alienbot | d4940401398aaeac4b523dca648577b1f39646f5942a19d62275df539afaa078

Analysis

max time kernel
3056216s
max time network
168s
platform
android_x64
resource
android-x64-arm64-20231023-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231023-enlocale:en-usos:android-11-x64system
submitted
09-11-2023 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4940401398aaeac4b523dca648577b1f39646f5942a19d62275df539afaa078.apk
Size

2.4MB
MD5

97b271ea24a9a983d381bf6f43df4e77
SHA1

04ea7bb813711a257949e64621f6110c2a0f3ba1
SHA256

d4940401398aaeac4b523dca648577b1f39646f5942a19d62275df539afaa078
SHA512

cd0c32a7c1f80723d224f7ee17fbff0c8d8903616795a047bc425a9e09cc6c6504d37b2ec303ed791a98ed2c559097ebfec7646b81d062af3a1a524e00e24987
SSDEEP

49152:rq0nLgpDpZ4lXrfXVCw5KvGEgXqV/W68dqPHONkhLCivXr/+d4+daP9KDQNrqMgE:bLgQXLXjoXexOlLCivXr26Om8Q1BgE

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://androidplayprotect.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 3 IoCs

resource	yara_rule
behavioral3/files/fstream-2.dat	family_cerberus
behavioral3/memory/4339-0.dex	family_cerberus
behavioral3/memory/4339-1.dex	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb

Removes its main activity from the application launcher 8 IoCs

stealth trojan

pid	Process
4339	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb
4339	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb
4339	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb
4339	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb
4339	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb
4339	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb
4339	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb
4339	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json	4339	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb
/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json	4339	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb

zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4339
- getprop ro.miui.ui.version.name
  2⤵
  PID:4436
- getprop ro.miui.ui.version.name
  2⤵
  PID:4558
- getprop ro.miui.ui.version.name
  2⤵
  PID:4683
- getprop ro.miui.ui.version.name
  2⤵
  PID:4715
- getprop ro.miui.ui.version.name
  2⤵
  PID:4758
- getprop ro.miui.ui.version.name
  2⤵
  PID:4795
- getprop ro.miui.ui.version.name
  2⤵
  PID:4821

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/oat/rlbxJMZ.json.cur.prof

Filesize
333B

MD5
d5ed041f69b8acd0701e23356e73d150

SHA1
a399bb9927188d304390f3479ed0a71a90f967a5

SHA256
5de8bac5726d95a1f744a8d66ea0c6e6f66a2874e21ed0cf7d3a63f185751d4d

SHA512
19508f910a692a78649d1c088c77fabc1cc91af49eaf16cba57d76323883e0f072451d88409028ca3fada307beff73e7831e6eafa6a7697e46eeaf6e8f56e818

Download Submit
/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json

Filesize
673KB

MD5
94ed43749f0815cd8769018d6e46d52b

SHA1
95d9b6e732ca90727e53ad19d4b99f7bdd1f4492

SHA256
3c552dd49bf935458d7ac3e572d8f037b25b02b0c06ff4722a42c240fd87dd7c

SHA512
bce3f79133f5829156088e25be5f8a337b7beb3ca33d118aa6a7c59bbbb2f100de5e73359924475189a376976f842ac2f93ca2415c7e356b1a470af58eebff73

Download Submit
/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json

Filesize
673KB

MD5
aad1c304c9388c9be1982ea100161c30

SHA1
546dbe1713151ec62ee42d27701bc8d1417c425c

SHA256
2ab80dd9f16a135754a6fb4916d3485ebc26b174efad9b8719ad106d48b58b79

SHA512
7e4ade85719b58bfe0daaf2a1cf4629a65fc1414149b39cbd7cfa9c37835f7fa2bd236b4af24ac7db7a77d9260b40af08dc55e7c16ffd13dae6a4edb3f294d3e

Download Submit
/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json

Filesize
673KB

MD5
aad1c304c9388c9be1982ea100161c30

SHA1
546dbe1713151ec62ee42d27701bc8d1417c425c

SHA256
2ab80dd9f16a135754a6fb4916d3485ebc26b174efad9b8719ad106d48b58b79

SHA512
7e4ade85719b58bfe0daaf2a1cf4629a65fc1414149b39cbd7cfa9c37835f7fa2bd236b4af24ac7db7a77d9260b40af08dc55e7c16ffd13dae6a4edb3f294d3e

Download Submit
/data/user/0/zjfklmwhkzlm.ejrpibkfullinntk.osjpmnjjbkzdheqjueb/app_DynamicOptDex/rlbxJMZ.json

Filesize
673KB

MD5
aad1c304c9388c9be1982ea100161c30

SHA1
546dbe1713151ec62ee42d27701bc8d1417c425c

SHA256
2ab80dd9f16a135754a6fb4916d3485ebc26b174efad9b8719ad106d48b58b79

SHA512
7e4ade85719b58bfe0daaf2a1cf4629a65fc1414149b39cbd7cfa9c37835f7fa2bd236b4af24ac7db7a77d9260b40af08dc55e7c16ffd13dae6a4edb3f294d3e

Download Submit