Analysis
-
max time kernel
152s -
max time network
141s -
platform
android_x64 -
resource
android-x64-arm64-20240221-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system -
submitted
10-04-2024 19:16
Static task
static1
Behavioral task
behavioral1
Sample
ebcc01dc4c4f5b5a1d691c5684b4b197_JaffaCakes118.apk
Resource
android-x86-arm-20240221-en
Behavioral task
behavioral2
Sample
ebcc01dc4c4f5b5a1d691c5684b4b197_JaffaCakes118.apk
Resource
android-x64-20240221-en
Behavioral task
behavioral3
Sample
ebcc01dc4c4f5b5a1d691c5684b4b197_JaffaCakes118.apk
Resource
android-x64-arm64-20240221-en
General
-
Target
ebcc01dc4c4f5b5a1d691c5684b4b197_JaffaCakes118.apk
-
Size
3.6MB
-
MD5
ebcc01dc4c4f5b5a1d691c5684b4b197
-
SHA1
81b0a11fa3344e57d37fc97f268532d8339fbbe3
-
SHA256
38e59c9876d09730d7e5d03204ebff9d9b6072108838354e62ab4b62e28bb839
-
SHA512
ec7de69877ee767062fdf4ad375324f22c00b44675c9e037ad07e01a72441f3ef7f4b52048d8c4e62bb8c331ccd52cd85ec0482b6def34944b08d61225bf93e6
-
SSDEEP
98304:5oC2wEsPVsbtNw5KbRQx8/msu+t+v5g6NQjaTZtC:5oC2TsP6bbbRQdsuRv5g6NQj2XC
Malware Config
Extracted
alienbot
http://salakodenekoz.net
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Cerberus payload 1 IoCs
resource yara_rule behavioral3/files/fstream-2.dat family_cerberus -
Makes use of the framework's Accessibility service 2 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId custom.best.orchard Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId custom.best.orchard -
pid Process 4445 custom.best.orchard 4445 custom.best.orchard 4445 custom.best.orchard 4445 custom.best.orchard 4445 custom.best.orchard 4445 custom.best.orchard 4445 custom.best.orchard 4445 custom.best.orchard -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/custom.best.orchard/app_DynamicOptDex/jEc.json 4445 custom.best.orchard /data/user/0/custom.best.orchard/app_DynamicOptDex/jEc.json 4445 custom.best.orchard -
Queries account information for other applications stored on the device. 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description ioc Process Framework service call android.accounts.IAccountManager.getAccountsAsUser custom.best.orchard -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS custom.best.orchard
Processes
-
custom.best.orchard1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4445
Network
MITRE ATT&CK Mobile v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
724KB
MD5466a33fd77d47abeeddde084b0210e30
SHA1ed0fc88b4799f9c9b28e1581757dbbdbb22b7c69
SHA25604fee12db243334767cf584607a509077a10a55f999a26b35137920abd1a738c
SHA512b5b0cc3610caaa7e89fcb0548ac01d175f734f0c8ba90465261ab492f359fba9294c70cae5bf155f8f084aaa9a11c7e94a9e29102de7c752503d4b2b7b70906b
-
Filesize
724KB
MD5cf36de8993386b6609c965319ccaea1e
SHA16aeabcdb1a782831a45c5bbed3f6bf3df8d95b8f
SHA256b8bee9641b7b59e2b2649c46e43cf3f0bb489ef57bbfe08061974f7804aa9328
SHA512039ac96b5d02bef8d8cbaf0b79d31a4b9ff4251f659635f015e00d73e459d70736d4bde227af78eb86597eb9aca78bfa6cbce6af9d78a90b1b260b1b361615de
-
Filesize
329B
MD50743814071cd0703574d48719dc9cc9a
SHA1453ff7b87fe74a23c7bc9c8f6a97890cc1ed321d
SHA25690779304e500e9219f88e6e0333f07249dc4474beeb80ff211fa3c457c3f8b6e
SHA512c8d31717f0f9b38f77f8e81ed41342082ddc16089cc6533c9533b782096aaaf40ef275708cb20c7a6f455644379ca4f7f79d41477492640c399992fd90d4096c