Analysis

max time kernel: 3675380s
max time network: 151s
platform: android_x64
resource: android-x64-arm64-20231215-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20231215-en, locale:en-us, os:android-11-x64, system
submitted: 31-12-2023 06:27

Static task: static1

Behavioral task: behavioral1
  Sample: 2bb048ef6c2ae453237650763f4ee065.apk
  Resource: android-x86-arm-20231215-en

Behavioral task: behavioral2
  Sample: 2bb048ef6c2ae453237650763f4ee065.apk
  Resource: android-x64-20231215-en
General

Target: 2bb048ef6c2ae453237650763f4ee065.apk
Size: 3.1MB
MD5: 2bb048ef6c2ae453237650763f4ee065
SHA1: eeb2a442ef58b2f3abeae720f15bc5058924ccd0
SHA256: 83934375e68f23ced6f95e54354577f2fa3278b7098b28687f5c38f2ace053f5
SHA512: d78a1c6ead06aeb33b6cca7d5a339583bab49f338ad42e233d13773248c6434a9f5b3f23a68f8fa79160c4c35141e1f02f5a2b2f34ff15babe24f8237268b893
SSDEEP: 98304:MTQpH215uQA20mL96k4Ri/RQKPAt2IZ8U0:MTYmAQA2rL9eipbPAtQ
Malware Config

Extracted (the report lists the same configuration twice, identically)
  family: alienbot
  C2: http://abindizzobremin.ml
Signatures

Alienbot
Alienbot is a fork of the Cerberus banker, first seen in January 2020.

Cerberus payload (1 IoC)
  resource: /data/user/0/wave.stuff.pulse/app_DynamicOptDex/Ddq.json
  yara_rule: family_cerberus

Makes use of the framework's Accessibility service (2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  process: wave.stuff.pulse

  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  process: wave.stuff.pulse

Processes (signature heading not preserved in this extract)
  pid: 4614  process: wave.stuff.pulse  (8 identical rows)

Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/wave.stuff.pulse/app_DynamicOptDex/Ddq.json  pid: 4614  process: wave.stuff.pulse
  ioc: /data/user/0/wave.stuff.pulse/app_DynamicOptDex/Ddq.json  pid: 4614  process: wave.stuff.pulse
Note that the dropped file is loaded as DEX code even though it carries a .json extension; the extension is cosmetic, and the same path is the one the family_cerberus YARA rule matched above.

Acquires the wake lock (1 IoC)
  description: Framework service call  ioc: android.os.IPowerManager.acquireWakeLock  process: wave.stuff.pulse

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 IoC)
  description: Intent action  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  process: wave.stuff.pulse
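The behavioural signatures above (accessibility-service abuse, dynamic loading of a dropped DEX, wake-lock acquisition, the battery-optimization bypass intent) can be re-derived from raw sandbox events and turned into a hunt-ready IoC bundle. The following is an added example for this page, not Triage's own signature code: the event rows and the Malware Config text are constructed to mirror the report's description/ioc/process layout (plus one benign row, com.example.benign, to show a non-match), and the rule predicates and the "non-code extension" heuristic are this example's own.

```python
"""Re-derive the report's behavioural signatures from raw sandbox events and
bundle the resulting IoCs for hunting.

Added example for this page, not Triage's own signature code. SAMPLE_EVENTS
and SAMPLE_CONFIG are constructed to mirror the report's
(description, ioc, process) rows and its Malware Config block, plus one
benign row (com.example.benign) that matches nothing. The rule predicates and
the non-code-extension heuristic are this example's own.
"""
import json
import posixpath
import re
from collections import defaultdict

# Suffixes Android class loaders are normally handed. A dropped file loaded as
# code under any other suffix (the report's Ddq.json) is a DEX in disguise.
CODE_SUFFIXES = {".dex", ".jar", ".apk", ".zip", ".odex"}

# Constructed events in the report's "description / ioc / process" layout.
SAMPLE_EVENTS = [
    ("Framework service call",
     "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId",
     "wave.stuff.pulse"),
    ("Framework service call",
     "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId",
     "wave.stuff.pulse"),
    ("Framework service call", "android.os.IPowerManager.acquireWakeLock", "wave.stuff.pulse"),
    ("Intent action", "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", "wave.stuff.pulse"),
    ("Loads dropped Dex/Jar", "/data/user/0/wave.stuff.pulse/app_DynamicOptDex/Ddq.json", "wave.stuff.pulse"),
    # Constructed benign noise: an ordinary app checking its sync setting.
    ("Framework service call", "android.content.IContentService.getSyncAutomatically", "com.example.benign"),
]

# Constructed copy of the report's Malware Config block.
SAMPLE_CONFIG = "Extracted\nalienbot\nhttp://abindizzobremin.ml\n"

# Rule name -> predicate over one (description, ioc, process) row. Names follow
# the report's signature headings; the predicates are this example's.
RULES = {
    "Makes use of the framework's Accessibility service": lambda d, i, p:
        d == "Framework service call"
        and i.startswith("android.accessibilityservice.IAccessibilityServiceConnection."),
    "Acquires the wake lock": lambda d, i, p:
        d == "Framework service call" and i == "android.os.IPowerManager.acquireWakeLock",
    "Requests disabling of battery optimizations": lambda d, i, p:
        d == "Intent action" and i == "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "Loads dropped Dex/Jar": lambda d, i, p:
        d == "Loads dropped Dex/Jar",
    # Heuristic added here: dropped code whose file name hides that it is code.
    "Loads dropped code under a non-code extension (heuristic)": lambda d, i, p:
        d == "Loads dropped Dex/Jar"
        and posixpath.splitext(i)[1].lower() not in CODE_SUFFIXES,
}


def evaluate(events):
    """Return {signature: [ioc, ...]} for every rule that fires at least once."""
    hits = defaultdict(list)
    for desc, ioc, proc in events:
        for name, pred in RULES.items():
            if pred(desc, ioc, proc):
                hits[name].append(ioc)
    return dict(hits)


def c2_hosts(config_text):
    """Pull the C2 host(s) out of a Malware Config block (URL lines only)."""
    return sorted({m.group(1) for m in re.finditer(r"https?://([^\s/]+)", config_text)})


def ioc_bundle(events, config_text):
    """Collapse signature hits and extracted config into hunt-ready sets."""
    hits = evaluate(events)
    flagged = {p for d, i, p in events if any(r(d, i, p) for r in RULES.values())}
    return {
        "c2_hosts": c2_hosts(config_text),
        "dropped_code_paths": sorted(set(hits.get("Loads dropped Dex/Jar", []))),
        "processes": sorted(flagged),
        "signatures": {name: len(iocs) for name, iocs in hits.items()},
    }


if __name__ == "__main__":
    print(json.dumps(ioc_bundle(SAMPLE_EVENTS, SAMPLE_CONFIG), indent=2))
```

Run against the constructed rows, the accessibility rule fires twice (matching the report's "2 IoCs"), the benign row fires nothing, and the heuristic flags Ddq.json because a file handed to a DEX loader should not be a .json. The bundle is what you would feed into a blocklist or a hunt query: the C2 host, the dropped-code path, and the package name.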
Downloads

Filesize: 714KB
MD5: e8309eea51709d161239f8cfa8204c9d
SHA1: 257e7328925eefb9611c26202383e1654ecad4ba
SHA256: 492cc934a34ed821f3d518772a492bdea99899232fcce4635cb139c12d3bc0a7
SHA512: 2e4aa4ff63823bde4de6c6ffdfdbcc1526cea48881b695cba4c7d5d0741fbcd38013280e0d1dbb31bbcc508d14e8638b984d60e89706761de658e06c109e9244

Filesize: 714KB
MD5: 108c3fb48bea8fc93701ac7365c8785b
SHA1: 8de749424b3a763aad2ab19ef860b6c38b3bd2a1
SHA256: 32f827fc435d6c28701e2ab7ce4f29402727a5a42e4a359470c4b434aac3f358
SHA512: 4fbb914dd966068fed365cee0ee7fcbc0be1e52bd82cb4f4404583a9a3f79efed6cd3453e95bbdfb4b78bbc93e40f60771594eed5464c47d1a16a5b053d565aa

Filesize: 352B
MD5: 582d2b2ce7f2a6714f788f6b0a00edee
SHA1: be1a491841d2b119d6e38670c005c0c08770389a
SHA256: 31bdc3c56d21c75fc28dedd21f2376c8bf8ed839312f4add7f212991e34ecc94
SHA512: 8971c9e347b984941a4bf685b208231815d81c7080523dde77e22320f15c1de56039eaf035bde19bf49263a0e482b25864da183f9cb04dde9613e85fcce008a4