Analysis
- max time kernel: 177s
- max time network: 132s
- platform: android_x64
- resource: android-x64-arm64-20240514-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240514-en, locale:en-us, os:android-11-x64, system
- submitted: 17-05-2024 18:22
Static task: static1
Behavioral task: behavioral1
- Sample: 45f5fa9427331e6a9d6ed2d8cdbaada5.apk
- Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
- Sample: 45f5fa9427331e6a9d6ed2d8cdbaada5.apk
- Resource: android-x64-20240514-en
Behavioral task: behavioral3
- Sample: 45f5fa9427331e6a9d6ed2d8cdbaada5.apk
- Resource: android-x64-arm64-20240514-en
General
- Target: 45f5fa9427331e6a9d6ed2d8cdbaada5.apk
- Size: 1.8MB
- MD5: 45f5fa9427331e6a9d6ed2d8cdbaada5
- SHA1: d68855d2191094dc2ee86377de2c9eec444abfa1
- SHA256: d89e08db5af347be72f1307186638aaa062a8de45a808f57dce85bc83c94059e
- SHA512: c64934792301b6a7d5c3b8f5f4606b7e6c402b275ffd23ca1cab6a9f24630f5e282bbdd11f422d304ae86be030fa3303a5222a1380d13ccd1d80d4c0bcd05912
- SSDEEP: 24576:8id2jZXHgFK7TZPMjJya1V9DYImZSKgrKEofCScnuVR/s4It0XtV/BwZLUph:8idQNAaT4V9DhxbbnuatGVwUph
Malware Config
Extracted
- Family: alienbot
- URL: http://goldegrillz.top
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Cerberus payload (1 IoCs)
- resource: behavioral3/files/fstream-2.dat
  yara_rule: family_cerberus
-
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Process: jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  Process: jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld
-
Prevents application removal (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to prevent removal.
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
  Process: jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld
- pid: 4606
  Process: jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld (listed 10 times)
-
Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
- ioc: /data/user/0/jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld/app_DynamicOptDex/gsmPAq.json
  pid: 4606
  Process: jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld
- ioc: /data/user/0/jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld/app_DynamicOptDex/gsmPAq.json
  pid: 4606
  Process: jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld
-
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
- Framework service call: android.app.IActivityManager.setServiceForeground
  Process: jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld
-
Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect account information stored on the device.
- Framework service call: android.accounts.IAccountManager.getAccountsAsUser
  Process: jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld
-
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
-
Acquires the wake lock (1 IoCs)
- Framework service call: android.os.IPowerManager.acquireWakeLock
  Process: jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld
-
Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
- Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  Process: jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld
-
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
- Framework service call: android.app.job.IJobScheduler.schedule
  Process: jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld
Processes
-
jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld (PID: 4606)
- Makes use of the framework's Accessibility service
- Prevents application removal
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Downloads
-
Filesize: 588KB
MD5: bd99865e8fb07cbaa846c2537c7bcc70
SHA1: a0a2da96e6c0662d5b62b2737fc72d894a969446
SHA256: 98d9ba93fc1eb7a6e0c91daf5f7be82df7606d99c33d120755f2a800fca686c0
SHA512: 3328304f7ddce1ead4ab3c371a99a453b602ffa4b4f8e4d4d26c2b0411a2ba8f5d03455124df198afc7b10e00d1623d0d1ade76004bebf16fdb9718709caa923
-
Filesize: 588KB
MD5: a8d288e2e22922208d29f087f2e2858e
SHA1: f5bbf2070bec032f7d0fed47fbfb970da8731506
SHA256: a401a49a5716bf0aedee4a66a3bf159184bd5ce324f08ec76ae1bbd02e2bdf6e
SHA512: e233f785acf68a30d642df74dc5ad06d743e41369d4d2c5e27bc1388659186fa9e4d88531c977c9350f41b43aea557c8d47032e69a7d8e3e6e0c15a95d2c61c4
-
/data/user/0/jqnqflkhnljnob.koikkyrhqcmk.xqqzefaodtxghxkbahtnbld/app_DynamicOptDex/oat/gsmPAq.json.cur.prof
Filesize: 340B
MD5: a13685018b7506403e5b41c032c7635a
SHA1: 3a1e5b2f7567d7e1c3f0cf8196e9265143a1abcd
SHA256: c9ae0dacc31c9d8f02b07e81b85c92034549101b1720600a4073dd7878b12964
SHA512: 037e4ef4caaf64e44f1cc6b73f061e412ece39f1ab606af0022831844b0a7d3d92ef1bda292d7360a0aed2c88736c27c8cc11a47cc0ff8771003a26df3a9379d