Analysis
-
max time kernel
21s -
max time network
162s -
platform
android_x64 -
resource
android-x64-20240221-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system -
submitted
10-03-2024 22:03
Static task
static1
Behavioral task
behavioral1
Sample
c737418c4c5f2791006f78249a005fed2106d7c332031f11fb240e2a3b02eff2.apk
Resource
android-x86-arm-20240221-en
Behavioral task
behavioral2
Sample
c737418c4c5f2791006f78249a005fed2106d7c332031f11fb240e2a3b02eff2.apk
Resource
android-x64-20240221-en
Behavioral task
behavioral3
Sample
c737418c4c5f2791006f78249a005fed2106d7c332031f11fb240e2a3b02eff2.apk
Resource
android-x64-arm64-20240221-en
General
-
Target
c737418c4c5f2791006f78249a005fed2106d7c332031f11fb240e2a3b02eff2.apk
-
Size
1.5MB
-
MD5
ffa54751315a246d14b966230632a6d7
-
SHA1
2e7549273d71654567dae8b71270e5ad50fc93db
-
SHA256
c737418c4c5f2791006f78249a005fed2106d7c332031f11fb240e2a3b02eff2
-
SHA512
6df02db6a7c23ef59e5c0800e97f4c5399f617bb5ca3e2fcc3d5723105b99f28a946b7c45bafe1501b53e4f62b9380467198a0c02d8a40d13c0c13fb79e4f1f0
-
SSDEEP
24576:Ff6RGkqHcKx4SpCMSe7vkVMSv3g/+BnZ67IOtNKeTMxg7Hnu:FfqGkq8enpPSeK3bZoIOtNKeQa7Hu
Malware Config
Extracted
eventbot
http://pub.welcometothepub.com/gate_cb8a5aea1ab302f0_c
http://marta.martatovaglieri.it/gate_cb8a5aea1ab302f0_c
Signatures
-
EventBot
A new Android banking trojan started to appear in March 2020.
-
Makes use of the framework's Accessibility service 2 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs
Processes:
com.d06fd321.f177b304e2c0.ae3ca3f4description ioc process Framework service call android.content.pm.IPackageManager.getInstalledApplications com.d06fd321.f177b304e2c0.ae3ca3f4 -
Processes:
com.d06fd321.f177b304e2c0.ae3ca3f4pid process 5032 com.d06fd321.f177b304e2c0.ae3ca3f4 -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.d06fd321.f177b304e2c0.ae3ca3f4ioc pid process /data/user/0/com.d06fd321.f177b304e2c0.ae3ca3f4/app_dex/f2d49596a51f0ed43a27f1f7f85117.jar 5032 com.d06fd321.f177b304e2c0.ae3ca3f4 -
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs
Processes:
com.d06fd321.f177b304e2c0.ae3ca3f4description ioc process Framework API call javax.crypto.Cipher.doFinal com.d06fd321.f177b304e2c0.ae3ca3f4
Processes
-
com.d06fd321.f177b304e2c0.ae3ca3f41⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.d06fd321.f177b304e2c0.ae3ca3f4/app_dex/f2d49596a51f0ed43a27f1f7f85117.jarFilesize
46KB
MD59ffa20cbdb632e72222bdf2d1c89bdbb
SHA12f41f99b936b1fd0382452b175d9e2e0f70ae4df
SHA256b3a0692eddbb3a03a3913904d16b2d5bf335264efa494171840eaf50c683a76d
SHA512829a9f8967ab363a54ecb8dd4dc303ba6f15b7e8d10323ccca3e82ba4df01d46e9f5c23015971df14483b50eec4e88b4af4deb2d27c9523f4ad4da3b0c323124
-
/data/user/0/com.d06fd321.f177b304e2c0.ae3ca3f4/app_dex/f2d49596a51f0ed43a27f1f7f85117.jarFilesize
113KB
MD5929bc0f1e14c153be1dbe6ad1bc84b9e
SHA19ffdd62b369aa4ce9c6ac6964059e3107f817d36
SHA256b13b1a1d4c156147af1f8dae31f7bfaa7f509d27ecb190a4d033bbd7faac145e
SHA5128f4b94c3177b4356bc960f7364beeaaf81845a5bc38d2bbdb4ac84365bb05e3e9ba8cecbaf97aa20249f4133280f058e0cd2813825f4555a2e35eb5766b0c392