Overview

overview

10

Static

static

6

76aae1533f...74.apk

android-9-x86

10

76aae1533f...74.apk

android-10-x64

10

76aae1533f...74.apk

android-11-x64

10

Analysis

  • max time kernel
    2533628s
  • max time network
    66s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
  • submitted
    23-12-2023 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    76aae1533f1aca39631fe0a053338850966815e808332ce67ea3c0b4cd85a174.apk

  • Size

    3.5MB

  • MD5

    beeec17e265835b9dfc76f076664fdfd

  • SHA1

    480d53259e0950af363236f289166edca189a742

  • SHA256

    76aae1533f1aca39631fe0a053338850966815e808332ce67ea3c0b4cd85a174

  • SHA512

    f10b45b2949cf98d45518cc5f82f88c13ea64388f179295ef63428c0764ad617347ad30f7d8f7248fff076f580c5f78aa63f42f807227ab05cbee68dc0ba489a

  • SSDEEP

    49152:EUHKPS8aJluK5r1f0LRf7XMISsO0zjoK80obeW/9X16z2yrrH7MdBylHZIFW6B:6GP3bsf78Kzjo8SeWZwz2yLC106B

Score
10/10
alienbotcerberusbankerevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://asayratermalhotel.xyz

rc4.plain

Extracted

Family

alienbot

C2

http://asayratermalhotel.xyz

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 2 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Loads dropped Dex/Jar 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests enabling of the accessibility settings. 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion

Processes

  • garlic.picnic.hungry
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests enabling of the accessibility settings.
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4221
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/garlic.picnic.hungry/app_DynamicOptDex/oat/x86/toMxiA.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4246

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/garlic.picnic.hungry/app_DynamicOptDex/oat/toMxiA.json.cur.prof
    Filesize

    489B

    MD5

    5340edf7b15956efdde6087ae39403fe

    SHA1

    c1feca3b29c56d8e0a5c1c8ab2bbb8f179010a8c

    SHA256

    f139c4723931ae087741141bd469636f9f0de15cf0cc5cd04f82c3c2859419dd

    SHA512

    c30e4602cef2ec889bb7c9146e7696832e1c0f7c3a95b688cec1bfd8f7fa3f2930c3f514d00d19517ae6b763a279e5955e9db88de1cce588c5107ff773c1246b

    Download Submit

  • /data/data/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json
    Filesize

    483KB

    MD5

    a96ec73a6993ae5accddf47675ac5ca7

    SHA1

    63937376378c3fade65c3dd544bfc59d9a7850fd

    SHA256

    772ca1b6b3231c91284f0e64187a47315ff5a3b81decac76600dd30b3b303e4b

    SHA512

    77eac3a89d4985c11286c3d46fa60d057eca907c0bbfe23291aa67c671fb0b023572768152ebadc7c7a97fca93eb1a8674a737ef405d77f2fbb6acdf49dcc7d6

    Download Submit

  • /data/data/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json
    Filesize

    483KB

    MD5

    7f9182268a63ef30c1ccca408a37ace8

    SHA1

    71d54110c93e7cc9038376dd0a0b6267d58577b2

    SHA256

    9872e545d5d52bbe812541012ec6b22696850c3d15d8827ec73f18708ae1b03e

    SHA512

    400bb73b828dd9f745fbd5f03770e6fb3db8466083477879f8da8c96e5aecd8b306654ee82d879de8a1b36b755c965fdf66942a9753b90e79a5977aa4adf09f9

    Download Submit

  • /data/user/0/garlic.picnic.hungry/app_DynamicOptDex/toMxiA.json
    Filesize

    483KB

    MD5

    8f4d492f4893d92086d06a0806ef40d1

    SHA1

    df5327a43bd8e0b3a604abe25b075a2491349383

    SHA256

    c7297159bbc9592ceb716557ca93b245ada4aaa78231e69384881755f890dcc2

    SHA512

    eda22971c34531f88e863a856620b7ff01d695ebc44fe4d0b07d06b665cf85cf06776ce4e82b69862089f049fd8c4fe698b3a6959703b0fa3966446e75af4ff9

    Download Submit