Overview

overview

10

Static

static

6

ebcc01dc4c...18.apk

android-9-x86

10

ebcc01dc4c...18.apk

android-10-x64

10

ebcc01dc4c...18.apk

android-11-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    141s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    10-04-2024 19:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ebcc01dc4c4f5b5a1d691c5684b4b197_JaffaCakes118.apk

  • Size

    3.6MB

  • MD5

    ebcc01dc4c4f5b5a1d691c5684b4b197

  • SHA1

    81b0a11fa3344e57d37fc97f268532d8339fbbe3

  • SHA256

    38e59c9876d09730d7e5d03204ebff9d9b6072108838354e62ab4b62e28bb839

  • SHA512

    ec7de69877ee767062fdf4ad375324f22c00b44675c9e037ad07e01a72441f3ef7f4b52048d8c4e62bb8c331ccd52cd85ec0482b6def34944b08d61225bf93e6

  • SSDEEP

    98304:5oC2wEsPVsbtNw5KbRQx8/msu+t+v5g6NQjaTZtC:5oC2TsP6bbbRQdsuRv5g6NQj2XC

Score
10/10
alienbotcerberusbankercollectiondiscoveryevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://salakodenekoz.net

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 2 IoCs
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information which indicate if the system is an emulator.

    evasiondiscovery
  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information which indicate if the system is an emulator.

    evasiondiscovery
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries account information for other applications stored on the device. 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion

Processes

  • custom.best.orchard
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4209
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/custom.best.orchard/app_DynamicOptDex/jEc.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/custom.best.orchard/app_DynamicOptDex/oat/x86/jEc.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4266

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/custom.best.orchard/app_DynamicOptDex/jEc.json
    Filesize

    724KB

    MD5

    466a33fd77d47abeeddde084b0210e30

    SHA1

    ed0fc88b4799f9c9b28e1581757dbbdbb22b7c69

    SHA256

    04fee12db243334767cf584607a509077a10a55f999a26b35137920abd1a738c

    SHA512

    b5b0cc3610caaa7e89fcb0548ac01d175f734f0c8ba90465261ab492f359fba9294c70cae5bf155f8f084aaa9a11c7e94a9e29102de7c752503d4b2b7b70906b

    Download Submit

  • /data/data/custom.best.orchard/app_DynamicOptDex/jEc.json
    Filesize

    724KB

    MD5

    cf36de8993386b6609c965319ccaea1e

    SHA1

    6aeabcdb1a782831a45c5bbed3f6bf3df8d95b8f

    SHA256

    b8bee9641b7b59e2b2649c46e43cf3f0bb489ef57bbfe08061974f7804aa9328

    SHA512

    039ac96b5d02bef8d8cbaf0b79d31a4b9ff4251f659635f015e00d73e459d70736d4bde227af78eb86597eb9aca78bfa6cbce6af9d78a90b1b260b1b361615de

    Download Submit

  • /data/data/custom.best.orchard/app_DynamicOptDex/oat/jEc.json.cur.prof
    Filesize

    469B

    MD5

    6453c5e47a08fae0a4cfd9090c80688a

    SHA1

    e131cee07da08891fcfabf80f972abdacdf8c015

    SHA256

    038ee442b6c042c6b2c09bb70a8f13ead0f1b78428ab7f6f1e0b84157a872da7

    SHA512

    60087042074707d1e6aac1eae272330164c09c7f59fdd49ec72013c6f7466d0fb3c42f5f468f919fccd7403d3a91be8920d81d33132772102568784fd68caba4

    Download Submit

  • /data/user/0/custom.best.orchard/app_DynamicOptDex/jEc.json
    Filesize

    724KB

    MD5

    acda1d699dd355970105d166073833c7

    SHA1

    30a027de9a9ce21cef53e6f24ce9e9ba80d21db7

    SHA256

    f9663e9ff78433ce10af772b888b933f12ce23f94b80d41482b77053c1ec6233

    SHA512

    5d10029801e9322c39eb87c040c86caed01a005d2ea36eb2e809acca2a0ecb7eb2afc3bac86145d3a94888c8bfc2756545ab873240b4d65d29d7eb3c2b7d7b5a

    Download Submit