Analysis

  • max time kernel
    177s
  • max time network
    132s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240514-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
  • submitted
    17-05-2024 18:22

General

  • Target

    45f5fa9427331e6a9d6ed2d8cdbaada5.apk

  • Size

    1.8MB

  • MD5

    45f5fa9427331e6a9d6ed2d8cdbaada5

  • SHA1

    d68855d2191094dc2ee86377de2c9eec444abfa1

  • SHA256

    d89e08db5af347be72f1307186638aaa062a8de45a808f57dce85bc83c94059e

  • SHA512

    c64934792301b6a7d5c3b8f5f4606b7e6c402b275ffd23ca1cab6a9f24630f5e282bbdd11f422d304ae86be030fa3303a5222a1380d13ccd1d80d4c0bcd05912

  • SSDEEP

    24576:8id2jZXHgFK7TZPMjJya1V9DYImZSKgrKEofCScnuVR/s4It0XtV/BwZLUph:8idQNAaT4V9DhxbbnuatGVwUph

Malware Config

Extracted

Family

alienbot

C2

http://goldegrillz.top

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

  • Cerberus payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

  • Removes its main activity from the application launcher 1 TTPs 10 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4606

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld/app_DynamicOptDex/gsmPAq.json

    Filesize

    588KB

    MD5

    bd99865e8fb07cbaa846c2537c7bcc70

    SHA1

    a0a2da96e6c0662d5b62b2737fc72d894a969446

    SHA256

    98d9ba93fc1eb7a6e0c91daf5f7be82df7606d99c33d120755f2a800fca686c0

    SHA512

    3328304f7ddce1ead4ab3c371a99a453b602ffa4b4f8e4d4d26c2b0411a2ba8f5d03455124df198afc7b10e00d1623d0d1ade76004bebf16fdb9718709caa923

  • /data/user/0/jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld/app_DynamicOptDex/gsmPAq.json

    Filesize

    588KB

    MD5

    a8d288e2e22922208d29f087f2e2858e

    SHA1

    f5bbf2070bec032f7d0fed47fbfb970da8731506

    SHA256

    a401a49a5716bf0aedee4a66a3bf159184bd5ce324f08ec76ae1bbd02e2bdf6e

    SHA512

    e233f785acf68a30d642df74dc5ad06d743e41369d4d2c5e27bc1388659186fa9e4d88531c977c9350f41b43aea557c8d47032e69a7d8e3e6e0c15a95d2c61c4

  • /data/user/0/jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld/app_DynamicOptDex/oat/gsmPAq.json.cur.prof

    Filesize

    340B

    MD5

    a13685018b7506403e5b41c032c7635a

    SHA1

    3a1e5b2f7567d7e1c3f0cf8196e9265143a1abcd

    SHA256

    c9ae0dacc31c9d8f02b07e81b85c92034549101b1720600a4073dd7878b12964

    SHA512

    037e4ef4caaf64e44f1cc6b73f061e412ece39f1ab606af0022831844b0a7d3d92ef1bda292d7360a0aed2c88736c27c8cc11a47cc0ff8771003a26df3a9379d