Analysis

  • max time kernel
    151s
  • max time network
    160s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240221-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240221-en, locale:en-us, os:android-11-x64, system
  • submitted
    07-04-2024 19:30

General

  • Target

    e5b027f80c3acb8eb4c59cc23c0942c3_JaffaCakes118.apk

  • Size

    3.2MB

  • MD5

    e5b027f80c3acb8eb4c59cc23c0942c3

  • SHA1

    fb45ea1bf19cab34ec464b97802f59b9b45073ec

  • SHA256

    a6c11288cb0d8c5129e3cf3b3ab1cb4263b2344acc884dff9da5dbf1027d0b42

  • SHA512

    5c7b0f4cf7b7212dc7b0cd56f3a8459af5a881a375bf3ff0e1ebe58b099fa21c5b39e95cfda703493157c3c56b73504d8b7b8c242c294decdd6ef248cc7897dd

  • SSDEEP

    98304:UlrkoY6RaHiXnQz9raUy7m5qjosXjDExFDEyR:mRRnQtaUscsX/sF4yR

Malware Config

Extracted

Family

alienbot

C2

http://34.89.151.222

rc4.plain

Signatures

  • Alienbot

    Alienbot is a fork of the Cerberus banker, first seen in January 2020.

  • Cerberus

    An Android banker rented out to threat actors since 2019.

  • Cerberus payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 1 TTPs 8 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries account information for other applications stored on the device. 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

Processes

  • federal.label.business
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries account information for other applications stored on the device.
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4622

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/federal.label.business/app_DynamicOptDex/ANdqeJl.json

    Filesize

    701KB

    MD5

    51683c97df89913c45ee98a4a9dc3874

    SHA1

    993df072352c763e7d12d79ba3b1a4f8f63b5829

    SHA256

    01bbd89c5c822c856bbabad1eeb6c4c2a7cab45512d88390a5088b0b693e3a68

    SHA512

    2570d649886befbaa31ea32d64f5cb1fb79cb658ce61fc73680a226bc6cf2116edef5f4eea9fc81e9ff8fe8fed4ff2143cb984e7cca38f55ac6b58e58d80c38a

  • /data/user/0/federal.label.business/app_DynamicOptDex/ANdqeJl.json

    Filesize

    701KB

    MD5

    0b0e52335bcc93ee0988288bac651d1c

    SHA1

    2d41d3110f778342b9f71212fe457614791acfae

    SHA256

    578886f1bb2b34b1af170daa71c691121dad284e8b0dc211c94c51ea52bd1d1a

    SHA512

    7c4a4b4f2f4b46a9177226d5006b66c7ac7ab7aed31c1ceb43535a93c8c4351fc28c73d5ada8bc7194ba4201bebc350c14f80293da059b02d64050f34c4d6b20

  • /data/user/0/federal.label.business/app_DynamicOptDex/oat/ANdqeJl.json.cur.prof

    Filesize

    361B

    MD5

    423541f0296064d366f8ce556c3fa8c3

    SHA1

    a85270f8890e06a43f60371d67fa636ff4deedf7

    SHA256

    6d69507f6c230405b048c807304f33cf0d7839d236a7dcba9a97059958223894

    SHA512

    287092527467bd4cd02d3cbb547bd1c06a37f500ffbedfd19c19f010c319e05ad02e2a7276baaab79afa2258a98bbf419fd10f9f4bb2b6c6a2454b0f369a4d22