Analysis

  • max time kernel
    169s
  • max time network
    160s
  • platform
    android_x64
  • resource
    android-x64-20240514-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240514-enlocale:en-usos:android-10-x64system
  • submitted
    17-05-2024 18:21

General

  • Target

    343453ab84e5d94e21658fd2356f30a7.apk

  • Size

    1.6MB

  • MD5

    343453ab84e5d94e21658fd2356f30a7

  • SHA1

    695508970154b12a34e32246ab2cec05a1d112a0

  • SHA256

    2a469268fb18f0b009dc5b2bdd47f9ed61f0a3a2de04ba39daccd08a13fb19b2

  • SHA512

    6fa36f56aa8b94a66a8c31c6455b3694aa1b3d04e900459647ee4311f91b604a10918547e784d69731b3b530e247f77787ea3357b63952bdf2fac9edbf7801a5

  • SSDEEP

    49152:A46DVBmTCYUHDz/H0kCPTJK5mtWH+qGUzhOY:A8JMXGq

Malware Config

Extracted

Family

alienbot

C2

http://skakkiopiskattkio.info/

http://adkfjsadlkgjasdlkjaslkgjargq0rg.xyz

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

  • Cerberus payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

  • Removes its main activity from the application launcher 1 TTPs 5 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:5177

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/CiGgst.json

    Filesize

    413KB

    MD5

    41401431ee0fc1d38608557120399ad6

    SHA1

    9393c24e5cf33782c65ab656bb0a71292ae61743

    SHA256

    696892a0692c04f7f9030e3cce5661f237bb47b5084960859011d866cce2d1cf

    SHA512

    67446267de0c3823ddbf6a3872102fe9aa976b64024919bef48a2e51c5e397253dba1125d9494e92a65fd05af3dba08a114746029113508a0afd2180ac1d8bf6

  • /data/data/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/CiGgst.json

    Filesize

    413KB

    MD5

    fdb2f4efa95dd8b5ead7527c92f24542

    SHA1

    501f2094015b630627584daf8a3b0cb7035b5c49

    SHA256

    d341f67e2cd0a2dad1ff18b7b396356cd06854b09ae37a4d6376003332ff8c32

    SHA512

    d35478cb35a2dadd295bcb9b85807dcb1df982d737687d52475366a5262c7762c5e870b6dda8cfe0145073be74df0c48a96bd014d49c985e7029cae830208d2b

  • /data/data/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/oat/CiGgst.json.cur.prof

    Filesize

    259B

    MD5

    b0261424c7d0719e9cd55f1ec3b042ea

    SHA1

    3b54988cf48beb974c6682bf64110d251458055b

    SHA256

    096f80925bf346d4a1a3d34c3998350ad0b4d6a98e9b1e28c98e23a26384e98c

    SHA512

    27e60c99dcc6c269813ab4ce95ea8c0edb80aeef8575fcb6d4eab7124cab854b224842da1a143a5b390ac8ba89929d547fcf8484eb48e71aa901b5a3192d8147