Analysis

  • max time kernel
    3675380s
  • max time network
    151s
  • platform
    android_x64
  • resource
    android-x64-arm64-20231215-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20231215-en, locale:en-us, os:android-11-x64, system
  • submitted
    31-12-2023 06:27

General

  • Target

    2bb048ef6c2ae453237650763f4ee065.apk

  • Size

    3.1MB

  • MD5

    2bb048ef6c2ae453237650763f4ee065

  • SHA1

    eeb2a442ef58b2f3abeae720f15bc5058924ccd0

  • SHA256

    83934375e68f23ced6f95e54354577f2fa3278b7098b28687f5c38f2ace053f5

  • SHA512

    d78a1c6ead06aeb33b6cca7d5a339583bab49f338ad42e233d13773248c6434a9f5b3f23a68f8fa79160c4c35141e1f02f5a2b2f34ff15babe24f8237268b893

  • SSDEEP

    98304:MTQpH215uQA20mL96k4Ri/RQKPAt2IZ8U0:MTYmAQA2rL9eipbPAtQ

Malware Config

Extracted

Family

alienbot

C2

http://abindizzobremin.ml

rc4.plain

Extracted

Family

alienbot

C2

http://abindizzobremin.ml

Signatures

  • Alienbot

    Alienbot is a fork of the Cerberus Android banker, first seen in January 2020.

  • Cerberus

    An Android banking trojan that has been rented out to other actors (malware-as-a-service) since 2019.

  • Cerberus payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 8 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Loads a Dex/Jar file that was dropped to the device during analysis (dynamic code loading).

  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

Processes

  • wave.stuff.pulse
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4614

Network

MITRE ATT&CK Matrix

Downloads

  • /data/user/0/wave.stuff.pulse/app_DynamicOptDex/Ddq.json

    Filesize

    714KB

    MD5

    e8309eea51709d161239f8cfa8204c9d

    SHA1

    257e7328925eefb9611c26202383e1654ecad4ba

    SHA256

    492cc934a34ed821f3d518772a492bdea99899232fcce4635cb139c12d3bc0a7

    SHA512

    2e4aa4ff63823bde4de6c6ffdfdbcc1526cea48881b695cba4c7d5d0741fbcd38013280e0d1dbb31bbcc508d14e8638b984d60e89706761de658e06c109e9244

  • /data/user/0/wave.stuff.pulse/app_DynamicOptDex/Ddq.json

    Filesize

    714KB

    MD5

    108c3fb48bea8fc93701ac7365c8785b

    SHA1

    8de749424b3a763aad2ab19ef860b6c38b3bd2a1

    SHA256

    32f827fc435d6c28701e2ab7ce4f29402727a5a42e4a359470c4b434aac3f358

    SHA512

    4fbb914dd966068fed365cee0ee7fcbc0be1e52bd82cb4f4404583a9a3f79efed6cd3453e95bbdfb4b78bbc93e40f60771594eed5464c47d1a16a5b053d565aa

  • /data/user/0/wave.stuff.pulse/app_DynamicOptDex/oat/Ddq.json.cur.prof

    Filesize

    352B

    MD5

    582d2b2ce7f2a6714f788f6b0a00edee

    SHA1

    be1a491841d2b119d6e38670c005c0c08770389a

    SHA256

    31bdc3c56d21c75fc28dedd21f2376c8bf8ed839312f4add7f212991e34ecc94

    SHA512

    8971c9e347b984941a4bf685b208231815d81c7080523dde77e22320f15c1de56039eaf035bde19bf49263a0e482b25864da183f9cb04dde9613e85fcce008a4
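The "Loads dropped Dex/Jar" signature and the Downloads listing above fit together: the sample writes a file named Ddq.json under its private app_DynamicOptDex directory, and the ART profile that then appears under oat/ is what the runtime produces after that file has been loaded as code. The two different hashes for the same Ddq.json path mean the file was written twice during the run. The script below is an added triage example, not part of the report or of any tool it references; it identifies raw DEX files by their header regardless of extension (the ".json" name is an inference from the report, not a documented format trick), validates the header's adler32 checksum and SHA-1 signature so a truncated or patched drop is flagged, and matches SHA256 and the C2 host string against the IOCs from this report. The directory layout and file contents it triages are constructed in a temporary directory for offline use; the DEX-like blob is header-valid but not loadable by ART.

```python
import hashlib
import os
import struct
import tempfile
import zlib

# IOCs copied from the report: SHA256 of the two Ddq.json drops and the C2 host.
DROPPED_SHA256 = {
    "492cc934a34ed821f3d518772a492bdea99899232fcce4635cb139c12d3bc0a7",
    "32f827fc435d6c28701e2ab7ce4f29402727a5a42e4a359470c4b434aac3f358",
}
C2_HOST = b"abindizzobremin.ml"


def parse_dex_header(data):
    """Identify a raw DEX by its header, ignoring the file extension.

    Header layout (little-endian): magic 'dex\\n' + 3-digit version + NUL at 0,
    adler32 checksum at 8 (covers offset 12 to EOF), SHA-1 signature at 12
    (covers offset 32 to EOF), file_size at 32, header_size (0x70) at 36.
    Returns (version, checksum_ok, signature_ok, size_ok) or None if not DEX.
    """
    if len(data) < 0x70 or data[:4] != b"dex\n" or data[7:8] != b"\0":
        return None
    version = data[4:7].decode("ascii", "replace")
    checksum, = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, = struct.unpack_from("<I", data, 32)
    checksum_ok = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    signature_ok = hashlib.sha1(data[32:]).digest() == signature
    return version, checksum_ok, signature_ok, file_size == len(data)


def triage_file(root, path):
    """Hash one file, classify it, and match it against the report's IOCs."""
    with open(path, "rb") as fh:
        data = fh.read()
    hdr = parse_dex_header(data)
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "path": rel,
        "sha256": sha256,
        "is_dex": hdr is not None,
        "dex_version": hdr[0] if hdr else None,
        "header_ok": bool(hdr) and all(hdr[1:]),
        # a raw DEX that does not carry the .dex extension is hiding its type
        "disguised": hdr is not None and not rel.lower().endswith(".dex"),
        "known_ioc": sha256 in DROPPED_SHA256,
        "c2_string": C2_HOST in data,
    }


def triage_dir(root):
    """Walk an app data directory and return one finding per file, keyed by relative path."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            finding = triage_file(root, os.path.join(dirpath, name))
            out[finding["path"]] = finding
    return out


def build_sample_dex(payload):
    """Constructed test input: a header-valid DEX-like blob (assumption: not loadable by ART)."""
    blob = bytearray(0x70) + payload
    blob[0:8] = b"dex\n035\0"
    struct.pack_into("<I", blob, 32, len(blob))     # file_size
    struct.pack_into("<I", blob, 36, 0x70)          # header_size
    struct.pack_into("<I", blob, 40, 0x12345678)    # endian_tag
    blob[12:32] = hashlib.sha1(blob[32:]).digest()  # signature first ...
    struct.pack_into("<I", blob, 8, zlib.adler32(blob[12:]) & 0xFFFFFFFF)  # ... then checksum
    return bytes(blob)


def run_demo():
    """Recreate the report's app_DynamicOptDex layout with constructed files and triage it."""
    root = tempfile.mkdtemp(prefix="wave.stuff.pulse_")
    dyn = os.path.join(root, "app_DynamicOptDex")
    os.makedirs(os.path.join(dyn, "oat"))
    good = build_sample_dex(b"\0" * 64 + b"http://" + C2_HOST + b"\0")
    tampered = bytearray(good)
    tampered[0x70 + 5] ^= 0xFF                       # one flipped byte breaks checksum and signature
    with open(os.path.join(dyn, "Ddq.json"), "wb") as fh:
        fh.write(good)
    with open(os.path.join(dyn, "Ddq_tampered.json"), "wb") as fh:
        fh.write(tampered)
    with open(os.path.join(dyn, "oat", "Ddq.json.cur.prof"), "wb") as fh:
        fh.write(b"pro\x00010\x00" + b"\0" * 32)     # stand-in for the ART profile, not a DEX
    return triage_dir(root)


if __name__ == "__main__":
    for path, f in sorted(run_demo().items()):
        flags = [k for k in ("is_dex", "disguised", "header_ok", "known_ioc", "c2_string") if f[k]]
        print(f"{path:45} {f['sha256'][:16]}  {' '.join(flags)}")
```

Run against a real pull of /data/user/0/wave.stuff.pulse/ by calling triage_dir on that directory instead of run_demo; the constructed blob will never match the report's SHA256 values, which is the point of the known_ioc field: only the genuine drops hash to them. A DEX whose header fails the checksum or signature check is either truncated in transit or was patched after dexopt, and is worth a second look rather than being discarded.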