Analysis
max time kernel: 3761807s
max time network: 156s
platform: android_x86
resource: android-x86-arm-20231215-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
submitted: 06-01-2024 19:17
Static task: static1
Behavioral task: behavioral1
  Sample: 46fdb068ce8eda8fce387134a4fd4172.apk
  Resource: android-x86-arm-20231215-en
Behavioral task: behavioral2
  Sample: 46fdb068ce8eda8fce387134a4fd4172.apk
  Resource: android-x64-20231215-en
General
Target: 46fdb068ce8eda8fce387134a4fd4172.apk
Size: 3.3MB
MD5: 46fdb068ce8eda8fce387134a4fd4172
SHA1: 2f56a65676d377f552a86a4482ee1bf104d05b09
SHA256: 8e168f31f3bf0564d11b01e180d301f41e3582a89efc5ca15ed40a402c0ca3dd
SHA512: e34acb562bbda4702da6f83bd6c4b79aea02a0b982d8a88aadf298db27bb524220b8b7be17cddffa78f662f93d95dac118b77fe831e669a158387cdcce72ec06
SSDEEP: 49152:Hsjwrl65NLyheuX0HK/tYhZRpfO9uDtIlhf7Ln0LmeDfb6iIZtiXvDyUhVEtRGML:K5N+hbf6d3to7eme2GxhVURGAyznop
Malware Config
Extracted: alienbot
  http://34.89.151.222
Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.

Cerberus payload (2 IoCs)
  resource: behavioral1/files/fstream-2.dat    yara_rule: family_cerberus
  resource: behavioral1/memory/4239-1.dex      yara_rule: family_cerberus

Makes use of the framework's Accessibility service (2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call
    ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
    process: half.soap.civil
  description: Framework service call
    ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
    process: half.soap.civil

Removes its main activity from the application launcher
  pid: 4239    process: half.soap.civil

Loads dropped Dex/Jar (3 IoCs)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/half.soap.civil/app_DynamicOptDex/OCWRke.json
    pid: 4239    process: half.soap.civil
  ioc: /data/user/0/half.soap.civil/app_DynamicOptDex/OCWRke.json
    pid: 4266    process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/half.soap.civil/app_DynamicOptDex/OCWRke.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/half.soap.civil/app_DynamicOptDex/oat/x86/OCWRke.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/half.soap.civil/app_DynamicOptDex/OCWRke.json
    pid: 4239    process: half.soap.civil

Acquires the wake lock (1 IoC)
  description: Framework service call
    ioc: android.os.IPowerManager.acquireWakeLock
    process: half.soap.civil

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 IoC)
  description: Intent action
    ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
    process: half.soap.civil
Processes
half.soap.civil (PID 4239)
  - Makes use of the framework's Accessibility service
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Acquires the wake lock
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/half.soap.civil/app_DynamicOptDex/OCWRke.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/half.soap.civil/app_DynamicOptDex/oat/x86/OCWRke.odex --compiler-filter=quicken --class-loader-context=& (PID 4266)
    - Loads dropped Dex/Jar
Downloads