Analysis

  • max time kernel
    144s
  • max time network
    155s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted
    07-04-2024 19:30

General

  • Target

    e5b027f80c3acb8eb4c59cc23c0942c3_JaffaCakes118.apk

  • Size

    3.2MB

  • MD5

    e5b027f80c3acb8eb4c59cc23c0942c3

  • SHA1

    fb45ea1bf19cab34ec464b97802f59b9b45073ec

  • SHA256

    a6c11288cb0d8c5129e3cf3b3ab1cb4263b2344acc884dff9da5dbf1027d0b42

  • SHA512

    5c7b0f4cf7b7212dc7b0cd56f3a8459af5a881a375bf3ff0e1ebe58b099fa21c5b39e95cfda703493157c3c56b73504d8b7b8c242c294decdd6ef248cc7897dd

  • SSDEEP

    98304:UlrkoY6RaHiXnQz9raUy7m5qjosXjDExFDEyR:mRRnQtaUscsX/sF4yR

Malware Config

Extracted

Family

alienbot

C2

http://34.89.151.222

rc4.plain

Signatures

  • Alienbot

    Alienbot is a fork of the Cerberus banker, first seen in January 2020.

  • Cerberus

    An Android banker that has been rented out to actors since 2019.

  • Cerberus payload (2 IoCs)
  • Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)

    Checks CPU information that indicates whether the system is an emulator.

  • Checks memory information (2 TTPs, 1 IoC)

    Checks memory information that indicates whether the system is an emulator.

  • Loads dropped Dex/Jar (1 TTP, 3 IoCs)

    Runs an executable file dropped onto the device during analysis.

  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to keep running in the foreground.

  • Queries account information for other applications stored on the device (1 TTP, 1 IoC)

    The application may abuse the framework's APIs to collect account information stored on the device.

  • Acquires the wake lock (1 IoC)
  • Requests disabling of battery optimizations, often used to enable hiding in the background (1 TTP, 1 IoC)

Processes

  • federal.label.business
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries account information for other applications stored on the device.
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4181
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/federal.label.business/app_DynamicOptDex/ANdqeJl.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/federal.label.business/app_DynamicOptDex/oat/x86/ANdqeJl.odex --compiler-filter=quicken --class-loader-context=&
      (child of PID 4181)
      • Loads dropped Dex/Jar
      PID:4237

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/federal.label.business/app_DynamicOptDex/ANdqeJl.json

    Filesize

    701KB

    MD5

    51683c97df89913c45ee98a4a9dc3874

    SHA1

    993df072352c763e7d12d79ba3b1a4f8f63b5829

    SHA256

    01bbd89c5c822c856bbabad1eeb6c4c2a7cab45512d88390a5088b0b693e3a68

    SHA512

    2570d649886befbaa31ea32d64f5cb1fb79cb658ce61fc73680a226bc6cf2116edef5f4eea9fc81e9ff8fe8fed4ff2143cb984e7cca38f55ac6b58e58d80c38a

  • /data/data/federal.label.business/app_DynamicOptDex/ANdqeJl.json

    Filesize

    701KB

    MD5

    0b0e52335bcc93ee0988288bac651d1c

    SHA1

    2d41d3110f778342b9f71212fe457614791acfae

    SHA256

    578886f1bb2b34b1af170daa71c691121dad284e8b0dc211c94c51ea52bd1d1a

    SHA512

    7c4a4b4f2f4b46a9177226d5006b66c7ac7ab7aed31c1ceb43535a93c8c4351fc28c73d5ada8bc7194ba4201bebc350c14f80293da059b02d64050f34c4d6b20

  • /data/data/federal.label.business/app_DynamicOptDex/oat/ANdqeJl.json.cur.prof

    Filesize

    517B

    MD5

    fe5232541ac7d7c33f22f2b61a254a61

    SHA1

    1b1e6b656eb710517d5b8598aed3f2be2c932480

    SHA256

    b3b6d55257a96c14c55c5591a92892c85d77127aa9b95ba0ff3b82ba8d99e956

    SHA512

    32595af30e314358b601802b7645eabe71c3c3bf6bae43d5c97a7d7add6610e4e1b1298cc4d4119b227e203c29d3f389a34214157dd5a3785fb359512dd2ce51

  • /data/user/0/federal.label.business/app_DynamicOptDex/ANdqeJl.json

    Filesize

    701KB

    MD5

    7cba2a89ed5ff5a94fbbb0e80d4f0c53

    SHA1

    d0cadeae5085c7c55ccc243ee155b9a1a96a2506

    SHA256

    dd2fb4773e5d3147e9d6e874d1c2bfe3b058aa41b7de79ed58048bdea256bb6e

    SHA512

    57ae5e3e41af4965606f33a03563adf7a145953986bd7693e7e886057b8812bd0dd4b936f881ce19f1f1c5b2f96cb3ca27062f0f498e768dd00d4c8e9cc7204e