alienbot | 38e59c9876d09730d7e5d03204ebff9d9b6072108838354e62ab4b62e28bb839

Analysis

max time kernel
152s
max time network
141s
platform
android_x64
resource
android-x64-arm64-20240221-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system
submitted
10-04-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebcc01dc4c4f5b5a1d691c5684b4b197_JaffaCakes118.apk
Size

3.6MB
MD5

ebcc01dc4c4f5b5a1d691c5684b4b197
SHA1

81b0a11fa3344e57d37fc97f268532d8339fbbe3
SHA256

38e59c9876d09730d7e5d03204ebff9d9b6072108838354e62ab4b62e28bb839
SHA512

ec7de69877ee767062fdf4ad375324f22c00b44675c9e037ad07e01a72441f3ef7f4b52048d8c4e62bb8c331ccd52cd85ec0482b6def34944b08d61225bf93e6
SSDEEP

98304:5oC2wEsPVsbtNw5KbRQx8/msu+t+v5g6NQjaTZtC:5oC2TsP6bbbRQdsuRv5g6NQj2XC

Score

10^/10

alienbot cerberus banker collection discovery evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://salakodenekoz.net

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/custom.best.orchard/app_DynamicOptDex/jEc.json	family_cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

Processes:

custom.best.orchard

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	custom.best.orchard
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	custom.best.orchard

Removes its main activity from the application launcher 1 TTPs 8 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

Processes:

custom.best.orchard

pid	process
4445	custom.best.orchard
4445	custom.best.orchard
4445	custom.best.orchard
4445	custom.best.orchard
4445	custom.best.orchard
4445	custom.best.orchard
4445	custom.best.orchard
4445	custom.best.orchard

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

custom.best.orchard

ioc	pid	process
/data/user/0/custom.best.orchard/app_DynamicOptDex/jEc.json	4445	custom.best.orchard
/data/user/0/custom.best.orchard/app_DynamicOptDex/jEc.json	4445	custom.best.orchard

Queries account information for other applications stored on the device. 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

custom.best.orchard

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser custom.best.orchard
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

custom.best.orchard

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS custom.best.orchard

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	custom.best.orchard

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	custom.best.orchard

custom.best.orchard
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4445

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Discovery

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/custom.best.orchard/app_DynamicOptDex/jEc.json

Filesize
724KB

MD5
466a33fd77d47abeeddde084b0210e30

SHA1
ed0fc88b4799f9c9b28e1581757dbbdbb22b7c69

SHA256
04fee12db243334767cf584607a509077a10a55f999a26b35137920abd1a738c

SHA512
b5b0cc3610caaa7e89fcb0548ac01d175f734f0c8ba90465261ab492f359fba9294c70cae5bf155f8f084aaa9a11c7e94a9e29102de7c752503d4b2b7b70906b

Download Submit
/data/user/0/custom.best.orchard/app_DynamicOptDex/jEc.json

Filesize
724KB

MD5
cf36de8993386b6609c965319ccaea1e

SHA1
6aeabcdb1a782831a45c5bbed3f6bf3df8d95b8f

SHA256
b8bee9641b7b59e2b2649c46e43cf3f0bb489ef57bbfe08061974f7804aa9328

SHA512
039ac96b5d02bef8d8cbaf0b79d31a4b9ff4251f659635f015e00d73e459d70736d4bde227af78eb86597eb9aca78bfa6cbce6af9d78a90b1b260b1b361615de

Download Submit
/data/user/0/custom.best.orchard/app_DynamicOptDex/oat/jEc.json.cur.prof

Filesize
329B

MD5
0743814071cd0703574d48719dc9cc9a

SHA1
453ff7b87fe74a23c7bc9c8f6a97890cc1ed321d

SHA256
90779304e500e9219f88e6e0333f07249dc4474beeb80ff211fa3c457c3f8b6e

SHA512
c8d31717f0f9b38f77f8e81ed41342082ddc16089cc6533c9533b782096aaaf40ef275708cb20c7a6f455644379ca4f7f79d41477492640c399992fd90d4096c

Download Submit