Analysis

  • max time kernel: 13s
  • max time network: 133s
  • platform: android_x64
  • resource: android-33-x64-arm64-20240229-en
  • resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240229-en, locale:en-us, os:android-13-x64, system
  • submitted: 13-04-2024 22:02

General

  • Target: 331e239de166370ab59ae9715b8883ed6bbb642e721bd99854532b96d5b97806.apk
  • Size: 4.1MB
  • MD5: 144ecbe7fe5f52577163493160d3d9a8
  • SHA1: 4a7345612480c4d01f158cabc73d204f6d5bcc25
  • SHA256: 331e239de166370ab59ae9715b8883ed6bbb642e721bd99854532b96d5b97806
  • SHA512: 612db01f4724d05b1cf1fc771b6e96094ebe4aa3879f51151b94e5ea0b3d785f8e97df30a27a2bfc29364c57a385d92d79a11550cc15ddaf0c8b83274fa6d91b
  • SSDEEP: 98304:ZZL4xaxIGqxrZuK1LO6JLSJKr5n/W/A9hVqP2CXyQMbEaE1lNKCCfs:juai7xrwWTmw51g+CdM0vNlCs

Malware Config

Extracted

  • Family: alienbot
  • C2: http://wf4sctx9cksg94528o7o.xyz

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

  • Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Loads dropped Dex/Jar (1 TTP, 1 IoC)

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Acquires the wake lock (1 IoC)

Processes

  • au.actress.spring (PID: 4247)
    • Makes use of the framework's Accessibility service
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Acquires the wake lock

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/au.actress.spring/app_DynamicOptDex/gLhLFq.json
    • Filesize: 705KB
    • MD5: ab9ca8077281c6a12d0b4a4d60b24515
    • SHA1: 08d15b078336e8f54d0d63a116182dea6ba425b3
    • SHA256: 7e8596da57a57483072d27483c02e8dc4e13808e49cd742aa286aa04f6848002
    • SHA512: 9b6a2b3b07ff62881f064b9b50aec8b679240ecbe41c4dcaf82e8e841b595036268aa1748da7883bf2b8b75a04394865b0062c06bc2b7b835ed7bf8eacfb3912

  • /data/user/0/au.actress.spring/app_DynamicOptDex/gLhLFq.json
    • Filesize: 705KB
    • MD5: 0056c5b0bab09737b6ade5706a217297
    • SHA1: f59c37b33940793f86b0876bbe1327099b676340
    • SHA256: ab75a7d1aecbfbacf76557fbd7836144cfd38fdf29c8e45e73ae458020a5aa09
    • SHA512: e0867fcb7a3217db18e699b16d656eda9316b4338c2d2cef5dc36bd0702c56aec8b2ea8222ee75072cc21c2249ae7805f6e08da25775e400111267e7592399c3

  • /data/user/0/au.actress.spring/app_DynamicOptDex/gLhLFq.json
    • Filesize: 916KB
    • MD5: 0492ff282c4448ff6204e0a25d662ada
    • SHA1: c7287913394537230a53e0177422427c03c080f2
    • SHA256: 4c937a69cf24f1590c46cd2a2506ce4612f2a0cef7a9e8b070412085f0ee7e78
    • SHA512: 23ebb4255f7d5396d3890db65e83b52628b6afe54e9bad2b81c3edea72978a5a1ab55b314b55a55770f211d0d96e1d4aebce63acb642f4c1c8d69b6c1c0dd9b7