Analysis
-
max time kernel
151s -
max time network
160s -
platform
android_x64 -
resource
android-x64-arm64-20240221-en -
resource tags
android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240221-en, locale:en-us, os:android-11-x64, system -
submitted
07-04-2024 19:30
Static task
static1
Behavioral task
behavioral1
Sample
e5b027f80c3acb8eb4c59cc23c0942c3_JaffaCakes118.apk
Resource
android-x86-arm-20240221-en
Behavioral task
behavioral2
Sample
e5b027f80c3acb8eb4c59cc23c0942c3_JaffaCakes118.apk
Resource
android-x64-20240221-en
Behavioral task
behavioral3
Sample
e5b027f80c3acb8eb4c59cc23c0942c3_JaffaCakes118.apk
Resource
android-x64-arm64-20240221-en
General
-
Target
e5b027f80c3acb8eb4c59cc23c0942c3_JaffaCakes118.apk
-
Size
3.2MB
-
MD5
e5b027f80c3acb8eb4c59cc23c0942c3
-
SHA1
fb45ea1bf19cab34ec464b97802f59b9b45073ec
-
SHA256
a6c11288cb0d8c5129e3cf3b3ab1cb4263b2344acc884dff9da5dbf1027d0b42
-
SHA512
5c7b0f4cf7b7212dc7b0cd56f3a8459af5a881a375bf3ff0e1ebe58b099fa21c5b39e95cfda703493157c3c56b73504d8b7b8c242c294decdd6ef248cc7897dd
-
SSDEEP
98304:UlrkoY6RaHiXnQz9raUy7m5qjosXjDExFDEyR:mRRnQtaUscsX/sF4yR
Malware Config
Extracted
alienbot
http://34.89.151.222
Signatures
-
Alienbot
Alienbot is a fork of the Cerberus Android banker, first seen in January 2020.
-
Cerberus payload 1 IoCs
resource                          yara_rule
behavioral3/files/fstream-2.dat   family_cerberus
Makes use of the framework's Accessibility service 2 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description             ioc                                                                                                   Process
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  federal.label.business
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId          federal.label.business
pid   Process
4622  federal.label.business (same entry listed 8 times)
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs an executable file dropped to the device during analysis. The dropped file below carries a .json extension but is loaded as Dex code.
ioc                                                                  pid   Process
/data/user/0/federal.label.business/app_DynamicOptDex/ANdqeJl.json   4622  federal.label.business (same entry listed twice)
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description             ioc                                                 Process
Framework service call  android.app.IActivityManager.setServiceForeground   federal.label.business
Queries account information for other applications stored on the device. 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description             ioc                                                 Process
Framework service call  android.accounts.IAccountManager.getAccountsAsUser  federal.label.business
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description             ioc                                        Process
Framework service call  android.os.IPowerManager.acquireWakeLock   federal.label.business
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description    ioc                                                       Process
Intent action  android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS     federal.label.business
Processes
-
federal.label.business
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device.
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4622
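The Signatures and Processes sections above list the behaviours individually; what makes the sample look like a banker is the combination (screen reading via AccessibilityService, a foreground service, account enumeration, a battery-optimisation bypass, and a Dex payload staged under a .json name). The following is an added example, not code from the sandbox or from the sample: it scores a process's framework calls, intent actions and dropped files against those indicators and classifies a dropped file by its magic bytes rather than its extension. The event list and the file header are constructed from the IoC rows above; the weights, the threshold and the "app_DynamicOptDex" check are assumptions made for this example.

```python
"""Added detection helper for the behaviour reported above (not sandbox code).

Scores a process's framework-service calls, intent actions and dropped files
against a small set of banker indicators taken from the Signatures section,
and classifies each dropped file by its magic bytes so that a DEX staged
under a .json name is still recognised.
"""
from dataclasses import dataclass, field

# Indicator -> (category, weight). The indicator strings are the exact values
# from the report; the categories and weights are assumptions for this example.
BANKER_INDICATORS = {
    "android.accessibilityservice.IAccessibilityServiceConnection."
    "findAccessibilityNodeInfoByAccessibilityId": ("accessibility_screen_read", 3),
    "android.accessibilityservice.IAccessibilityServiceConnection."
    "findAccessibilityNodeInfosByViewId": ("accessibility_screen_read", 3),
    "android.app.IActivityManager.setServiceForeground": ("foreground_persistence", 1),
    "android.accounts.IAccountManager.getAccountsAsUser": ("account_enumeration", 2),
    "android.os.IPowerManager.acquireWakeLock": ("wake_lock", 1),
    "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": ("battery_opt_bypass", 2),
}
CODE_EXTENSIONS = {"dex", "jar", "apk", "zip"}   # extensions that legitimately carry code
THRESHOLD = 8                                    # assumed cut-off for "banker-like"

DEX_MAGIC = b"dex\n"        # DEX files start with "dex\n" followed by a version, e.g. "035\0"
ZIP_MAGIC = b"PK\x03\x04"   # JAR/APK are ZIP containers

# Constructed from the IoC rows above: (pid, process, event kind, value).
SAMPLE_EVENTS = [
    (4622, "federal.label.business", "service_call",
     "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId"),
    (4622, "federal.label.business", "service_call",
     "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId"),
    (4622, "federal.label.business", "service_call", "android.app.IActivityManager.setServiceForeground"),
    (4622, "federal.label.business", "service_call", "android.accounts.IAccountManager.getAccountsAsUser"),
    (4622, "federal.label.business", "service_call", "android.os.IPowerManager.acquireWakeLock"),
    (4622, "federal.label.business", "intent", "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"),
]

# Constructed header: a DEX file under the .json path from the report.
SAMPLE_DROPPED = {
    "/data/user/0/federal.label.business/app_DynamicOptDex/ANdqeJl.json":
        b"dex\n035\x00" + b"\x00" * 24,
}


def file_kind(header: bytes) -> str:
    """Classify a dropped file by its leading bytes, ignoring its name."""
    if header.startswith(DEX_MAGIC):
        return "dex"
    if header.startswith(ZIP_MAGIC):
        return "zip_or_jar"
    return "other"


@dataclass
class Verdict:
    score: int = 0
    categories: set = field(default_factory=set)
    notes: list = field(default_factory=list)


def score_process(events, dropped_files) -> Verdict:
    """Score one process. Each category counts once, however many calls hit it."""
    v = Verdict()
    for _pid, _proc, _kind, value in events:
        if value in BANKER_INDICATORS:
            category, weight = BANKER_INDICATORS[value]
            if category not in v.categories:
                v.categories.add(category)
                v.score += weight
    for path, header in dropped_files.items():
        kind = file_kind(header)
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        # Code content behind a non-code extension is the interesting case.
        if kind != "other" and ext not in CODE_EXTENSIONS:
            v.categories.add("disguised_dex")
            v.score += 3
            v.notes.append(f"{path}: {kind} content under .{ext} extension")
    return v


def verdict(v: Verdict) -> str:
    return "banker-like" if v.score >= THRESHOLD else "inconclusive"


def analyze_sample() -> Verdict:
    return score_process(SAMPLE_EVENTS, SAMPLE_DROPPED)


if __name__ == "__main__":
    result = analyze_sample()
    print(verdict(result), result.score, sorted(result.categories), result.notes)
```

Categories are counted once each so that two accessibility calls do not outweigh the rest; the magic-byte check is what catches the `app_DynamicOptDex/*.json` payload, which an extension-based filter would pass as data.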
Network
MITRE ATT&CK Mobile v15
Downloads
-
Filesize
701KB
MD5 51683c97df89913c45ee98a4a9dc3874
SHA1 993df072352c763e7d12d79ba3b1a4f8f63b5829
SHA256 01bbd89c5c822c856bbabad1eeb6c4c2a7cab45512d88390a5088b0b693e3a68
SHA512 2570d649886befbaa31ea32d64f5cb1fb79cb658ce61fc73680a226bc6cf2116edef5f4eea9fc81e9ff8fe8fed4ff2143cb984e7cca38f55ac6b58e58d80c38a
-
Filesize
701KB
MD5 0b0e52335bcc93ee0988288bac651d1c
SHA1 2d41d3110f778342b9f71212fe457614791acfae
SHA256 578886f1bb2b34b1af170daa71c691121dad284e8b0dc211c94c51ea52bd1d1a
SHA512 7c4a4b4f2f4b46a9177226d5006b66c7ac7ab7aed31c1ceb43535a93c8c4351fc28c73d5ada8bc7194ba4201bebc350c14f80293da059b02d64050f34c4d6b20
-
Filesize
361B
MD5 423541f0296064d366f8ce556c3fa8c3
SHA1 a85270f8890e06a43f60371d67fa636ff4deedf7
SHA256 6d69507f6c230405b048c807304f33cf0d7839d236a7dcba9a97059958223894
SHA512 287092527467bd4cd02d3cbb547bd1c06a37f500ffbedfd19c19f010c319e05ad02e2a7276baaab79afa2258a98bbf419fd10f9f4bb2b6c6a2454b0f369a4d22