Overview

overview

10

Static

static

6

292c9e26ff...18.apk

android-9-x86

10

292c9e26ff...18.apk

android-10-x64

10

292c9e26ff...18.apk

android-11-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    146s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240506-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240506-enlocale:en-usos:android-11-x64system
  • submitted
    09-05-2024 08:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    292c9e26ffe79e019bb67c1a4cf53d77_JaffaCakes118.apk

  • Size

    1.5MB

  • MD5

    292c9e26ffe79e019bb67c1a4cf53d77

  • SHA1

    65c4ce134b9221c59a923f3c5f06cad528edb0fd

  • SHA256

    7c834908030f6884afde99b50812f20ccd5253ae1df1d9370a2d0a201014af0b

  • SHA512

    4d863adc866d9f07c51310f3f651ac3d0bf144708addf9aa04f5aa005901eb9a5553c20aa21e12de17f6b250d15933f3897e5b59cc402b153d0095fec82bb898

  • SSDEEP

    49152:s19qhTFjJ0xVdY4s8ssR4aL/7AJNbNWjGOWn:A9qhT9JwdYl8svaL/7ADTln

Score
10/10
alienbotcerberusbankercollectioncredential_accessdiscoveryevasionexecutioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://odry.london

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

    evasion
  • Removes its main activity from the application launcher 1 TTPs 3 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • fethqzabypgsytcqkccz.jqinmjugfzjojibhbwmz.tsxjdhotcktyfgqoiapzgjwugp
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4876

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/fethqzabypgsytcqkccz.jqinmjugfzjojibhbwmz.tsxjdhotcktyfgqoiapzgjwugp/app_DynamicOptDex/IQm.json
    Filesize

    658KB

    MD5

    4f0ed2c40656977fa8cea45e0f351e09

    SHA1

    99dae1e4ceb6928d041695a11af394cdf5d0b1d7

    SHA256

    c5be51f04478f51cc1f997e3bb389b3faae35738890e199bccfb198df435cf81

    SHA512

    5898c5d1dc66015af97972d9a8f1801fb41e712ecfcad7007a03c82ee3e9a182d169490941ede5ee1b32405b35b028d3a6dd689b08e413f9f7ee60de871c98d1

    Download Submit

  • /data/user/0/fethqzabypgsytcqkccz.jqinmjugfzjojibhbwmz.tsxjdhotcktyfgqoiapzgjwugp/app_DynamicOptDex/IQm.json
    Filesize

    658KB

    MD5

    94ce26115df1664aa1adf1a05682deba

    SHA1

    bf4b0171c70ca56559bb219312bf53023cf1ad18

    SHA256

    0c03c7d4b144b7b2b95f0d5335ef4fcd5a9b8b74bb0a65f747392f9117f6afe9

    SHA512

    eefac54b5aeb6a4b629f9a925101be9a3192834a1248b3f129c6a04a9227740d0a3c4ebd98c610ddfa304ecedc4a086134d35142e80676a5b1775e2a357634b9

    Download Submit

  • /data/user/0/fethqzabypgsytcqkccz.jqinmjugfzjojibhbwmz.tsxjdhotcktyfgqoiapzgjwugp/app_DynamicOptDex/oat/IQm.json.cur.prof
    Filesize

    309B

    MD5

    ae647ee622b825dcaa0d25a8f7101ca9

    SHA1

    0d3598536a797a1aff75b7c6bbb6845a8ea282a2

    SHA256

    c934557eb4210ffb5b7f36fe5dc3777df954ebcd4a9d7d2b82e8fc5b8dd69a79

    SHA512

    a008bede856b317d10bc2f3a6d544d82e3be34071c730522c4068a1f5094123a148b1532f2173ed60ebc74ba1c649990be13ec160a11cad5f59c12f4e813acd1

    Download Submit