Analysis
-
max time kernel
144s -
max time network
150s -
platform
android_x86 -
resource
android-x86-arm-20240221-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system -
submitted
13-03-2024 09:42
Static task
static1
Behavioral task
behavioral1
Sample
c58cb2d542178830e7d1a52227116256.apk
Resource
android-x86-arm-20240221-en
Behavioral task
behavioral2
Sample
c58cb2d542178830e7d1a52227116256.apk
Resource
android-x64-20240221-en
Behavioral task
behavioral3
Sample
c58cb2d542178830e7d1a52227116256.apk
Resource
android-x64-arm64-20240221-en
General
-
Target
c58cb2d542178830e7d1a52227116256.apk
-
Size
3.4MB
-
MD5
c58cb2d542178830e7d1a52227116256
-
SHA1
741f00d6ea8150d2baa39f27ca74c867284f993b
-
SHA256
59b0c482d02ef1211b936a329a99819f7c3c603808960b53eca558f293362c85
-
SHA512
36461b81c8dbb3fd5e3ded0d948a58b0f61e96753d4525fa0ce7671bef62078aeb69a292ccbf65071394d7bbec3277a3cec257a892f253cc86558bcb1c6d5657
-
SSDEEP
98304:4BoZZDIoNryzla4dBh1TL4bXmB4lAKW+PMTb721:4BoLIoYlHdBh1TLCXmB4l1Wr+1
Malware Config
Extracted
alienbot
http://34.141.27.218
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Cerberus payload 2 IoCs
resource yara_rule behavioral1/files/fstream-2.dat family_cerberus behavioral1/memory/4269-1.dex family_cerberus -
Makes use of the framework's Accessibility service 2 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId glove.resist.bring Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId glove.resist.bring -
pid Process 4269 glove.resist.bring -
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json 4269 glove.resist.bring /data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json 4294 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/glove.resist.bring/app_DynamicOptDex/oat/x86/XSAyu.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json 4269 glove.resist.bring -
Requests enabling of the accessibility settings. 1 IoCs
description ioc Process Intent action android.settings.ACCESSIBILITY_SETTINGS glove.resist.bring -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS glove.resist.bring
Processes
-
glove.resist.bring1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4269 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/glove.resist.bring/app_DynamicOptDex/oat/x86/XSAyu.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4294
-
Network
MITRE ATT&CK Mobile v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
708KB
MD5bea250ccba37ddcf3b0017e8731ce3a9
SHA1bfd2e049b89dfb856ee8e7425ad8aa82409fd144
SHA25604af61af06f512f39157a4aa3a200d0cf83f5985639837fdf87abe18f4d38699
SHA51285604f40c8b84b2123721648a849660e723d87fef26aa250e2d0ac35c433d912d48addc32e0aeed4c74e294780c43a84e5a19aaa7eceb30ab87a7261137d2848
-
Filesize
708KB
MD5cc0be1e0e8d8e477fcc17b3b0888953e
SHA179f8d1fbbcb54c34f3642289e9f10eeee696efbe
SHA2562a4e4e568eb7eba81075ed151763466d6505a4cb9ee9e447f373eb1a40bc1bc7
SHA5122982a62c5949e72d4dabd143a1ed305f532811f4ff2cb78bf54a2e04c47c38164cb6183e92e8d01c2b7a416e5fb1b7749cd2be0be7dfa7c1b1a8bbe0756ab9ce
-
Filesize
485B
MD547b68ab3b097174aa08bc259c62c8a69
SHA189a181690204818ffdfc01cb4e4dc14779d453df
SHA256090bb13dc8e1ac3054ae9a584184bebeb98f6def1af465701f439fdac0ead090
SHA5120710bd9a9cb2408598a5e09d6f2172683a9285ba61f95cda5a0bdec249c3a74d2bb9109f62a5ea24d56766e3a802f9f15ae9afc32630876b4a1d9740a9d7e3d8
-
Filesize
708KB
MD5c80ab914d8587d9c3acc31807e8359c7
SHA1858e9e79cfe8cf4d05a2dad8e24d44c9980003d6
SHA256fef7f83b50a0e96ed4f3260f54e8dabaac5790430a718e2ca035e297f6f2ccf0
SHA512f635e4e1f1c39d03b8782fdfc5f9712d1e383837711528ccdf8193e42cd8ec841dec798b95cc7fb1497fcaadc8d983ec3023233e28d3ad825600e938a57079b9