Analysis
-
max time kernel
169s -
max time network
160s -
platform
android_x64 -
resource
android-x64-20240514-en -
resource tags
android, arch:x64, arch:x86, image:android-x64-20240514-en, locale:en-us, os:android-10-x64, system -
submitted
17-05-2024 18:21
Static task
static1
Behavioral task
behavioral1
Sample
343453ab84e5d94e21658fd2356f30a7.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
343453ab84e5d94e21658fd2356f30a7.apk
Resource
android-x64-20240514-en
Behavioral task
behavioral3
Sample
343453ab84e5d94e21658fd2356f30a7.apk
Resource
android-x64-arm64-20240514-en
General
-
Target
343453ab84e5d94e21658fd2356f30a7.apk
-
Size
1.6MB
-
MD5
343453ab84e5d94e21658fd2356f30a7
-
SHA1
695508970154b12a34e32246ab2cec05a1d112a0
-
SHA256
2a469268fb18f0b009dc5b2bdd47f9ed61f0a3a2de04ba39daccd08a13fb19b2
-
SHA512
6fa36f56aa8b94a66a8c31c6455b3694aa1b3d04e900459647ee4311f91b604a10918547e784d69731b3b530e247f77787ea3357b63952bdf2fac9edbf7801a5
-
SSDEEP
49152:A46DVBmTCYUHDz/H0kCPTJK5mtWH+qGUzhOY:A8JMXGq
Malware Config
Extracted
alienbot
http://skakkiopiskattkio.info/
http://adkfjsadlkgjasdlkjaslkgjargq0rg.xyz
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Cerberus payload 1 IoCs
Resource: behavioral2/files/fstream-2.dat
YARA rule: family_cerberus -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Framework service calls (process kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw):
- android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
- android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId -
Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal (here by calling performGlobalAction from its accessibility service, which lets it dismiss the uninstall or settings screen).
Framework service call (process kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw):
- android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction -
Removes its main activity from the application launcher 1 TTPs 5 IoCs
PID 5177, process kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw (5 hits) -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Dropped file loaded (PID 5177, process kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw, 2 hits):
- /data/user/0/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/CiGgst.json -
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
Framework service call (process kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw):
- android.accounts.IAccountManager.getAccountsAsUser -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Framework service call (process kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw):
- android.app.IActivityManager.registerReceiver -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Framework service call (process kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw):
- android.app.job.IJobScheduler.schedule
Processes
-
kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw
- Makes use of the framework's Accessibility service
- Prevents application removal
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:5177
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (1): Suppress Application Icon (1)
- Impair Defenses (1): Prevent Application Removal (1)
- Input Injection (1)
Downloads
-
Filesize 413KB
MD5 41401431ee0fc1d38608557120399ad6
SHA1 9393c24e5cf33782c65ab656bb0a71292ae61743
SHA256 696892a0692c04f7f9030e3cce5661f237bb47b5084960859011d866cce2d1cf
SHA512 67446267de0c3823ddbf6a3872102fe9aa976b64024919bef48a2e51c5e397253dba1125d9494e92a65fd05af3dba08a114746029113508a0afd2180ac1d8bf6
-
Filesize 413KB
MD5 fdb2f4efa95dd8b5ead7527c92f24542
SHA1 501f2094015b630627584daf8a3b0cb7035b5c49
SHA256 d341f67e2cd0a2dad1ff18b7b396356cd06854b09ae37a4d6376003332ff8c32
SHA512 d35478cb35a2dadd295bcb9b85807dcb1df982d737687d52475366a5262c7762c5e870b6dda8cfe0145073be74df0c48a96bd014d49c985e7029cae830208d2b
-
/data/data/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/oat/CiGgst.json.cur.prof
Filesize 259B
MD5 b0261424c7d0719e9cd55f1ec3b042ea
SHA1 3b54988cf48beb974c6682bf64110d251458055b
SHA256 096f80925bf346d4a1a3d34c3998350ad0b4d6a98e9b1e28c98e23a26384e98c
SHA512 27e60c99dcc6c269813ab4ce95ea8c0edb80aeef8575fcb6d4eab7124cab854b224842da1a143a5b390ac8ba89929d547fcf8484eb48e71aa901b5a3192d8147
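Triage helper built from the indicators above (the C2 hosts from the Malware Config, the package name, the SHA256 values from General and Downloads, and the app_DynamicOptDex/*.json drop path). This is added example code, not part of the sandbox report. It assumes the responder has a directory that mirrors the device's /data tree (a pull via adb or a forensic image) plus DNS/proxy log lines; the log lines and the dump are constructed here so it runs offline. The "DEX under a .json name" check is an assumption drawn from the Loads dropped Dex/Jar signature: the report does not show the file's bytes, so the check reads the DEX magic instead of trusting the extension.

```python
"""Added triage helper: checks a device file dump and network log lines
against the indicators in this report. Example code, not from the report."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Indicators copied from the report.
PACKAGE = "kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw"
C2_HOSTS = {"skakkiopiskattkio.info", "adkfjsadlkgjasdlkjaslkgjargq0rg.xyz"}
SHA256_IOCS = {
    "2a469268fb18f0b009dc5b2bdd47f9ed61f0a3a2de04ba39daccd08a13fb19b2",  # submitted APK
    "696892a0692c04f7f9030e3cce5661f237bb47b5084960859011d866cce2d1cf",  # download, 413KB
    "d341f67e2cd0a2dad1ff18b7b396356cd06854b09ae37a4d6376003332ff8c32",  # download, 413KB
}
DROP_DIR = "app_DynamicOptDex"   # directory the dropped CiGgst.json was loaded from
DEX_MAGIC = b"dex\n"             # every DEX file starts with "dex\n" + 3-digit version + NUL
HOST_RE = re.compile(r"https?://([^/:\s]+)", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # hash_match | dex_as_json | package_present | c2_host
    where: str   # relative file path or the raw log line
    detail: str


def hash_file(path: str, algo: str = "sha256") -> str:
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def dex_masquerading_as_json(path: str) -> bool:
    """Assumption: the dropped '.json' is really DEX; decide by magic, not by name."""
    if not path.lower().endswith(".json"):
        return False
    with open(path, "rb") as f:
        return f.read(4) == DEX_MAGIC


def scan_dump(root: str, hash_iocs=SHA256_IOCS) -> list:
    """Walk a directory that mirrors the device's /data tree and collect findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = hash_file(path)
            if digest in hash_iocs:
                findings.append(Finding("hash_match", rel, digest))
            if dex_masquerading_as_json(path):
                findings.append(Finding("dex_as_json", rel, "DEX magic under a .json name"))
            if f"/{PACKAGE}/" in f"/{rel}":
                findings.append(Finding("package_present", rel, PACKAGE))
    return findings


def scan_network_lines(lines, hosts=C2_HOSTS) -> list:
    """Match DNS/proxy log lines against the C2 hosts, exact or as a subdomain."""
    findings = []
    for line in lines:
        candidates = set(HOST_RE.findall(line)) | set(line.split())
        for cand in candidates:
            h = cand.lower().rstrip(".")
            if h in hosts or any(h.endswith("." + c) for c in hosts):
                findings.append(Finding("c2_host", line.strip(), h))
                break
    return findings


# Constructed sample log lines; not taken from the report's network capture.
SAMPLE_LOG = [
    "2024-05-17T18:22:01Z dns query A skakkiopiskattkio.info from 10.0.0.5",
    "2024-05-17T18:22:03Z proxy GET http://adkfjsadlkgjasdlkjaslkgjargq0rg.xyz/ 200",
    "2024-05-17T18:22:04Z dns query A connectivitycheck.gstatic.com from 10.0.0.5",
]


def build_sample_dump() -> str:
    """Constructed dump: the report's drop path holding a file with only a DEX header."""
    root = tempfile.mkdtemp(prefix="alienbot_dump_")
    drop = os.path.join(root, "data", "user", "0", PACKAGE, DROP_DIR)
    os.makedirs(drop)
    with open(os.path.join(drop, "CiGgst.json"), "wb") as f:
        f.write(DEX_MAGIC + b"035\x00" + b"\x00" * 64)  # header only, not the real payload
    return root


if __name__ == "__main__":
    root = build_sample_dump()
    for fnd in scan_dump(root) + scan_network_lines(SAMPLE_LOG):
        print(f"{fnd.kind:16} {fnd.where}  {fnd.detail}")
```

The hash match is the weakest of the four checks: the two 413KB downloads are second-stage payloads that a live C2 can rotate, so on a real device the package name, the DEX-behind-.json drop and the C2 hosts will usually fire before any hash does.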