Overview

overview

10

Static

static

6

292c9e26ff...18.apk

android-9-x86

10

292c9e26ff...18.apk

android-10-x64

10

292c9e26ff...18.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    android_x64
  • resource
    android-x64-20240506-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240506-enlocale:en-usos:android-10-x64system
  • submitted
    09-05-2024 08:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    292c9e26ffe79e019bb67c1a4cf53d77_JaffaCakes118.apk

  • Size

    1.5MB

  • MD5

    292c9e26ffe79e019bb67c1a4cf53d77

  • SHA1

    65c4ce134b9221c59a923f3c5f06cad528edb0fd

  • SHA256

    7c834908030f6884afde99b50812f20ccd5253ae1df1d9370a2d0a201014af0b

  • SHA512

    4d863adc866d9f07c51310f3f651ac3d0bf144708addf9aa04f5aa005901eb9a5553c20aa21e12de17f6b250d15933f3897e5b59cc402b153d0095fec82bb898

  • SSDEEP

    49152:s19qhTFjJ0xVdY4s8ssR4aL/7AJNbNWjGOWn:A9qhT9JwdYl8svaL/7ADTln

Score
10/10
alienbotcerberusbankercollectioncredential_accessdiscoveryevasionexecutioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://odry.london

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

    evasion
  • Removes its main activity from the application launcher 1 TTPs 3 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • fethqzabypgsytcqkccz.jqinmjugfzjojibhbwmz.tsxjdhotcktyfgqoiapzgjwugp
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:5160

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/fethqzabypgsytcqkccz.jqinmjugfzjojibhbwmz.tsxjdhotcktyfgqoiapzgjwugp/app_DynamicOptDex/IQm.json
    Filesize

    658KB

    MD5

    4f0ed2c40656977fa8cea45e0f351e09

    SHA1

    99dae1e4ceb6928d041695a11af394cdf5d0b1d7

    SHA256

    c5be51f04478f51cc1f997e3bb389b3faae35738890e199bccfb198df435cf81

    SHA512

    5898c5d1dc66015af97972d9a8f1801fb41e712ecfcad7007a03c82ee3e9a182d169490941ede5ee1b32405b35b028d3a6dd689b08e413f9f7ee60de871c98d1

    Download Submit

  • /data/data/fethqzabypgsytcqkccz.jqinmjugfzjojibhbwmz.tsxjdhotcktyfgqoiapzgjwugp/app_DynamicOptDex/IQm.json
    Filesize

    658KB

    MD5

    94ce26115df1664aa1adf1a05682deba

    SHA1

    bf4b0171c70ca56559bb219312bf53023cf1ad18

    SHA256

    0c03c7d4b144b7b2b95f0d5335ef4fcd5a9b8b74bb0a65f747392f9117f6afe9

    SHA512

    eefac54b5aeb6a4b629f9a925101be9a3192834a1248b3f129c6a04a9227740d0a3c4ebd98c610ddfa304ecedc4a086134d35142e80676a5b1775e2a357634b9

    Download Submit

  • /data/data/fethqzabypgsytcqkccz.jqinmjugfzjojibhbwmz.tsxjdhotcktyfgqoiapzgjwugp/app_DynamicOptDex/oat/IQm.json.cur.prof
    Filesize

    384B

    MD5

    ed00e6fe439d0008c8b5c2545614a244

    SHA1

    dd0ddb52c7d650b8d2d9dc9d0d8a520ef656138b

    SHA256

    40230821754b742ae782bfcc90485079f01ae9fe964e4a09a7bf58381a4e1fc4

    SHA512

    fe683799be4ab1ed069c70a43b8f583d00f033adb93fe5979cf5047194a385cf6d9e00a27e99a6c4f010ede4e77ca1d2efe87d38de5a6171ced27cff2b3dcfb9

    Download Submit