Overview

overview

10

Static

static

6

343453ab84...a7.apk

android-9-x86

10

343453ab84...a7.apk

android-10-x64

10

343453ab84...a7.apk

android-11-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    184s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240514-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
  • submitted
    17-05-2024 18:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    343453ab84e5d94e21658fd2356f30a7.apk

  • Size

    1.6MB

  • MD5

    343453ab84e5d94e21658fd2356f30a7

  • SHA1

    695508970154b12a34e32246ab2cec05a1d112a0

  • SHA256

    2a469268fb18f0b009dc5b2bdd47f9ed61f0a3a2de04ba39daccd08a13fb19b2

  • SHA512

    6fa36f56aa8b94a66a8c31c6455b3694aa1b3d04e900459647ee4311f91b604a10918547e784d69731b3b530e247f77787ea3357b63952bdf2fac9edbf7801a5

  • SSDEEP

    49152:A46DVBmTCYUHDz/H0kCPTJK5mtWH+qGUzhOY:A8JMXGq

Score
10/10
alienbotcerberusbankercollectioncredential_accessdiscoveryevasionexecutioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://skakkiopiskattkio.info/

http://adkfjsadlkgjasdlkjaslkgjargq0rg.xyz

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

    evasion
  • Removes its main activity from the application launcher 1 TTPs 10 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4568

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/CiGgst.json
    Filesize

    413KB

    MD5

    41401431ee0fc1d38608557120399ad6

    SHA1

    9393c24e5cf33782c65ab656bb0a71292ae61743

    SHA256

    696892a0692c04f7f9030e3cce5661f237bb47b5084960859011d866cce2d1cf

    SHA512

    67446267de0c3823ddbf6a3872102fe9aa976b64024919bef48a2e51c5e397253dba1125d9494e92a65fd05af3dba08a114746029113508a0afd2180ac1d8bf6

    Download Submit

  • /data/user/0/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/CiGgst.json
    Filesize

    413KB

    MD5

    fdb2f4efa95dd8b5ead7527c92f24542

    SHA1

    501f2094015b630627584daf8a3b0cb7035b5c49

    SHA256

    d341f67e2cd0a2dad1ff18b7b396356cd06854b09ae37a4d6376003332ff8c32

    SHA512

    d35478cb35a2dadd295bcb9b85807dcb1df982d737687d52475366a5262c7762c5e870b6dda8cfe0145073be74df0c48a96bd014d49c985e7029cae830208d2b

    Download Submit

  • /data/user/0/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/oat/CiGgst.json.cur.prof
    Filesize

    232B

    MD5

    7351bf31d7bd9bcc11819fedb79cf065

    SHA1

    331fe3d091a00766c4321972947093b5e44ee9b3

    SHA256

    59968c366b61880f87830d6a76722760f5ebdb24b2c8c6ec5b22685a3bf894ea

    SHA512

    a26f9d2477a8dbc5fa7ecbf31e930a34e27592b84471962d7a75f37744772ca82167c15e0ff989c61d05909e4116e906f17a75302808fb5ddb4c0c1b47380166

    Download Submit