Analysis

  • max time kernel
    155s
  • max time network
    134s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240221-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240221-en, locale:en-us, os:android-11-x64, system
  • submitted
    16-03-2024 22:10

General

  • Target

    cf326fbe332f899b85f210dbee70dbca.apk

  • Size

    3.4MB

  • MD5

    cf326fbe332f899b85f210dbee70dbca

  • SHA1

    835ff482e4c037e8f5aa66bcf6dc4ac83abea6a0

  • SHA256

    1122a8215822a30c43ad684be7a2c8e4e4733d12b7e5a3aea4b570dc807ce8f1

  • SHA512

    f7c9227cd1e9b92a960c027fe998aa191ee31e0898d27ffeeba05e6c4b20aaf3c87fbe3be5e915c37f041ec36d190c89e7a75125b75558caf499f130d4df6f79

  • SSDEEP

    98304:c+RoZL1TRC1xLRffffTeipEXg/B0aLkjyn05Bv0azfkj:c+RoF1TRWlT2Xg/LYyn05Bsifw

Malware Config

Extracted

Family

alienbot

C2

http://mysqlsystem.com

Signatures

  • Alienbot

    Alienbot is a fork of the Cerberus banker, first seen in January 2020.

  • Cerberus

    An Android banker that has been rented to threat actors since 2019.

  • Cerberus payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 1 TTPs 8 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

Processes

  • spot.mistake.apart
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4456

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/spot.mistake.apart/app_DynamicOptDex/Xk.json

    Filesize

    725KB

    MD5

    8a31b0ea54e8991589f79d8a52d5552e

    SHA1

    bca8c0129e19757094a04e1d2e32511f9395af96

    SHA256

    f43a4ddd98a94712f15b813dd2b48b1b1aaebfd201f51cfc918e9e81125c287c

    SHA512

    09ef9e9e10e897a924e7f9a5c8b4ffb8d2723408136e28b4026f704dd3f7f5a33d0ac3b17c5687b284fcd9fdded8bf42d49ad56c472c86ca6a16ddbd486a08d6

  • /data/user/0/spot.mistake.apart/app_DynamicOptDex/Xk.json

    Filesize

    725KB

    MD5

    7dbc3f9c9f85779869e8a4ea0c2a9780

    SHA1

    ffc759d8c5e0fe8b9e72f4224b4c07e7c70e8bd9

    SHA256

    4343c7feefd68663faabaeaf8d65220c2545f136bd86064f50e1e14ecdd4e9c2

    SHA512

    17e01545edd1edcb911b460c7c5dc330e0a9d8c48af2f9346cbfeb61b399c37f5bbe2f0a4bb6644f61f2446c2141471a3ecdec55cd14a3c20c301095559b018d

  • /data/user/0/spot.mistake.apart/app_DynamicOptDex/oat/Xk.json.cur.prof

    Filesize

    336B

    MD5

    63b645f03c28260eefd63f63bfc862a2

    SHA1

    cc801cc088aa33a0a74ddafdc1cbaff74b40ce8a

    SHA256

    71027a6a458e69e59838f651354de8b5263754846ec236a7bcc77e5e05234c19

    SHA512

    5e9a9c5beb7dd2276ad76f6717c51ade6d4c8cf7c89d1d35c8b80cc512eacd52079da337103840bc5198f8780140b0fec46ca15a862741ffeef5b36cdae3807a