Analysis
max time kernel: 2458162s
max time network: 158s
platform: android_x64
resource: android-x64-20231215-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20231215-en, locale:en-us, os:android-10-x64, system
submitted: 20-12-2023 08:51

Static task: static1

Behavioral task: behavioral1
Sample: 983cd93ceec7451eed08dea0c83b05e9665e8ae0c433b564efcc55657ebc2598.apk

Behavioral task: behavioral2
Sample: 983cd93ceec7451eed08dea0c83b05e9665e8ae0c433b564efcc55657ebc2598.apk
Resource: android-x64-20231215-en
General
Target: 983cd93ceec7451eed08dea0c83b05e9665e8ae0c433b564efcc55657ebc2598.apk
Size: 2.2MB
MD5: 95cfd5efd2526e4166849004b357effe
SHA1: e57518888c1e20a71cfd9e3fb41f04dc6fd066b7
SHA256: 983cd93ceec7451eed08dea0c83b05e9665e8ae0c433b564efcc55657ebc2598
SHA512: d5059df8b04d5b91c2afcddf92f531db82ee7bd65d73273ae6625252605589acd29ffc2b443fe9438e2b9d3ddeb1d63a3c27187f66383e1faf115ad90d0ed032
SSDEEP: 49152:iHujnsSVC4tvraZm6dyNJipahpdUvs8W4Vbr+34opM:Q8Np2ZSkarSVWz0
Malware Config
Extracted
Family: alienbot
C2: http://ukalasey2.com
Signatures
Alienbot
Alienbot is a fork of the Cerberus Android banking trojan, first seen in January 2020.

Cerberus payload (1 IoC)
resource: behavioral2/files/fstream-2.dat
yara_rule: family_cerberus

Makes use of the framework's Accessibility service (2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService. The two IAccessibilityServiceConnection calls below are the framework methods an AccessibilityService uses to walk another app's view tree (by node id and by resource view id), which is how a banker scrapes what is on screen.
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  process: ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  process: ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm
pid 4982: ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm (listed 5 times)
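The framework calls above are a dynamic indicator; the static counterpart an analyst checks first is whether the APK declares an AccessibilityService at all. The following is an added example, not part of this report or of the sandbox's tooling: it parses a decoded AndroidManifest.xml (as produced by apktool or an AXML decoder) and flags an accessibility service together with the overlay/SMS permissions that typically accompany one in a banker. The manifest is constructed for the example; only the package name is taken from the report, and the permission list is a heuristic of my own choosing. The declaration rules it relies on are documented Android requirements (BIND_ACCESSIBILITY_SERVICE plus an intent filter for android.accessibilityservice.AccessibilityService).

```python
"""Static triage of a decoded AndroidManifest.xml for Accessibility-service abuse.

Added example; the manifest below is CONSTRUCTED (only the package name comes
from the sandbox report). An AccessibilityService must be declared with
android.permission.BIND_ACCESSIBILITY_SERVICE and an intent filter for
android.accessibilityservice.AccessibilityService, which is what we look for.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for android:* attributes

# Heuristic (my assumption): permissions that, next to an accessibility
# service, fit the banker pattern of overlays plus SMS/OTP interception.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed manifest; the service class name ".a11y.Svc" is invented.
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}"
          package="ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".a11y.Svc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def accessibility_services(manifest_xml: str) -> list:
    """Return class names of <service> elements declared as AccessibilityServices."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        bound = svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        actions = {act.get(A + "name") for act in svc.iter("action")}
        if bound and "android.accessibilityservice.AccessibilityService" in actions:
            found.append(svc.get(A + "name"))
    return found


def risky_permissions(manifest_xml: str) -> list:
    """Return the declared permissions that are in RISKY_PERMISSIONS, sorted."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(A + "name") for p in root.iter("uses-permission")}
    return sorted(declared & RISKY_PERMISSIONS)


def triage(manifest_xml: str) -> dict:
    """Summarise package, accessibility services, risky permissions and a verdict."""
    root = ET.fromstring(manifest_xml)
    svcs = accessibility_services(manifest_xml)
    perms = risky_permissions(manifest_xml)
    return {
        "package": root.get("package"),
        "accessibility_services": svcs,
        "risky_permissions": perms,
        # Verdict: an accessibility service combined with overlay/SMS rights.
        "suspicious": bool(svcs) and bool(perms),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The check is deliberately narrow: a legitimate screen reader also declares an accessibility service, so the verdict only fires when the service is paired with permissions a screen reader has no use for. Run it over the decoded manifest of the sample to confirm the declaration that the dynamic IoC above implies.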
Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis. The dropped file carries a .json extension but is loaded as code; the oat/GXsTi.json.cur.prof entry under Downloads is the ART profile written for it, which independently shows that the dropped code ran.
ioc: /data/user/0/ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm/app_DynamicOptDex/GXsTi.json
  pid 4982, process ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm (listed twice)
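When pulling the dropped file off the device, do not trust its extension. The following is an added example, not part of this report or of the sandbox's tooling: it classifies a blob by magic bytes, flags a file whose extension claims one format while the content is another (a .json that is really a DEX or a JAR), splits an app-private path into package and relative file, and hashes the blob so it can be matched against the Downloads table. The two paths are taken from the report; all byte samples are constructed stand-ins (a DEX header and an ART profile header only), since the real files are not on this page. The magic numbers are public format constants; ART writes the "pro\0"-prefixed `<name>.cur.prof` under an `oat/` directory beside a secondary dex it has executed.

```python
"""Triage helper for the 'Loads dropped Dex/Jar' signature: identify a dropped
file by content, not by extension.

Added example. Paths are from the report; the byte samples are CONSTRUCTED.
"""
import hashlib
import os
import re

# Public format constants: DEX header, ZIP local-file header (JAR/APK), ELF,
# and the ART profile magic "pro\0" used for the .cur.prof files under oat/.
MAGICS = [
    (b"dex\n", "dex"),
    (b"PK\x03\x04", "zip/jar"),
    (b"\x7fELF", "elf"),
    (b"pro\x00", "art-profile"),
]

# What a file extension claims to be; extensions not listed are not judged.
EXPECTED_BY_EXT = {".json": "json", ".dex": "dex", ".jar": "zip/jar",
                   ".zip": "zip/jar", ".apk": "zip/jar", ".so": "elf",
                   ".prof": "art-profile"}

# /data/user/0/<pkg>/ and /data/data/<pkg>/ are the same app-private directory.
APP_DIR_RE = re.compile(r"^/data/(?:user/\d+|data)/([A-Za-z0-9_.]+)/(.+)$")


def identify(data: bytes) -> str:
    """Classify a blob by leading magic; text starting with { or [ counts as JSON."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    if data.lstrip()[:1] in (b"{", b"["):
        return "json"
    return "unknown"


def is_disguised(path: str, data: bytes) -> bool:
    """True when the extension claims a format and the content is a different one."""
    expected = EXPECTED_BY_EXT.get(os.path.splitext(path)[1].lower())
    return expected is not None and identify(data) != expected


def split_app_path(path: str):
    """Return (package, path relative to the app dir) for an app-private path, else None."""
    m = APP_DIR_RE.match(path)
    return (m.group(1), m.group(2)) if m else None


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 hex digests, to match against the report's Downloads table."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def triage_dropped(path: str, data: bytes) -> dict:
    """Combine path parsing, content identification and hashing for one dropped file."""
    pkg, rel = split_app_path(path) or (None, path)
    return {"package": pkg, "file": rel, "kind": identify(data),
            "disguised": is_disguised(path, data), **hashes(data)}


# Paths from the report; contents constructed (headers only, not real payloads).
DEX_PATH = ("/data/user/0/ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm/"
            "app_DynamicOptDex/GXsTi.json")
PROF_PATH = ("/data/data/ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm/"
             "app_DynamicOptDex/oat/GXsTi.json.cur.prof")
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 24   # constructed DEX header
FAKE_PROF = b"pro\x00" + b"015\x00"          # constructed ART profile header

if __name__ == "__main__":
    for p, d in ((DEX_PATH, FAKE_DEX), (PROF_PATH, FAKE_PROF)):
        print(triage_dropped(p, d))
```

Against the real files pulled from the emulator (`adb pull` of the two paths), the hashes returned by `triage_dropped` can be matched against the Downloads table below to confirm which entry is the disguised DEX; `file` is a fine substitute for `identify` on a workstation, the point is simply to never rely on the `.json` name.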
Downloads
Download 1
Filesize: 767KB
MD5: 2bc89aade90294152d7ea29e36ac48e9
SHA1: 4d1e4ca7044e97798aa88eb6829e3664dc41628b
SHA256: 34fe80e5af092d641e11e042f7aec42f9b68231959c113e28c801741c18ce211
SHA512: ad0a3b986677910e77e5466f8d5b4eb4255e5ec313283f3dadc22458382971f1416114df51d400a27ff8de0eb6c0a79977ccbe6b665c5fa8c71f7074336914ef

Download 2
Filesize: 767KB
MD5: d4d6d0f4cbfe76d620ced317c2240137
SHA1: f62e5ac2e1f388b074907da335979acc4abb2919
SHA256: 1e968ee9b7a194c662b4fab586c6ed7139101b742b22258b7580012a420483bc
SHA512: 312c16a82c21d1d2a7e013352d4ffbc039de27f6b680898e2c72e8d9395d9e28a77006d678b99a99649a4abecf089dbb8be304accb9286f1830086b6b32cdbb6

Download 3: /data/data/ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm/app_DynamicOptDex/oat/GXsTi.json.cur.prof
Filesize: 380B
MD5: 81f5afa074470eb7146e447c903865fa
SHA1: 39a71a971787eb3d88972adf541ce15088fdd03a
SHA256: d0b3f13f9d238b42c7944535fa2145443167387c11d75e81bce31057473835e8
SHA512: 9cb407ca2727090b5705e4014ad1e060ce8bb23c0fd8db8989afd293c5f315cd1b002c4a10753988bfc48f8dba48b32b09c129523c2afae3704b52bda3e61db1