Analysis
max time kernel: 1957300s
max time network: 130s
platform: android_x86
resource: android-x86-arm-20231215-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
submitted: 16-12-2023 22:01
Static task: static1
Behavioral task: behavioral1
  Sample: 76aae1533f1aca39631fe0a053338850966815e808332ce67ea3c0b4cd85a174.apk
  Resource: android-x86-arm-20231215-en
Behavioral task: behavioral2
  Sample: 76aae1533f1aca39631fe0a053338850966815e808332ce67ea3c0b4cd85a174.apk
  Resource: android-x64-20231215-en
General
Target: 76aae1533f1aca39631fe0a053338850966815e808332ce67ea3c0b4cd85a174.apk
Size: 3.5MB
MD5: beeec17e265835b9dfc76f076664fdfd
SHA1: 480d53259e0950af363236f289166edca189a742
SHA256: 76aae1533f1aca39631fe0a053338850966815e808332ce67ea3c0b4cd85a174
SHA512: f10b45b2949cf98d45518cc5f82f88c13ea64388f179295ef63428c0764ad617347ad30f7d8f7248fff076f580c5f78aa63f42f807227ab05cbee68dc0ba489a
SSDEEP: 49152:EUHKPS8aJluK5r1f0LRf7XMISsO0zjoK80obeW/9X16z2yrrH7MdBylHZIFW6B:6GP3bsf78Kzjo8SeWZwz2yLC106B
Malware Config
Extracted: alienbot
  C2 URL: http://asayratermalhotel.xyz
Extracted: alienbot
  C2 URL: http://asayratermalhotel.xyz
(The configuration was extracted twice, once per behavioral task; both extractions yield the same family and the same C2 URL.)
Signatures
Alienbot
Alienbot is a fork of the Cerberus banker, first seen in January 2020.
Cerberus payload (2 IoCs)
Processes:
resource | yara_rule
/data/data/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json | family_cerberus
/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json | family_cerberus
Note: on Android /data/data is a symlink to /data/user/0, so both rows refer to the same file; the YARA rule fired once per path, not on two distinct payloads.
Makes use of the framework's Accessibility service (2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes: garlic.picnic.hungry
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | garlic.picnic.hungry
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | garlic.picnic.hungry
Removes its main activity from the application launcher (1 IoC; signature title recovered from the process tree below, where it is listed for PID 4213)
Processes: garlic.picnic.hungry
pid | process
4213 | garlic.picnic.hungry
Loads dropped Dex/Jar (3 IoCs)
Runs an executable file dropped to the device during analysis.
Processes: garlic.picnic.hungry (PID 4213), /system/bin/dex2oat (PID 4239)
ioc | pid | process
/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json | 4213 | garlic.picnic.hungry
/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json | 4239 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/oat/x86/toMxiA.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json | 4213 | garlic.picnic.hungry
Note: the staged file carries a .json extension but is handed to dex2oat as --dex-file and matches the family_cerberus YARA rule above, so the extension is a disguise for a DEX payload written into the app's private app_DynamicOptDex directory; the compiled output is placed at app_DynamicOptDex/oat/x86/toMxiA.odex.
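The pattern above (dex2oat compiling a file from an app's private data directory under a non-code extension) is the one a detection engineer would want to catch generically rather than by file name. The following Python script is an added example and is not part of this report or of the sandbox's own tooling: it parses dex2oat command lines out of a process list, classifies where each --dex-file input lives, and checks a file body for the DEX magic. The process entries are constructed to mirror this report's process tree; the com.example.benign entry is an invented control case, and the byte strings are constructed too.

```python
import re
import shlex
from os.path import basename

# Constructed sample process list (pid, command line), modelled on the report's
# process tree; the com.example.benign entry is invented as a benign control case.
SAMPLE_PROCESSES = [
    (4213, "garlic.picnic.hungry"),
    (4239, "/system/bin/dex2oat --instruction-set=x86 "
           "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
           "--dex-file=/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json "
           "--output-vdex-fd=41 --oat-fd=42 "
           "--oat-location=/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/oat/x86/toMxiA.odex "
           "--compiler-filter=quicken --class-loader-context=&"),
    (4300, "/system/bin/dex2oat --instruction-set=x86 "
           "--dex-file=/data/app/com.example.benign-1/base.apk "
           "--oat-location=/data/app/com.example.benign-1/oat/x86/base.odex"),
]

# An app's private data directory is /data/user/<n>/<pkg>/ or its /data/data/<pkg>/ alias.
PRIVATE_DATA_RE = re.compile(r"^/data/(?:user/\d+|data)/(?P<pkg>[A-Za-z0-9_.]+)/")
# Extensions under which Android code is normally shipped and compiled.
CODE_EXTENSIONS = {"dex", "jar", "apk", "zip"}


def dex_files_of(cmdline):
    """Return every --dex-file= argument of a dex2oat command line ([] if not dex2oat)."""
    tokens = shlex.split(cmdline)
    if not tokens or basename(tokens[0]) != "dex2oat":
        return []
    return [t[len("--dex-file="):] for t in tokens if t.startswith("--dex-file=")]


def classify_dex_path(path):
    """Classify where a dex2oat input comes from; returns (verdict, package or None).

    installed_code        : outside any app private directory (/data/app, /system, ...)
    dropped_dex           : inside an app's private directory, with a code extension
    dropped_dex_disguised : inside an app's private directory, with a non-code extension
    """
    m = PRIVATE_DATA_RE.match(path)
    if m is None:
        return "installed_code", None
    name = basename(path)
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    verdict = "dropped_dex" if ext in CODE_EXTENSIONS else "dropped_dex_disguised"
    return verdict, m.group("pkg")


def scan_processes(processes):
    """Return one finding per dex2oat input that is staged in an app's private storage."""
    findings = []
    for pid, cmdline in processes:
        for path in dex_files_of(cmdline):
            verdict, pkg = classify_dex_path(path)
            if verdict != "installed_code":
                findings.append({"pid": pid, "verdict": verdict,
                                 "package": pkg, "path": path})
    return findings


DEX_MAGIC = b"dex\n"  # a DEX header starts with "dex\n", a 3-digit version and a NUL


def looks_like_dex(data):
    """True if the first 8 bytes carry a DEX magic, whatever the file's extension says."""
    return (len(data) >= 8 and data[:4] == DEX_MAGIC
            and data[4:7].isdigit() and data[7:8] == b"\x00")


if __name__ == "__main__":
    for finding in scan_processes(SAMPLE_PROCESSES):
        print(finding)
    # Constructed payloads: a minimal DEX header versus the JSON the extension promises.
    print(looks_like_dex(b"dex\n035\x00" + b"\x00" * 0x68))
    print(looks_like_dex(b'{"config": 1}'))
```

Run against the constructed list, only PID 4239 is reported, with verdict dropped_dex_disguised and package garlic.picnic.hungry; the benign base.apk compile is classified as installed_code and dropped. Pairing the path verdict with looks_like_dex on the file's first bytes separates a genuinely dropped DEX from an app that merely keeps JSON in app_DynamicOptDex.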
Acquires the wake lock (1 IoC)
Processes: garlic.picnic.hungry
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | garlic.picnic.hungry
Requests disabling of battery optimizations (often used to enable hiding in the background). (1 IoC)
Processes: garlic.picnic.hungry
description | ioc | process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | garlic.picnic.hungry
Processes
garlic.picnic.hungry (PID 4213)
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  └ /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/oat/x86/toMxiA.odex --compiler-filter=quicken --class-loader-context=& (PID 4239, child of 4213)
    - Loads dropped Dex/Jar
Downloads
Filesize: 455B
MD5: d709cfaaa59e09b5797aeca69275f659
SHA1: bdbbd03d8ad97a4788c3bafedf7faddfa17b7d36
SHA256: 2f4f83ec1de25632ea3947a4b49fb602e0b2d268e73b05fc2cc3ce4f9b3b1f79
SHA512: f0b91f8fa06508f8bc68d867dade088a26d5402d0aabcf5d59b2f41146f444ccfe6f4209eff142a48d4d050fa950d445fd05434237f72170a6adaa52cb5c14c1

Filesize: 483KB
MD5: a96ec73a6993ae5accddf47675ac5ca7
SHA1: 63937376378c3fade65c3dd544bfc59d9a7850fd
SHA256: 772ca1b6b3231c91284f0e64187a47315ff5a3b81decac76600dd30b3b303e4b
SHA512: 77eac3a89d4985c11286c3d46fa60d057eca907c0bbfe23291aa67c671fb0b023572768152ebadc7c7a97fca93eb1a8674a737ef405d77f2fbb6acdf49dcc7d6

Filesize: 483KB
MD5: 7f9182268a63ef30c1ccca408a37ace8
SHA1: 71d54110c93e7cc9038376dd0a0b6267d58577b2
SHA256: 9872e545d5d52bbe812541012ec6b22696850c3d15d8827ec73f18708ae1b03e
SHA512: 400bb73b828dd9f745fbd5f03770e6fb3db8466083477879f8da8c96e5aecd8b306654ee82d879de8a1b36b755c965fdf66942a9753b90e79a5977aa4adf09f9

Filesize: 483KB
MD5: 8f4d492f4893d92086d06a0806ef40d1
SHA1: df5327a43bd8e0b3a604abe25b075a2491349383
SHA256: c7297159bbc9592ceb716557ca93b245ada4aaa78231e69384881755f890dcc2
SHA512: eda22971c34531f88e863a856620b7ff01d695ebc44fe4d0b07d06b665cf85cf06776ce4e82b69862089f049fd8c4fe698b3a6959703b0fa3966446e75af4ff9