Analysis
- max time kernel: 145s
- max time network: 150s
- platform: android_x64
- resource: android-x64-20240221-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240221-en, locale:en-us, os:android-10-x64, system
- submitted: 07-04-2024 19:30
Static task
- static1
Behavioral task
- behavioral1
  - Sample: e5b027f80c3acb8eb4c59cc23c0942c3_JaffaCakes118.apk
  - Resource: android-x86-arm-20240221-en
Behavioral task
- behavioral2
  - Sample: e5b027f80c3acb8eb4c59cc23c0942c3_JaffaCakes118.apk
  - Resource: android-x64-20240221-en
Behavioral task
- behavioral3
  - Sample: e5b027f80c3acb8eb4c59cc23c0942c3_JaffaCakes118.apk
  - Resource: android-x64-arm64-20240221-en
General
- Target: e5b027f80c3acb8eb4c59cc23c0942c3_JaffaCakes118.apk
- Size: 3.2MB
- MD5: e5b027f80c3acb8eb4c59cc23c0942c3
- SHA1: fb45ea1bf19cab34ec464b97802f59b9b45073ec
- SHA256: a6c11288cb0d8c5129e3cf3b3ab1cb4263b2344acc884dff9da5dbf1027d0b42
- SHA512: 5c7b0f4cf7b7212dc7b0cd56f3a8459af5a881a375bf3ff0e1ebe58b099fa21c5b39e95cfda703493157c3c56b73504d8b7b8c242c294decdd6ef248cc7897dd
- SSDEEP: 98304:UlrkoY6RaHiXnQz9raUy7m5qjosXjDExFDEyR:mRRnQtaUscsX/sF4yR
Malware Config
Extracted
- family: alienbot
- URL: http://34.89.151.222
Signatures
- Alienbot
  Alienbot is a fork of the Cerberus banker, first seen in January 2020.
- Cerberus payload (1 IoCs)
  Processes:
  resource | yara_rule
  /data/data/federal.label.business/app_DynamicOptDex/ANdqeJl.json | family_cerberus
- Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes: federal.label.business
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | federal.label.business
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | federal.label.business
- Removes its main activity from the application launcher
  Processes: federal.label.business
  pid | process
  5092 | federal.label.business (8 identical hits)
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs an executable file dropped to the device during analysis.
  Processes: federal.label.business
  ioc | pid | process
  /data/user/0/federal.label.business/app_DynamicOptDex/ANdqeJl.json | 5092 | federal.label.business
  /data/user/0/federal.label.business/app_DynamicOptDex/ANdqeJl.json | 5092 | federal.label.business
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  The application may abuse the framework's foreground service to continue running in the foreground.
  Processes: federal.label.business
  description | ioc | process
  Framework service call | android.app.IActivityManager.setServiceForeground | federal.label.business
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  The application may abuse the framework's APIs to collect account information stored on the device.
  Processes: federal.label.business
  description | ioc | process
  Framework service call | android.accounts.IAccountManager.getAccountsAsUser | federal.label.business
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  Processes: federal.label.business
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | federal.label.business
Processes
- federal.label.business (PID: 5092)
  - Makes use of the framework's Accessibility service
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
Network
MITRE ATT&CK Mobile v15
Downloads
- Filesize: 701KB
  - MD5: 51683c97df89913c45ee98a4a9dc3874
  - SHA1: 993df072352c763e7d12d79ba3b1a4f8f63b5829
  - SHA256: 01bbd89c5c822c856bbabad1eeb6c4c2a7cab45512d88390a5088b0b693e3a68
  - SHA512: 2570d649886befbaa31ea32d64f5cb1fb79cb658ce61fc73680a226bc6cf2116edef5f4eea9fc81e9ff8fe8fed4ff2143cb984e7cca38f55ac6b58e58d80c38a
- Filesize: 701KB
  - MD5: 0b0e52335bcc93ee0988288bac651d1c
  - SHA1: 2d41d3110f778342b9f71212fe457614791acfae
  - SHA256: 578886f1bb2b34b1af170daa71c691121dad284e8b0dc211c94c51ea52bd1d1a
  - SHA512: 7c4a4b4f2f4b46a9177226d5006b66c7ac7ab7aed31c1ceb43535a93c8c4351fc28c73d5ada8bc7194ba4201bebc350c14f80293da059b02d64050f34c4d6b20
- Filesize: 415B
  - MD5: 7fe905f3fc78d0e417184e6fefc3a265
  - SHA1: 6233d84da3de0c01c69808723b0b07e0d24db0a0
  - SHA256: c014e2cf66ee359a3dbda46561c080bf11077290758d708d9e421506637bda83
  - SHA512: c116077b6e246e93c01659b00cc111fe154835a598642d8a658ce0d4d783ef548d1f9c71d4ab245c3ba33e2a1da0bf9ed841f1337cee2f26e0afed04677ec287