Analysis
-
max time kernel
147s -
max time network
139s -
platform
android_x86 -
resource
android-x86-arm-20240221-en -
resource tags
-
submitted
13-04-2024 22:02
General
-
Target
331e239de166370ab59ae9715b8883ed6bbb642e721bd99854532b96d5b97806.apk
-
Size
4.1MB
-
MD5
144ecbe7fe5f52577163493160d3d9a8
-
SHA1
4a7345612480c4d01f158cabc73d204f6d5bcc25
-
SHA256
331e239de166370ab59ae9715b8883ed6bbb642e721bd99854532b96d5b97806
-
SHA512
612db01f4724d05b1cf1fc771b6e96094ebe4aa3879f51151b94e5ea0b3d785f8e97df30a27a2bfc29364c57a385d92d79a11550cc15ddaf0c8b83274fa6d91b
-
SSDEEP
98304:ZZL4xaxIGqxrZuK1LO6JLSJKr5n/W/A9hVqP2CXyQMbEaE1lNKCCfs:juai7xrwWTmw51g+CdM0vNlCs
Malware Config
Extracted
alienbot
http://wf4sctx9cksg94528o7o.xyz
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Makes use of the framework's Accessibility service 2 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Removes its main activity from the application launcher 1 TTPs 7 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
-
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries account information for other applications stored on the device. 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Acquires the wake lock 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes
-
au.actress.spring1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device.
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/au.actress.spring/app_DynamicOptDex/gLhLFq.jsonFilesize
705KB
MD5ab9ca8077281c6a12d0b4a4d60b24515
SHA108d15b078336e8f54d0d63a116182dea6ba425b3
SHA2567e8596da57a57483072d27483c02e8dc4e13808e49cd742aa286aa04f6848002
SHA5129b6a2b3b07ff62881f064b9b50aec8b679240ecbe41c4dcaf82e8e841b595036268aa1748da7883bf2b8b75a04394865b0062c06bc2b7b835ed7bf8eacfb3912
-
/data/data/au.actress.spring/app_DynamicOptDex/gLhLFq.jsonFilesize
705KB
MD50056c5b0bab09737b6ade5706a217297
SHA1f59c37b33940793f86b0876bbe1327099b676340
SHA256ab75a7d1aecbfbacf76557fbd7836144cfd38fdf29c8e45e73ae458020a5aa09
SHA512e0867fcb7a3217db18e699b16d656eda9316b4338c2d2cef5dc36bd0702c56aec8b2ea8222ee75072cc21c2249ae7805f6e08da25775e400111267e7592399c3
-
/data/data/au.actress.spring/app_DynamicOptDex/oat/gLhLFq.json.cur.profFilesize
424B
MD5b20127613a739b20232456ad88aacb6a
SHA152a7a8e10e7d4cec2f60dd326429d03f9562367e
SHA2568d429e032391ea2eacb10dd0a9ed36a523fecfb01876ef0af4ef48c819261f08
SHA512de3bad026d4bf816b3914b6207b01e40c4db952ed1a7ec702bfe405a0e5dac72c6377576360ef8a7cd620790731b6db5bf23c8bc56c6b5a48c7b60f755bf231a
-
/data/user/0/au.actress.spring/app_DynamicOptDex/gLhLFq.jsonFilesize
916KB
MD50492ff282c4448ff6204e0a25d662ada
SHA1c7287913394537230a53e0177422427c03c080f2
SHA2564c937a69cf24f1590c46cd2a2506ce4612f2a0cef7a9e8b070412085f0ee7e78
SHA51223ebb4255f7d5396d3890db65e83b52628b6afe54e9bad2b81c3edea72978a5a1ab55b314b55a55770f211d0d96e1d4aebce63acb642f4c1c8d69b6c1c0dd9b7