Analysis

  • max time kernel
    3400876s
  • max time network
    150s
  • platform
    android_x86
  • resource
    android-x86-arm-20231023-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20231023-en, locale:en-us, os:android-9-x86, system
  • submitted
    13-11-2023 22:00

General

  • Target

    09c28d864e89a2686f821d6ec76897620f25113dd954d061eaba74580d7aaaad.apk

  • Size

    3.4MB

  • MD5

    f88c7b5245048b8ec686069d09e51b4e

  • SHA1

    fb0b1e93c3e9bef83e23dcfa4f7f344daeaacd4d

  • SHA256

    09c28d864e89a2686f821d6ec76897620f25113dd954d061eaba74580d7aaaad

  • SHA512

    a8c9f4b8546fc93ac4711fd8b3dd8e64c200575a680f99eedc824361599726a9fab182482a8f1fc7ad308fcb830dadedfa7d916b31b4dccfac99f8630121b8d5

  • SSDEEP

    49152:OzlRn+EDrtUJsVhHYqS8Vog3VVYEAGFBt5m0jXi3LX5zZk0xGKWY6FM41mMkL+X2:OzlZ7DrtM5q9zYRGFQ8XiT5FkgsQ+m

Malware Config

Extracted

Family

alienbot

C2

http://heycock333.com

Signatures

  • Alienbot

    Alienbot is a fork of the Cerberus Android banker, first seen in January 2020.

  • Cerberus

    An Android banker rented out to other actors as malware-as-a-service since 2019.

  • Cerberus payload 4 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Removes its main activity from the application launcher 1 IoCs
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 3 IoCs

    Loads and runs an executable (DEX/JAR) file that was dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Removes a system notification. 1 IoCs
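
The signatures above are behavioural (observed at runtime). A quick static cross-check of the same indicators against a decoded AndroidManifest.xml (as produced by apktool) is shown here as an added example; it is not part of the sandbox report and the manifest embedded below is constructed to mirror the signatures, not the real manifest of this sample. Launcher-icon removal and dropped-DEX loading are runtime calls (setComponentEnabledSetting, DexClassLoader), so the manifest can only show the launcher activity that would be hidden; the other three signatures map to declared permissions and the accessibility service binding.

```python
"""Static cross-check of behavioural signatures against a decoded manifest.
Added example, not from the report. SAMPLE_MANIFEST is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree attribute prefix for android:*

# Constructed manifest; package name taken from the report, everything else assumed.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="impact.flight.hobby">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="app">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

ACC_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACC_ACTION = "android.accessibilityservice.AccessibilityService"


def _names(elem, tag):
    """Set of android:name values of all <tag> descendants of elem."""
    return {e.get(A + "name") for e in elem.iter(tag)}


def find_indicators(manifest_xml: str) -> dict:
    """Map manifest declarations onto the report's signature names."""
    root = ET.fromstring(manifest_xml)
    perms = _names(root, "uses-permission")

    # Accessibility abuse needs a service the framework will bind to:
    # guarded by BIND_ACCESSIBILITY_SERVICE and filtering the AccessibilityService action.
    acc_services = [
        svc.get(A + "name") for svc in root.iter("service")
        if svc.get(A + "permission") == ACC_PERMISSION and ACC_ACTION in _names(svc, "action")
    ]
    # MAIN/LAUNCHER activities are what a runtime
    # setComponentEnabledSetting(COMPONENT_ENABLED_STATE_DISABLED) call would hide.
    launcher = [
        act.get(A + "name") for act in root.iter("activity")
        if "android.intent.action.MAIN" in _names(act, "action")
        and "android.intent.category.LAUNCHER" in _names(act, "category")
    ]
    return {
        "package": root.get("package"),
        "accessibility_services": acc_services,
        "launcher_activities": launcher,
        "wake_lock": "android.permission.WAKE_LOCK" in perms,
        "ignore_battery_optimizations":
            "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS" in perms,
    }


def supported_signatures(indicators: dict) -> list:
    """Report signatures that the manifest alone is consistent with."""
    out = []
    if indicators["accessibility_services"]:
        out.append("Makes use of the framework's Accessibility service.")
    if indicators["wake_lock"]:
        out.append("Acquires the wake lock.")
    if indicators["ignore_battery_optimizations"]:
        out.append("Requests disabling of battery optimizations")
    return out


if __name__ == "__main__":
    ind = find_indicators(SAMPLE_MANIFEST)
    print(ind)
    for sig in supported_signatures(ind):
        print("manifest supports:", sig)
```

A declared accessibility service or WAKE_LOCK is not proof of malice on its own (legitimate accessibility tools declare the same things); the value is in combining these with the runtime evidence in the Processes section, in particular the dex2oat run on a file under app_DynamicOptDex.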

Processes

  • impact.flight.hobby
    1⤵
    • Makes use of the framework's Accessibility service.
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    PID:4257
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/impact.flight.hobby/app_DynamicOptDex/kmjXC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/impact.flight.hobby/app_DynamicOptDex/oat/x86/kmjXC.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4283
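
The dex2oat child process is the key artefact in the tree: the app handed ART a file named kmjXC.json under its private app_DynamicOptDex directory, which is how a dropped DEX disguised with a harmless extension gets compiled and loaded. The helper below is an added example (not part of the report or the malware) that parses that command line to recover the compiled file, its owning package and the output .odex location, then checks a pulled copy of the file for a DEX/ODEX/ZIP header and compares its SHA-256 with the values listed under Downloads. The command line is an abbreviated copy of the one above; the byte string used when no file path is given is a constructed DEX-header stub, not the real dropped payload.

```python
"""Triage helper for the dex2oat / dropped-DEX behaviour in this report.
Added example, not from the report. Usage: python triage_dex.py [pulled_file]"""
import hashlib
import re
import sys
from pathlib import Path

# Abbreviated copy of the dex2oat line from the Processes section above.
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--boot-image=/system/framework/boot.art --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/user/0/impact.flight.hobby/app_DynamicOptDex/kmjXC.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/impact.flight.hobby/app_DynamicOptDex/oat/x86/kmjXC.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# SHA-256 values of the dropped kmjXC.json copies listed under Downloads.
KNOWN_SHA256 = {
    "197f023072033f2788068cdd4499d32177d57b88c6f8b925c5bdd64fba34220a",
    "24f996feac74ebaa2f9467af2b32e713388d1a6a28419300d6b6a07d66854dfe",
    "a56624379337f865467871c79e398ee067ec64032c4e377e1c4b8f3a484b7f2b",
}

# File-type magics dex2oat will happily consume regardless of extension.
MAGICS = [
    (b"dex\n", "dex"),       # Dalvik executable, header "dex\n035\0"
    (b"dey\n", "odex"),      # optimised DEX
    (b"PK\x03\x04", "zip"),  # JAR/APK wrapping a classes.dex
    (b"\x7fELF", "elf"),
]


def parse_dex2oat(cmdline: str) -> dict:
    """Pull the fields an analyst wants out of a dex2oat invocation."""
    def opt(name):
        m = re.search(r"--%s=(\S+)" % re.escape(name), cmdline)
        return m.group(1) if m else None

    dex_file = opt("dex-file")
    pkg = re.search(r"/data/(?:user/\d+|data)/([^/]+)/", dex_file or "")
    return {
        "dex_file": dex_file,
        "oat_location": opt("oat-location"),
        "compiler_filter": opt("compiler-filter"),
        "package": pkg.group(1) if pkg else None,
        # Code handed to dex2oat under a non-code extension is a dropper tell.
        "disguised": bool(dex_file) and not dex_file.endswith((".dex", ".jar", ".apk")),
    }


def classify(data: bytes) -> dict:
    """Identify the real file type by header and match its hash against the IoCs."""
    kind = next((name for magic, name in MAGICS if data.startswith(magic)), "unknown")
    version = data[4:7].decode("ascii", "replace") if kind in ("dex", "odex") else None
    sha256 = hashlib.sha256(data).hexdigest()
    return {"kind": kind, "dex_version": version, "sha256": sha256,
            "known_ioc": sha256 in KNOWN_SHA256}


def scan_file(path) -> dict:
    """Classify a file pulled from the device (e.g. via adb pull)."""
    return classify(Path(path).read_bytes())


# Constructed stand-in for a pulled kmjXC.json: a 0x70-byte DEX header with a
# zeroed body. It is NOT the real dropped file, so known_ioc will be False.
SAMPLE_DEX_STUB = b"dex\n035\x00" + b"\x00" * 0x68

if __name__ == "__main__":
    info = parse_dex2oat(DEX2OAT_CMDLINE)
    print("dex2oat compiled %s for %s (disguised=%s)"
          % (info["dex_file"], info["package"], info["disguised"]))
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else classify(SAMPLE_DEX_STUB)
    print(result)
```

Run it against the real file after pulling it from an analysis device, and expect known_ioc to be True only if the pulled bytes match one of the Downloads entries; the three different hashes for the same path in this report show that the dropper rewrote the file during the run, so a single hash match is not required to confirm the behaviour.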

Downloads

  • /data/data/impact.flight.hobby/app_DynamicOptDex/kmjXC.json

    Filesize

    622KB

    MD5

    5627f76b92fda448488b6f9fb167b835

    SHA1

    74f541fa5e1d426f3bb82454334f00d34f7f95c6

    SHA256

    197f023072033f2788068cdd4499d32177d57b88c6f8b925c5bdd64fba34220a

    SHA512

    d5fc43137dbeb77a65b67d39cd4268d56b8c91f2c9973c796aeea04c627368919481669728b859741ac7af1776bc34ccf9bf153a1abe047f6a8e6dbb24060c2a

  • /data/data/impact.flight.hobby/app_DynamicOptDex/kmjXC.json

    Filesize

    622KB

    MD5

    85dbcb13f7578dc1ffc8295208846f14

    SHA1

    19923aaa392d629af94889b6e8538086716f97dd

    SHA256

    24f996feac74ebaa2f9467af2b32e713388d1a6a28419300d6b6a07d66854dfe

    SHA512

    42b6efd59263f7bc5e52ee32b333e05179d099691fb6fc9fae85fada132ac24a4450f33057abaa5e68fc7f9a5a5f96df8621705858fb029cf6fca2692d0a7bf8

  • /data/data/impact.flight.hobby/app_DynamicOptDex/oat/kmjXC.json.cur.prof

    Filesize

    490B

    MD5

    389860e589de3767aa2bbc35c1688625

    SHA1

    b1b0b75352bac49c60be31f73ee56bbe2f03b9c5

    SHA256

    39faa2ac05ef2a68d36bb4cedb2e951cfed686a7c097da66f5194a57324c921c

    SHA512

    14f4835f6ce5bc14ca855961a2d8c79dc062c55c443ff5042602e5d4d879d7a60f45c6a2ff78f70fbd799a9ac062272c036975d171d037599810f07c51a70011

  • /data/user/0/impact.flight.hobby/app_DynamicOptDex/kmjXC.json

    Filesize

    622KB

    MD5

    85dbcb13f7578dc1ffc8295208846f14

    SHA1

    19923aaa392d629af94889b6e8538086716f97dd

    SHA256

    24f996feac74ebaa2f9467af2b32e713388d1a6a28419300d6b6a07d66854dfe

    SHA512

    42b6efd59263f7bc5e52ee32b333e05179d099691fb6fc9fae85fada132ac24a4450f33057abaa5e68fc7f9a5a5f96df8621705858fb029cf6fca2692d0a7bf8

  • /data/user/0/impact.flight.hobby/app_DynamicOptDex/kmjXC.json

    Filesize

    622KB

    MD5

    8da2c05151a7f880cad3ae35e6203ec9

    SHA1

    eca76ce37583f1482287eff5b47eb335d833e2e7

    SHA256

    a56624379337f865467871c79e398ee067ec64032c4e377e1c4b8f3a484b7f2b

    SHA512

    faae5e9c4cbfc6775b013ea2effb94ed3c15e2f0d126babd3d74edf526cc63b5980e499ac66ad0d6e7fe47defc10b84d026348cf56a4fbffeca343c3773586d3
