabba60f2afb82cfa57de2a68d4c618a63e5645b33bf871880e45e

SHA512
f64ecdcbe12a01cf2f586cd4b2b689e89be2f854a8c8f87e97fbcaf1a9bb5a0cd9365041f52f21af845e53164f332a0f9ed00a356a97985dc6f0323e0521d78f

Download Submit
/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json

Filesize
673KB

MD5
aad1c304c9388c9be1982ea100161c30

SHA1
546dbe1713151ec62ee42d27701bc8d1417c425c

SHA256
2ab80dd9f16a135754a6fb4916d3485ebc26b174efad9b8719ad106d48b58b79

SHA512
7e4ade85719b58bfe0daaf2a1cf4629a65fc1414149b39cbd7cfa9c37835f7fa2bd236b4af24ac7db7a77d9260b40af08dc55e7c16ffd13dae6a4edb3f294d3e

Download Submit