Analysis
-
max time kernel
4030867s -
max time network
137s -
platform
android_x86 -
resource
android-x86-arm-20231215-en -
resource tags
-
submitted
09-01-2024 22:01
General
-
Target
6303d0ea4311fa394008b6c9025ea432f5f50008687d40662d806a9790602b0e.apk
-
Size
3.3MB
-
MD5
c87881f61bc910d3ea2f3d4a5d1a5441
-
SHA1
443205431f54a41558d92d930e0c18787f2fe85f
-
SHA256
6303d0ea4311fa394008b6c9025ea432f5f50008687d40662d806a9790602b0e
-
SHA512
bfa1df7da152b498503e30ee78d6ed557b752a629dc11402674580c895489b4ae87c18376c87fa73693dfb80e92cb7cc150a362d28edf4b4d3d36932619b8602
-
SSDEEP
98304:q4p3pFvQy78F2y/xLDoMu2wYIromgnWRC:q41F784y/hxuXBrgWRC
Malware Config
Extracted
alienbot
http://guiopl.ga
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Cerberus payload 2 IoCs
-
Makes use of the framework's Accessibility service 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Removes its main activity from the application launcher 1 IoCs
-
Checks Android system properties for emulator presence. 1 IoCs
-
Loads dropped Dex/Jar 3 IoCs
Runs executable file dropped to the device during analysis.
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
Processes
-
twice.wheat.ceiling1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks Android system properties for emulator presence.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/twice.wheat.ceiling/app_DynamicOptDex/WFnOKW.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/twice.wheat.ceiling/app_DynamicOptDex/oat/x86/WFnOKW.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
688KB
MD59f0aaa55342abf6283c6153130ac57b3
SHA13680269cfc230c72c7c89ba5aafb58b7d30a55fc
SHA25606cf80e5e582fcc9c2cc062f7916712fd49fb972fbfaae8b8c81fd56e9de4d62
SHA51261251b09c3f652c6d4bf48ec66be5a00e44f3a7c59594ab27cd0520eee75af5f2e3680602eac3c22a154d1740ad7a8a0a2366ed6fc9ba1a82c4dc05da78864a5
-
Filesize
688KB
MD5058be3b4f353d6743b9a40b5a093755e
SHA172e26de59bb09d3704665bf61a144f823d5b5a6d
SHA256426aecdeef82dac72b65d72472bbc90882ae3eb40808e19e93730c42d7b40c5f
SHA5126e402bcc8391f59096a0e75707f0a847f8889b34b57b50fefdfcdcc97ba3a0388618cfe0c34505492e56aafbd43aab3367a7a21a8e56e3459208d1f9acdd4cca
-
Filesize
422B
MD565f1e397055b8e47d31662cd1f8f4042
SHA18fba6ce2e9faa6ec638eac217e16b07727beafc3
SHA2569ce195e732b9cec587681bf40f7c49024d6df83c8f3d37de946d9f6e53eaaac5
SHA512d2c0a51c6926896cc02a818bbaff0a747e18406f3d2caac473f960397eba42867c77520a02f7553d26891f452f939c9780c35a778eea477439092d32fc9f3825
-
Filesize
688KB
MD5aa6397374904894ee4ca43b059bb12dd
SHA1e53558d9d49719b16ce7f8e83093582f2680f3e3
SHA2566565102ee39fc07281f735e1f026205501ae2266abff4148bee3ec4a623f1843
SHA5128bb033b17a5edfc29e9b1616b7a46dfa8a46e8b4b4004fc9bd84b91f56953a6dcad02bb72ac869206ac6adf7d5a8970d142c384142d42c90b3ecb20b8d26a20f