Overview

overview

10

Static

static

6

9e9b4280d0...18.apk

android-9-x86

10

9e9b4280d0...18.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    135s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    03-04-2024 03:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e9b4280d0e4b94e83becc8815b86d6b_JaffaCakes118.apk

  • Size

    3.6MB

  • MD5

    9e9b4280d0e4b94e83becc8815b86d6b

  • SHA1

    65aabe741b47a842f0b49c698549de18d3be40a7

  • SHA256

    165aac61794ce24b3d51da7a23c976e7c54a37b5c8840dabd39bf6c2d7e213db

  • SHA512

    1e7c71e29aa9dcfd77779a442bd5bc9dacf3cf469d0a8d0b2b7417225a3035e0bc85d131e55d51a5e314381a2b7371e887ec5deaba75ea2e7ac03babaa5386db

  • SSDEEP

    98304:1y8FTK87K4SzY5rtjo9vRG5fw3X08B43slEW6rjj20v:o8Fm14KwaX08B59yOY

Score
10/10
alienbotbankercollectionevasioninfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://asbyow8su7h3i0mdydz1.xyz

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 3 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion

Processes

  • supporter.safely.daily
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4285
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/supporter.safely.daily/app_DynamicOptDex/rlCkf.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/supporter.safely.daily/app_DynamicOptDex/oat/x86/rlCkf.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4310

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/supporter.safely.daily/app_DynamicOptDex/oat/rlCkf.json.cur.prof
    Filesize

    1KB

    MD5

    5a1eebaa9c83e255caf0c98facf61f7a

    SHA1

    306cb4ed1b8517ea924428ebce9f98bf5b97395c

    SHA256

    4e10eb46ca8972e7c7b3f4dd1fc862e981e55cee5020b67dc68272fed8f3de31

    SHA512

    cd99f90cfde95886a0d2ead257e080d584eed47e8c4f31bf1f516bfb25319ba9738e2658aa1fb9889c52a590f396ddb96de051585445ed78808dd1ca7d73492a

    Download Submit

  • /data/data/supporter.safely.daily/app_DynamicOptDex/rlCkf.json
    Filesize

    615KB

    MD5

    84e2ed415f1a04ac6c452ce2cd719a34

    SHA1

    77ace87a8be41cff713c3e04d704b23b1089020a

    SHA256

    126a7508edbee01b9273ef617c22f5864b824d172f4a7b0388581c163dbd0db9

    SHA512

    864fdc3b00f3894ec09c52e07890e2f6ed1803b08d412598c6ea8ef00b2c6e069c108b307e498f1c0af61ecd922ff428983a25daaa0c14e199cc38d1dac3f7c1

    Download Submit

  • /data/data/supporter.safely.daily/app_DynamicOptDex/rlCkf.json
    Filesize

    615KB

    MD5

    1505262030cc601edec2ea89de5ffbb7

    SHA1

    820f153f4a8fea4e0f4e7bfae080984d4e402f4b

    SHA256

    50dacbd03b81176c55b2993579a17b9e8d9089b1f4c1f416989c8807fe9158ec

    SHA512

    019fae465bbffd9f3e2dc09fd8e9d41cfa558dea5b9fc5f8db701d719142f8b6f67a5fcd698672fc916483dbc115755a6dbe9fdc0c8b10361d00ef0221e9ee44

    Download Submit

  • /data/user/0/supporter.safely.daily/app_DynamicOptDex/rlCkf.json
    Filesize

    767KB

    MD5

    25d1352ddb32e97dfc98634440e49001

    SHA1

    66235ae2d9332c504ae671ecd0c84a05dadd7077

    SHA256

    1725c29b92cf01fb36a90acf88b380057c938265866a05b750e0a3caa1eec99f

    SHA512

    293fec9ecc63f15aac59c5186131675f73751e63cd891d5bd22f104b29d75b058d0dd507f4d1741f4c6b1b7d3a209999d409d4d09359f95fdd60e73e74bc8740

    Download Submit

  • /data/user/0/supporter.safely.daily/app_DynamicOptDex/rlCkf.json
    Filesize

    767KB

    MD5

    7cc781e7c4b21f4203dcbe028426e3b5

    SHA1

    180fcfd16b252479abb7166cdb305d19bff494a5

    SHA256

    b953da8032b7dee0bb6e3ffb1dd5822cfe80a4a38e1aa63d251d5abeb0652ed9

    SHA512

    b96eefb5ffe3f4ee982b8fc774cd9b38bce13ca7e2046f8ab8593cfe82fc46c75ea0497ac8261ac862e3ed533c6199bdd263b9f6cc8d9d396ef5b441d3d5d70c

    Download Submit