alienbot

General

Target

ea911124defd4bf8d63aba29b0a04ed9_JaffaCakes118
Size

4.3MB
Sample

240410-jfml8sga85
MD5

ea911124defd4bf8d63aba29b0a04ed9
SHA1

de6bdb3f1153e95fbf3b4aff904616ff8340e681
SHA256

dad6cdcd782dc3daf5cf1dbdd82c58336af18b33a87be3f19b0833e547fe90a5
SHA512

1458992047473bdb3aed2e1db675495a2924e70d8ff087e487d140ffaa46c0bec78c0d30f96a24eba4aa09bfce81230e531af817e2ff5332bfe8b60e365a7cd0
SSDEEP

98304:qdK5aHKd+5ZEy/U8cZID5oLO50zISGdo/vIlZPB2S/kP8:2qdry88cm1ELmkvIlZPB258

Score

10^/10

Malware Config

Extracted

Family

alienbot

C2

http://2tn54bh60mp4mlpqo4k2.xyz

Targets

- Target
  
  ea911124defd4bf8d63aba29b0a04ed9_JaffaCakes118
- Size
  
  4.3MB
- MD5
  
  ea911124defd4bf8d63aba29b0a04ed9
- SHA1
  
  de6bdb3f1153e95fbf3b4aff904616ff8340e681
- SHA256
  
  dad6cdcd782dc3daf5cf1dbdd82c58336af18b33a87be3f19b0833e547fe90a5
- SHA512
  
  1458992047473bdb3aed2e1db675495a2924e70d8ff087e487d140ffaa46c0bec78c0d30f96a24eba4aa09bfce81230e531af817e2ff5332bfe8b60e365a7cd0
- SSDEEP
  
  98304:qdK5aHKd+5ZEy/U8cZID5oLO50zISGdo/vIlZPB2S/kP8:2qdry88cm1ELmkvIlZPB258
Score

10^/10

alienbot banker collection discovery evasion infostealer persistence stealth trojan
- Alienbot
  Alienbot is a fork of Cerberus banker first seen in January 2020.
  banker trojan infostealer alienbot
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion
- Removes its main activity from the application launcher
  stealth trojan evasion
- Checks CPU information
  Checks CPU information which indicate if the system is an emulator.
  evasion discovery
- Checks memory information
  Checks memory information which indicate if the system is an emulator.
  evasion discovery
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries account information for other applications stored on the device.
  Application may abuse the framework's APIs to collect account information stored on the device.
  collection
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Checks CPU information

Checks memory information

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Queries account information for other applications stored on the device.

Queries the phone number (MSISDN for GSM devices)

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2