Resubmissions

09-04-2024 14:29

240409-rtpyhshd88 10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted
    09-04-2024 14:29

General

  • Target

    ea32dfb83dff2f55084a22624077dd6e_JaffaCakes118.apk

  • Size

    3.4MB

  • MD5

    ea32dfb83dff2f55084a22624077dd6e

  • SHA1

    0b994725abc116f194007865b898e981f0b41e4d

  • SHA256

    9b288f10d587a1390b422e385e7813b24f51b34304ac0585242b865a7a1b9be6

  • SHA512

    4491c85229d063c6c63d2ccacb08505650030767237692ad06f3fc3a527296e06d8aed09c56088f38463b3ceb31d1cedb1f06eb5a823d194f2ffe16b16d1a779

  • SSDEEP

    49152:yzLDYLv2hd/i4QILkJWy2m74Hy7FBIsa9URW5cMs0UpmWQXAfhkw1eD:N2T/2jJLHvP894FMZU4WwAbsD

Malware Config

Extracted

Family

alienbot

C2

http://34.89.218.199

rc4.plain

Extracted

Family

alienbot

C2

http://34.89.218.199

Signatures

  • Alienbot

    Alienbot is a fork of the Cerberus banker, first seen in January 2020.

  • Cerberus

    An Android banker that has been rented out to threat actors since 2019.

  • Cerberus payload 2 IoCs
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is an emulator.

  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information that indicates whether the system is an emulator.

  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs an executable file dropped onto the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries account information for other applications stored on the device. 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

Processes

  • pole.crumble.burden
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries account information for other applications stored on the device.
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4284
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/pole.crumble.burden/app_DynamicOptDex/YcB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/pole.crumble.burden/app_DynamicOptDex/oat/x86/YcB.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4310

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/pole.crumble.burden/app_DynamicOptDex/YcB.json

    Filesize

    726KB

    MD5

    f6252d5c666bdf8e9ac685a5321295c9

    SHA1

    a2a167047553df7581e36652faf4d4ad7e0eb119

    SHA256

    b3708df32aed6b4a66f729502a08283bc0a1ee49ab37801f4ad390e4af66690d

    SHA512

    c12801c94e589ee6490fe0caf605be8a9c1566987fd777686bd703ef0d2659107adc5a50782d61ff27741bd69ab859944a809620a5993458a447bb12dbf0c823

  • /data/data/pole.crumble.burden/app_DynamicOptDex/YcB.json

    Filesize

    726KB

    MD5

    46302e3551aa9cd96409ca7f071ffaf8

    SHA1

    63dc0c17acba75d25cabc062b59513018164006c

    SHA256

    89a4825b881774f89b0ec7c1549228799ddd251b1058a130f0d09c8e89a54e40

    SHA512

    a1166d7f052c675a29c5ff527382761185313778ec5b33cf33db899e9297933ee4615ee1f019542fc5b9bfa4bd508c83c6189b66c519d7cb69ed43c52d1343fe

  • /data/data/pole.crumble.burden/app_DynamicOptDex/oat/YcB.json.cur.prof

    Filesize

    530B

    MD5

    8ec6fbc49fc20d186e1e54873b1322cb

    SHA1

    404ab12c4ea1d7176b1fe2f85cc50438981a99eb

    SHA256

    0545b8d3836edd436559796a9453818b2b5c1815f0ee039fdf0ee45c58a64921

    SHA512

    542e4bfd27db8b3324f5d0477e3c3ce4893c0a3989eaf8006e19a030d4fb595a3b47323b2492e62abdf6be5cce20fe8a60898f08fff5d11015b9e8de1c421446

  • /data/user/0/pole.crumble.burden/app_DynamicOptDex/YcB.json

    Filesize

    726KB

    MD5

    29915bb37329fb49f12ff457193a5c70

    SHA1

    28a1d617794eecb4c0b7e311e81b54c8c024b365

    SHA256

    e9eff9d71ad09f58524d2f1c3260ab9fc05fd50e06debf4c99e03e43ea426579

    SHA512

    673d2100b6082c9b99406594fa785500042dd339f7429910729c452362db4f0fb83e71624594c1a572f110bf263b8824079ac10abeede881034c1b8ca8632cf2