Analysis
-
max time kernel
3789076s -
max time network
150s -
platform
android_x86 -
resource
android-x86-arm-20231215-en -
resource tags
-
submitted
26-12-2023 20:00
General
-
Target
8a9e2ecc89f8190eeda6a5574222d764.apk
-
Size
1.5MB
-
MD5
8a9e2ecc89f8190eeda6a5574222d764
-
SHA1
cbda65c114994affc4f0a87567398c0a11e42776
-
SHA256
1c530b6be1b94f43588b7a3cc3bf3c41b4ad5cc1c687ca6a64be628019d49f3c
-
SHA512
c02a92f23171221beaae3f75cb869947e9f661c6cd20cd1ead675e8ece1197234087cd1bf657e91094fe49295931197bad12f73e0596552e0682a65934cc084f
-
SSDEEP
24576:H547kbuQ7rkgnwIlnrfH/4w2TedoHNj/Ldz4iid2UurtNc3+FTrtIOk9RKgJ:zpnwI9rfH/3dWNrLdz40dRFvtIOk9oI
Malware Config
Extracted
alienbot
http://operolstels12.site
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Cerberus payload 2 IoCs
-
Makes use of the framework's Accessibility service 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Removes its main activity from the application launcher 1 IoCs
-
Loads dropped Dex/Jar 3 IoCs
Runs executable file dropped to the device during analysis.
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
Processes
-
lcpratmbqgenqximrlium.akur.leidcbirxeoxjzldtcfmdruputm1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/lcpratmbqgenqximrlium.akur.leidcbirxeoxjzldtcfmdruputm/app_DynamicOptDex/lsAQxI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/lcpratmbqgenqximrlium.akur.leidcbirxeoxjzldtcfmdruputm/app_DynamicOptDex/oat/x86/lsAQxI.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
697KB
MD502d6e5c8c2337819ace0deabfa00916e
SHA1b8c87309d63960c6ff134a0c0c6244243be49efc
SHA2563bb6d4ac366b9c3e319b5cb9be1fd5b6d6f4a90aae6b86015b7322134b66bd67
SHA512f44d3d5c5bba50fdff5ed49179b2068edd95f26c452a5d7732df8bbfd78bd0387d579c6eca876ea5c76956f45b2028ffb9ab0c545842cb64cd7492ced684888a
-
Filesize
697KB
MD533dcd9ea315e89c4bca5a277ede79580
SHA1c5e3dfdb2457cbd7a017ea072b87d2a27fc44631
SHA25610b1f93f0ed459e9ae7d783e45589988dd1582db26a8bccf44d8e2e25f97a817
SHA5122459c321cfc895ba175e5ad539def3fdd358c9bd2bcfc8a67865ed2ee5c3afe8c60824bfa19b4ab45ac6ac3f6137809df1ba93b8d012b248cb7c6be8a2202c57
-
Filesize
474B
MD5ca101d561a4ec895995b21a4aeb84038
SHA13ef8d0b9edbf7c458c1630a91894807e4a119abe
SHA256aa637ec1edc3c5a450d4e267ea5bc880a2313984f37996b19948b8cd29fb0888
SHA512bbdc57e6c237f6d1de8fe605411dbf84f8c043ed5f17743d2a5da5bb9da675c86e41c690606caea248c2d7c090fbc4b7e271b714115f772147fea76efdb8bb7e
-
Filesize
697KB
MD5be6c3cc56ccd85aca86abf73d1320d71
SHA17541557f7b78a44b61656d2f9030d9ecd78a6293
SHA2566d373b2ba92e1b7a3ad48ed8739dac532230bc4ecc97e0042d289bb0a97d725c
SHA512b1dc2c7872592418ae422d73235cf25191f959d6b5a32c16575bc0c8ea8f9563bad2a1af3a6a0a0d27676d07b46b8e106b2bb281cf87d9be3127520142e800db