Analysis

  • max time kernel
    177s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
  • submitted
    31-05-2024 13:41

General

  • Target

    87321bfd3a2b14b47ca08886b1eb20ac_JaffaCakes118.apk

  • Size

    2.0MB

  • MD5

    87321bfd3a2b14b47ca08886b1eb20ac

  • SHA1

    e32375397d42ff740afc39530c4254f461e27c29

  • SHA256

    16b3b4b41cdb2f415c09a7c7a486f8a3542abaa6cd17a41c80ed1b1bc7a81884

  • SHA512

    2f4816bac87108293d476ea9162ae51717764cf4a2e1c3e0b699b36ed236712518b27ef726105f0bc30e18ec52acf259601936825a4499c8c0462fdb85c200f7

  • SSDEEP

    49152:2Huj6e/JwGC3Ibao3CpVwyK0eTw4ye3oSUTIeafKIen2:k8HoK0el3oH0euKX2

Malware Config

Extracted

Family

alienbot

C2

http://coulcoul.top/

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

  • Cerberus payload 2 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information which indicate if the system is an emulator.

  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information which indicate if the system is an emulator.

  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4293
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/Qck.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/oat/x86/Qck.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4317

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/Qck.json

    Filesize

    644KB

    MD5

    a06c48fa1a586095cb9b620e0744076a

    SHA1

    b6d8b5fffc66e2f71309566c7d5d50049a061dcf

    SHA256

    f4ea9d5991935841e172af4549431c24834bb4b65cc1944f50ef5978ea35754b

    SHA512

    b2df1c74c72e29179601938f0d5f7f637a315bbf55ac262e5b49b615c5d484476d129c1210a113b914685599ec2e6e4ed10381ce86d6b42637ec3aec718d754b

  • /data/data/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/Qck.json

    Filesize

    644KB

    MD5

    2b2ab99c20d16510c1a007a6c4c8b74b

    SHA1

    a4e4a1bcd315fd157d1ccadd8ff34b5a1325e562

    SHA256

    0e4cd86a4e5351d1532051cd3dc479e1b618e1fc430e023bc91f873e7f0e3ace

    SHA512

    3b9cc61d67f005b5894f6d88f2ea3fb94c7f19b99a97195ef57a7ec80ec53d41f70aaba263eab86f7b8c05137e40b2ec96b3d5d82f0052e80703833253b36cbb

  • /data/data/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/oat/Qck.json.cur.prof

    Filesize

    454B

    MD5

    a762c32d02f20de8ce1f640346b429b9

    SHA1

    b4ad429d8c6052067599767a46ff90455dceb0bf

    SHA256

    939a974d5bb2d4f301eb2e93fd5c761f5ccf78bb354da6395e832ee4a8512477

    SHA512

    cb5d7de112fa4e6eb417d6b473c01f045ee7e1d03c715f48c90e7f94b73e8f7bc9fc7649ad36021399c34d43ae7e1627236f8f0256624f11c7e53252f2678719

  • /data/user/0/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/Qck.json

    Filesize

    644KB

    MD5

    000e16da2d6ce05ee7aa885d8692328c

    SHA1

    be819676c282d612f7910086ceffee56ad7b6555

    SHA256

    b141a38c3182a256c37262ed57eaa12adcac27981dba372f59dd2db267d596b0

    SHA512

    654db5d3c2281ddbf74ce6e508c70f024d382d7d8fa6fc4dd18bd1bccd14be1e893f560d91c9e27aba2b16fe85442283d1c4aec4978616dafe0b512c135e7a9c