Overview

overview

10

Static

static

6

e5b027f80c...18.apk

android-9-x86

10

e5b027f80c...18.apk

android-10-x64

10

e5b027f80c...18.apk

android-11-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e5b027f80c3acb8eb4c59cc23c0942c3_JaffaCakes118

  • Size

    3.2MB

  • Sample

    240407-x7s5zscc8s

  • MD5

    e5b027f80c3acb8eb4c59cc23c0942c3

  • SHA1

    fb45ea1bf19cab34ec464b97802f59b9b45073ec

  • SHA256

    a6c11288cb0d8c5129e3cf3b3ab1cb4263b2344acc884dff9da5dbf1027d0b42

  • SHA512

    5c7b0f4cf7b7212dc7b0cd56f3a8459af5a881a375bf3ff0e1ebe58b099fa21c5b39e95cfda703493157c3c56b73504d8b7b8c242c294decdd6ef248cc7897dd

  • SSDEEP

    98304:UlrkoY6RaHiXnQz9raUy7m5qjosXjDExFDEyR:mRRnQtaUscsX/sF4yR

Score
10/10
alienbotcerberusandroidbankercollectiondiscoveryevasioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://34.89.151.222

rc4.plain

Extracted

Family

alienbot

C2

http://34.89.151.222

Targets

    • Target

      e5b027f80c3acb8eb4c59cc23c0942c3_JaffaCakes118

    • Size

      3.2MB

    • MD5

      e5b027f80c3acb8eb4c59cc23c0942c3

    • SHA1

      fb45ea1bf19cab34ec464b97802f59b9b45073ec

    • SHA256

      a6c11288cb0d8c5129e3cf3b3ab1cb4263b2344acc884dff9da5dbf1027d0b42

    • SHA512

      5c7b0f4cf7b7212dc7b0cd56f3a8459af5a881a375bf3ff0e1ebe58b099fa21c5b39e95cfda703493157c3c56b73504d8b7b8c242c294decdd6ef248cc7897dd

    • SSDEEP

      98304:UlrkoY6RaHiXnQz9raUy7m5qjosXjDExFDEyR:mRRnQtaUscsX/sF4yR

    Score
    10/10
    alienbotcerberusbankercollectiondiscoveryevasioninfostealerpersistenceratstealthtrojan

    • Alienbot

      Alienbot is a fork of Cerberus banker first seen in January 2020.

      bankertrojaninfostealeralienbot

    • Cerberus

      An Android banker that is being rented to actors beginning in 2019.

      bankertrojaninfostealerevasionratcerberus

    • Cerberus payload

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectionevasion

    • Removes its main activity from the application launcher

      stealthtrojanevasion

    • Checks CPU information

      Checks CPU information which indicate if the system is an emulator.

      evasiondiscovery

    • Checks memory information

      Checks memory information which indicate if the system is an emulator.

      evasiondiscovery

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Queries account information for other applications stored on the device.

      Application may abuse the framework's APIs to collect account information stored on the device.

      collection

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Acquires the wake lock

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      evasion
    behavioral1behavioral2behavioral3

MITRE ATT&CK Matrix

Tasks