Overview

Score  Task / sample            Platform
10     Static (static)          -
7      09c28d864e...ad.apk      android-9-x86
10     09c28d864e...ad.apk      android-10-x64
10     09c28d864e...ad.apk      android-11-x64
10     about1d.html             windows7-x64
1      about1d.html             windows10-2004-x64
1      about2d.html             windows7-x64
1      about2d.html             windows10-2004-x64
1      app.2d89045a.js          windows7-x64
1      app.2d89045a.js          windows10-2004-x64
1      app.html                 windows7-x64
1      app.html                 windows10-2004-x64
1      app_get_version.html     windows7-x64
1      app_get_version.html     windows10-2004-x64
1      aps-mraid.js             windows7-x64
1      aps-mraid.js             windows10-2004-x64
1      bakchat_privacy.htm      windows7-x64
1      bakchat_privacy.htm      windows10-2004-x64
1      base.js                  windows7-x64
1      base.js                  windows10-2004-x64
1      error.js                 windows7-x64
1      error.js                 windows10-2004-x64
1      home.html                windows7-x64
1      home.html                windows10-2004-x64
1      index.html               windows7-x64
1      index.html               windows10-2004-x64
1      jquery-history.js        windows7-x64
1      jquery-history.js        windows10-2004-x64
1      jquery-res...min.js      windows7-x64
1      jquery-res...min.js      windows10-2004-x64
1      jsbridge.js              windows7-x64
1      jsbridge.js              windows10-2004-x64
1      libwbsafeedit_64         ubuntu-18.04-amd64
Analysis

max time kernel: 3400876s
max time network: 150s
platform: android_x86
resource: android-x86-arm-20231023-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20231023-en, locale:en-us, os:android-9-x86, system
submitted: 13-11-2023 22:00
Tasks

Task          Sample                                                                  Resource
static1       (static analysis)                                                       -
behavioral1   09c28d864e89a2686f821d6ec76897620f25113dd954d061eaba74580d7aaaad.apk   android-x86-arm-20231023-en
behavioral2   09c28d864e89a2686f821d6ec76897620f25113dd954d061eaba74580d7aaaad.apk   android-x64-20231023.1-en
behavioral3   09c28d864e89a2686f821d6ec76897620f25113dd954d061eaba74580d7aaaad.apk   android-x64-arm64-20231023-en
behavioral4   about1d.html                                                            win7-20231023-en
behavioral5   about1d.html                                                            win10v2004-20231023-en
behavioral6   about2d.html                                                            win7-20231020-en
behavioral7   about2d.html                                                            win10v2004-20231020-en
behavioral8   app.2d89045a.js                                                         win7-20231023-en
behavioral9   app.2d89045a.js                                                         win10v2004-20231020-en
behavioral10  app.html                                                                win7-20231025-en
behavioral11  app.html                                                                win10v2004-20231023-en
behavioral12  app_get_version.html                                                    win7-20231023-en
behavioral13  app_get_version.html                                                    win10v2004-20231020-en
behavioral14  aps-mraid.js                                                            win7-20231023-en
behavioral15  aps-mraid.js                                                            win10v2004-20231025-en
behavioral16  bakchat_privacy.htm                                                     win7-20231020-en
behavioral17  bakchat_privacy.htm                                                     win10v2004-20231020-en
behavioral18  base.js                                                                 win7-20231023-en
behavioral19  base.js                                                                 win10v2004-20231023-en
behavioral20  error.js                                                                win7-20231023-en
behavioral21  error.js                                                                win10v2004-20231020-en
behavioral22  home.html                                                               win7-20231020-en
behavioral23  home.html                                                               win10v2004-20231025-en
behavioral24  index.html                                                              win7-20231020-en
behavioral25  index.html                                                              win10v2004-20231023-en
behavioral26  jquery-history.js                                                       win7-20231023-en
behavioral27  jquery-history.js                                                       win10v2004-20231025-en
behavioral28  jquery-resizable.min.js                                                 win7-20231023-en
behavioral29  jquery-resizable.min.js                                                 win10v2004-20231020-en
behavioral30  jsbridge.js                                                             win7-20231020-en
behavioral31  jsbridge.js                                                             win10v2004-20231020-en
behavioral32  libwbsafeedit_64                                                        ubuntu1804-amd64-20231026-en
General

Target: 09c28d864e89a2686f821d6ec76897620f25113dd954d061eaba74580d7aaaad.apk
Size: 3.4MB
MD5: f88c7b5245048b8ec686069d09e51b4e
SHA1: fb0b1e93c3e9bef83e23dcfa4f7f344daeaacd4d
SHA256: 09c28d864e89a2686f821d6ec76897620f25113dd954d061eaba74580d7aaaad
SHA512: a8c9f4b8546fc93ac4711fd8b3dd8e64c200575a680f99eedc824361599726a9fab182482a8f1fc7ad308fcb830dadedfa7d916b31b4dccfac99f8630121b8d5
SSDEEP: 49152:OzlRn+EDrtUJsVhHYqS8Vog3VVYEAGFBt5m0jXi3LX5zZk0xGKWY6FM41mMkL+X2:OzlZ7DrtM5q9zYRGFQ8XiT5FkgsQ+m
Malware Config

Extracted
Family: alienbot
C2: http://heycock333.com
Signatures

Alienbot
Alienbot is a fork of the Cerberus banker, first seen in January 2020.

Cerberus payload (4 IoCs)
resource                                                        yara_rule
/data/data/impact.flight.hobby/app_DynamicOptDex/kmjXC.json     family_cerberus
/data/user/0/impact.flight.hobby/app_DynamicOptDex/kmjXC.json   family_cerberus (reported three times)
The two paths are the same file: /data/data/<pkg> is a symlink to /data/user/0/<pkg> on Android. Despite the .json name it is the second-stage DEX payload, which is why the family_cerberus YARA rule matches it and why dex2oat is later invoked with it as --dex-file.

Makes use of the framework's Accessibility service. (2 IoCs)
description              ioc                                                                                                   process
Framework service call   android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId   impact.flight.hobby
Framework service call   android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId           impact.flight.hobby

Removes its main activity from the application launcher (1 IoC)
pid    process
4257   impact.flight.hobby

Acquires the wake lock. (1 IoC)
description              ioc                                          process
Framework service call   android.os.IPowerManager.acquireWakeLock     impact.flight.hobby

Loads dropped Dex/Jar (3 IoCs)
Runs executable file dropped to the device during analysis.
ioc                                                             pid    process
/data/user/0/impact.flight.hobby/app_DynamicOptDex/kmjXC.json   4257   impact.flight.hobby
/data/user/0/impact.flight.hobby/app_DynamicOptDex/kmjXC.json   4283   /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/impact.flight.hobby/app_DynamicOptDex/kmjXC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/impact.flight.hobby/app_DynamicOptDex/oat/x86/kmjXC.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/impact.flight.hobby/app_DynamicOptDex/kmjXC.json   4257   impact.flight.hobby
The dex2oat invocation is the concrete evidence of runtime code loading: the app handed a file it wrote into its own private directory (app_DynamicOptDex) to the ART compiler, and the resulting kmjXC.odex is what actually executes. The installed APK's own code never appears in this command line.

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 IoC)
description     ioc                                                       process
Intent action   android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS     impact.flight.hobby

Removes a system notification. (1 IoC)
description              ioc                                                          process
Framework service call   android.app.INotificationManager.cancelNotificationWithTag   impact.flight.hobby
Processes

impact.flight.hobby (PID 4257)
  - Makes use of the framework's Accessibility service.
  - Removes its main activity from the application launcher
  - Acquires the wake lock.
  - Loads dropped Dex/Jar
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Removes a system notification.
  └─ /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/impact.flight.hobby/app_DynamicOptDex/kmjXC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/impact.flight.hobby/app_DynamicOptDex/oat/x86/kmjXC.odex --compiler-filter=quicken --class-loader-context=& (PID 4283)
       - Loads dropped Dex/Jar
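The dex2oat command line and framework calls listed in the signatures and process tree, run through a small detector. This is an added example and not the sandbox vendor's code or anything shipped with the report: the event-record layout, scan_events and classify_payload are this example's own construction, while the DEX and zip magic values and the 0x70 DEX header size are format constants. The benign dex2oat line for /data/app/impact.flight.hobby-1/base.apk is constructed to show what must not be flagged.

```python
"""Detection logic for the behaviours reported above: dex2oat compiling code out of the
app's private data directory (the dropped DEX staged under a .json name) and the framework
service calls / intent actions behind the Accessibility, wake-lock, notification and
battery-optimisation signatures. Added example; the event-record layout is invented here."""
import shlex
import struct

# Format constants: DEX versions ART accepts, the zip local-file header an APK/JAR starts
# with, and the fixed DEX header size.
DEX_MAGICS = (b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0")
ZIP_MAGIC = b"PK\x03\x04"
DEX_HEADER_SIZE = 0x70

# Framework service calls and intent actions mapped to the signature names used in the report.
FRAMEWORK_SIGNATURES = {
    "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId":
        "Makes use of the framework's Accessibility service.",
    "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId":
        "Makes use of the framework's Accessibility service.",
    "android.os.IPowerManager.acquireWakeLock": "Acquires the wake lock.",
    "android.app.INotificationManager.cancelNotificationWithTag": "Removes a system notification.",
    "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS":
        "Requests disabling of battery optimizations (often used to enable hiding in the background).",
}


def dex_file_from_dex2oat(cmdline):
    """Return the --dex-file argument of a dex2oat command line, or None for any other process."""
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("/dex2oat"):
        return None
    for arg in argv[1:]:
        if arg.startswith("--dex-file="):
            return arg[len("--dex-file="):]
    return None


def is_private_dir_load(path, package):
    """True when the code being compiled lives in the package's writable private directory
    rather than in its installed APK under /data/app."""
    return path.startswith((f"/data/data/{package}/", f"/data/user/0/{package}/"))


def classify_payload(data):
    """Identify a dropped file by magic bytes, ignoring its extension. For DEX, also check
    that the header's file_size matches the buffer and header_size is the fixed 0x70."""
    if data.startswith(DEX_MAGICS):
        version = data[4:7].decode()
        if len(data) < 40:
            return {"kind": "dex", "version": version, "file_size": None, "size_ok": False}
        # DEX header layout: magic[8] checksum[4] signature[20] file_size[4] header_size[4] ...
        file_size, header_size = struct.unpack_from("<II", data, 32)
        return {"kind": "dex", "version": version, "file_size": file_size,
                "size_ok": file_size == len(data) and header_size == DEX_HEADER_SIZE}
    if data.startswith(ZIP_MAGIC):
        return {"kind": "zip"}
    return {"kind": "unknown"}


def scan_events(events, package):
    """Walk event records and return the report signatures they trigger plus every path
    dex2oat was asked to compile from the private directory. Record shapes (constructed):
    {"type": "process", "pid": int, "cmdline": str}, {"type": "framework_call", "name": str},
    {"type": "intent", "action": str}."""
    hits, dropped = set(), []
    for ev in events:
        if ev["type"] == "process":
            dex = dex_file_from_dex2oat(ev["cmdline"])
            if dex and is_private_dir_load(dex, package):
                hits.add("Loads dropped Dex/Jar")
                dropped.append(dex)
        else:
            key = ev.get("name") or ev.get("action")
            if key in FRAMEWORK_SIGNATURES:
                hits.add(FRAMEWORK_SIGNATURES[key])
    return {"signatures": sorted(hits), "dropped_code": dropped}


# Constructed sample: the dex2oat line and framework calls from the report, plus a benign
# compile of the installed APK (hypothetical path) that must not be flagged.
PACKAGE = "impact.flight.hobby"
DEX2OAT_DROPPED = (
    "/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art "
    "--runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/impact.flight.hobby/app_DynamicOptDex/kmjXC.json --output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/impact.flight.hobby/app_DynamicOptDex/oat/x86/kmjXC.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)
DEX2OAT_BENIGN = "/system/bin/dex2oat --dex-file=/data/app/impact.flight.hobby-1/base.apk --oat-fd=5"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4257, "cmdline": "impact.flight.hobby"},
    {"type": "framework_call",
     "name": "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId"},
    {"type": "framework_call", "name": "android.os.IPowerManager.acquireWakeLock"},
    {"type": "intent", "action": "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    {"type": "process", "pid": 4283, "cmdline": DEX2OAT_DROPPED},
    {"type": "process", "pid": 4300, "cmdline": DEX2OAT_BENIGN},
]

# Constructed 112-byte DEX: valid magic, zeroed checksum/signature, header file_size == len(data).
FAKE_DEX = (b"dex\n035\0" + b"\0" * 24
            + struct.pack("<II", DEX_HEADER_SIZE, DEX_HEADER_SIZE)
            + b"\0" * (DEX_HEADER_SIZE - 40))

if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS, PACKAGE))
    print(classify_payload(FAKE_DEX), classify_payload(b'{"cfg": 1}'))
```

Matching on the --dex-file path rather than on the file extension is what catches the .json disguise; the payload classifier is there because the dex2oat argument only tells you what the app asked ART to compile, whereas the magic bytes tell you what the dropped file really is.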
Downloads

File size: 622KB
MD5: 5627f76b92fda448488b6f9fb167b835
SHA1: 74f541fa5e1d426f3bb82454334f00d34f7f95c6
SHA256: 197f023072033f2788068cdd4499d32177d57b88c6f8b925c5bdd64fba34220a
SHA512: d5fc43137dbeb77a65b67d39cd4268d56b8c91f2c9973c796aeea04c627368919481669728b859741ac7af1776bc34ccf9bf153a1abe047f6a8e6dbb24060c2a

File size: 622KB (listed three times in the report)
MD5: 85dbcb13f7578dc1ffc8295208846f14
SHA1: 19923aaa392d629af94889b6e8538086716f97dd
SHA256: 24f996feac74ebaa2f9467af2b32e713388d1a6a28419300d6b6a07d66854dfe
SHA512: 42b6efd59263f7bc5e52ee32b333e05179d099691fb6fc9fae85fada132ac24a4450f33057abaa5e68fc7f9a5a5f96df8621705858fb029cf6fca2692d0a7bf8

File size: 490B
MD5: 389860e589de3767aa2bbc35c1688625
SHA1: b1b0b75352bac49c60be31f73ee56bbe2f03b9c5
SHA256: 39faa2ac05ef2a68d36bb4cedb2e951cfed686a7c097da66f5194a57324c921c
SHA512: 14f4835f6ce5bc14ca855961a2d8c79dc062c55c443ff5042602e5d4d879d7a60f45c6a2ff78f70fbd799a9ac062272c036975d171d037599810f07c51a70011

File size: 622KB
MD5: 8da2c05151a7f880cad3ae35e6203ec9
SHA1: eca76ce37583f1482287eff5b47eb335d833e2e7
SHA256: a56624379337f865467871c79e398ee067ec64032c4e377e1c4b8f3a484b7f2b
SHA512: faae5e9c4cbfc6775b013ea2effb94ed3c15e2f0d126babd3d74edf526cc63b5980e499ac66ad0d6e7fe47defc10b84d026348cf56a4fbffeca343c3773586d3