Analysis

  • max time kernel
    2458162s
  • max time network
    158s
  • platform
    android_x64
  • resource
    android-x64-20231215-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20231215-en, locale:en-us, os:android-10-x64, system
  • submitted
    20-12-2023 08:51

General

  • Target

    983cd93ceec7451eed08dea0c83b05e9665e8ae0c433b564efcc55657ebc2598.apk

  • Size

    2.2MB

  • MD5

    95cfd5efd2526e4166849004b357effe

  • SHA1

    e57518888c1e20a71cfd9e3fb41f04dc6fd066b7

  • SHA256

    983cd93ceec7451eed08dea0c83b05e9665e8ae0c433b564efcc55657ebc2598

  • SHA512

    d5059df8b04d5b91c2afcddf92f531db82ee7bd65d73273ae6625252605589acd29ffc2b443fe9438e2b9d3ddeb1d63a3c27187f66383e1faf115ad90d0ed032

  • SSDEEP

    49152:iHujnsSVC4tvraZm6dyNJipahpdUvs8W4Vbr+34opM:Q8Np2ZSkarSVWz0

Malware Config

Extracted

Family

alienbot

C2

http://ukalasey2.com

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

  • Cerberus

    An Android banker that has been rented out to actors since 2019.

  • Cerberus payload (1 IoC)
  • Makes use of the framework's Accessibility service (2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher (5 IoCs)
  • Loads dropped Dex/Jar (2 IoCs)

    Runs an executable file dropped on the device during analysis.

Processes

  • ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    PID:4982

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm/app_DynamicOptDex/GXsTi.json

    Filesize

    767KB

    MD5

    2bc89aade90294152d7ea29e36ac48e9

    SHA1

    4d1e4ca7044e97798aa88eb6829e3664dc41628b

    SHA256

    34fe80e5af092d641e11e042f7aec42f9b68231959c113e28c801741c18ce211

    SHA512

    ad0a3b986677910e77e5466f8d5b4eb4255e5ec313283f3dadc22458382971f1416114df51d400a27ff8de0eb6c0a79977ccbe6b665c5fa8c71f7074336914ef

  • /data/data/ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm/app_DynamicOptDex/GXsTi.json

    Filesize

    767KB

    MD5

    d4d6d0f4cbfe76d620ced317c2240137

    SHA1

    f62e5ac2e1f388b074907da335979acc4abb2919

    SHA256

    1e968ee9b7a194c662b4fab586c6ed7139101b742b22258b7580012a420483bc

    SHA512

    312c16a82c21d1d2a7e013352d4ffbc039de27f6b680898e2c72e8d9395d9e28a77006d678b99a99649a4abecf089dbb8be304accb9286f1830086b6b32cdbb6

  • /data/data/ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm/app_DynamicOptDex/oat/GXsTi.json.cur.prof

    Filesize

    380B

    MD5

    81f5afa074470eb7146e447c903865fa

    SHA1

    39a71a971787eb3d88972adf541ce15088fdd03a

    SHA256

    d0b3f13f9d238b42c7944535fa2145443167387c11d75e81bce31057473835e8

    SHA512

    9cb407ca2727090b5705e4014ad1e060ce8bb23c0fd8db8989afd293c5f315cd1b002c4a10753988bfc48f8dba48b32b09c129523c2afae3704b52bda3e61db1