Analysis
-
max time kernel
175s -
max time network
183s -
platform
android_x64 -
resource
android-x64-arm64-20240514-en -
resource tags
-
submitted
24-05-2024 23:06
General
-
Target
7017aa9e98dde58decb20cf282f41966_JaffaCakes118.apk
-
Size
1.6MB
-
MD5
7017aa9e98dde58decb20cf282f41966
-
SHA1
f7886adbeeee400405190bc8f1138f0251da6772
-
SHA256
d3aa03c40cee78be1d0c6d3276f25d6ace02a8002b52b4a150cab2b8678642e7
-
SHA512
dcca64f26967aee98ac362d95f66ca2c428f0c48cb2e6b038d4d255375b8bc31f1ee8801355d1adf6f49dd05bf870d8106badae3378c81b2572f7809eda2646b
-
SSDEEP
49152:JybHTQZnRJbO2t2YBjcLiDdE4C1W6r/ArsFMjL9:EbH2RZOjViDdE91WO/cuMv9
Malware Config
Extracted
alienbot
http://binsletr.net/
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Cerberus payload 1 IoCs
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
-
Removes its main activity from the application launcher 1 TTPs 10 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes
-
xytdg.jskjrldzqhcyz.snozwrglkzgz1⤵
- Makes use of the framework's Accessibility service
- Prevents application removal
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/user/0/xytdg.jskjrldzqhcyz.snozwrglkzgz/app_DynamicOptDex/ZBQdKM.jsonFilesize
704KB
MD59551a1c75fba71bfadc181141a5c8600
SHA1121a931b4faf36dbf39be2fee9ef1155c0d0393a
SHA256581c29cbb0ad738578bcd537c9c1f81bdad24c68e6053e70108df753efa12afa
SHA51270a84e7c908e7fcd1114b6961c7ba6a52045dbb8e290cec9d7b63d788ca3e481f3c91f16dffde95600a96eeb8625d4ff7b5f7040013acee7dcf6aaf82443a6bf
-
/data/user/0/xytdg.jskjrldzqhcyz.snozwrglkzgz/app_DynamicOptDex/ZBQdKM.jsonFilesize
704KB
MD54054b191907ae1057c5cd3c0fd5685fe
SHA1814872e52d98b24f34dbf1761e3ba11ca65e1383
SHA256e12823ef26ffba5e1e04f08648ff9cd099215d6bceacbd824d7c42a4e3a6d063
SHA51270b2de00d4bb0455d273cc64ac643b9222cc0be30437ecea1f046155cdfc119e37d7070ed270f571c872f032d5f681d3235c56f347de24984da9835be43137d6
-
/data/user/0/xytdg.jskjrldzqhcyz.snozwrglkzgz/app_DynamicOptDex/oat/ZBQdKM.json.cur.profFilesize
374B
MD5dbeee632024b8bd68c6efb5ab0881d4b
SHA12e2da847617ea5fa12fc01e0b0171eb37bf4aa63
SHA256c49091fdf28ace39bfddde2666ab76db8b15e05bffeea68b87d1a11224013423
SHA512b78562ac389158750775aaa3658fbc1080a63e4dd52145e6dc6c7ba2cc04c97936683d5b734d5e6381cb651f7746e5be0e75a22011caa62b892cf4d403da93af