alienbot | 165aac61794ce24b3d51da7a23c976e7c54a37b5c8840dabd39bf6c2d7e213db

Analysis

max time kernel
149s
max time network
133s
platform
android_x64
resource
android-x64-arm64-20240221-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system
submitted
03-04-2024 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e9b4280d0e4b94e83becc8815b86d6b_JaffaCakes118.apk
Size

3.6MB
MD5

9e9b4280d0e4b94e83becc8815b86d6b
SHA1

65aabe741b47a842f0b49c698549de18d3be40a7
SHA256

165aac61794ce24b3d51da7a23c976e7c54a37b5c8840dabd39bf6c2d7e213db
SHA512

1e7c71e29aa9dcfd77779a442bd5bc9dacf3cf469d0a8d0b2b7417225a3035e0bc85d131e55d51a5e314381a2b7371e887ec5deaba75ea2e7ac03babaa5386db
SSDEEP

98304:1y8FTK87K4SzY5rtjo9vRG5fw3X08B43slEW6rjj20v:o8Fm14KwaX08B59yOY

Score

10^/10

alienbot banker collection evasion infostealer persistence stealth trojan

Malware Config

Extracted

Family

alienbot

http://asbyow8su7h3i0mdydz1.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	supporter.safely.daily
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	supporter.safely.daily
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	supporter.safely.daily

Removes its main activity from the application launcher 1 TTPs 3 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4472	supporter.safely.daily
4472	supporter.safely.daily
4472	supporter.safely.daily

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/supporter.safely.daily/app_DynamicOptDex/rlCkf.json	4472	supporter.safely.daily

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	supporter.safely.daily

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	supporter.safely.daily

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	supporter.safely.daily

supporter.safely.daily
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4472

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/supporter.safely.daily/app_DynamicOptDex/oat/rlCkf.json.cur.prof

Filesize
246B

MD5
f69330d998acc2ec0c352b10e671473e

SHA1
8d140c65055d5e38fc8ab05f1b5ed96b8d600d3f

SHA256
31be9c88494cb3c33cebffea78eb2805dbbcb75c8d4c6e595fbe4253fe1f6825

SHA512
7a3c1bd64b9e57de37806aa7fd4ca5e4f1479b934123947a9803904cd2b6a20774bb3be8e8b886176adf79a8634308404a9d3f6526abd8e387123d5e871171a4

Download Submit
/data/user/0/supporter.safely.daily/app_DynamicOptDex/rlCkf.json

Filesize
615KB

MD5
84e2ed415f1a04ac6c452ce2cd719a34

SHA1
77ace87a8be41cff713c3e04d704b23b1089020a

SHA256
126a7508edbee01b9273ef617c22f5864b824d172f4a7b0388581c163dbd0db9

SHA512
864fdc3b00f3894ec09c52e07890e2f6ed1803b08d412598c6ea8ef00b2c6e069c108b307e498f1c0af61ecd922ff428983a25daaa0c14e199cc38d1dac3f7c1

Download Submit
/data/user/0/supporter.safely.daily/app_DynamicOptDex/rlCkf.json

Filesize
615KB

MD5
1505262030cc601edec2ea89de5ffbb7

SHA1
820f153f4a8fea4e0f4e7bfae080984d4e402f4b

SHA256
50dacbd03b81176c55b2993579a17b9e8d9089b1f4c1f416989c8807fe9158ec

SHA512
019fae465bbffd9f3e2dc09fd8e9d41cfa558dea5b9fc5f8db701d719142f8b6f67a5fcd698672fc916483dbc115755a6dbe9fdc0c8b10361d00ef0221e9ee44

Download Submit
/data/user/0/supporter.safely.daily/app_DynamicOptDex/rlCkf.json

Filesize
767KB

MD5
7cc781e7c4b21f4203dcbe028426e3b5

SHA1
180fcfd16b252479abb7166cdb305d19bff494a5

SHA256
b953da8032b7dee0bb6e3ffb1dd5822cfe80a4a38e1aa63d251d5abeb0652ed9

SHA512
b96eefb5ffe3f4ee982b8fc774cd9b38bce13ca7e2046f8ab8593cfe82fc46c75ea0497ac8261ac862e3ed533c6199bdd263b9f6cc8d9d396ef5b441d3d5d70c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads