Analysis
max time kernel: 177s
max time network: 131s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 31-05-2024 13:41
Static task: static1
Behavioral task: behavioral1
  Sample: 87321bfd3a2b14b47ca08886b1eb20ac_JaffaCakes118.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: 87321bfd3a2b14b47ca08886b1eb20ac_JaffaCakes118.apk
  Resource: android-x64-20240514-en
Behavioral task: behavioral3
  Sample: 87321bfd3a2b14b47ca08886b1eb20ac_JaffaCakes118.apk
  Resource: android-x64-arm64-20240514-en
General
Target: 87321bfd3a2b14b47ca08886b1eb20ac_JaffaCakes118.apk
Size: 2.0MB
MD5: 87321bfd3a2b14b47ca08886b1eb20ac
SHA1: e32375397d42ff740afc39530c4254f461e27c29
SHA256: 16b3b4b41cdb2f415c09a7c7a486f8a3542abaa6cd17a41c80ed1b1bc7a81884
SHA512: 2f4816bac87108293d476ea9162ae51717764cf4a2e1c3e0b699b36ed236712518b27ef726105f0bc30e18ec52acf259601936825a4499c8c0462fdb85c200f7
SSDEEP: 49152:2Huj6e/JwGC3Ibao3CpVwyK0eTw4ye3oSUTIeafKIen2:k8HoK0el3oH0euKX2
Malware Config
Extracted: alienbot
URL: http://coulcoul.top/
Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.

Cerberus payload (2 IoCs)
  resource: behavioral1/files/fstream-2.dat  yara_rule: family_cerberus
  resource: behavioral1/memory/4293-1.dex  yara_rule: family_cerberus
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  Process: tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  Process: tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg

Prevents application removal (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to prevent removal.
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg

  pid: 4293  Process: tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg
Checks CPU information (2 TTPs, 1 IoCs)
Checks CPU information which indicates whether the system is an emulator.
  description: File opened for read  ioc: /proc/cpuinfo  Process: tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg

Checks memory information (2 TTPs, 1 IoCs)
Checks memory information which indicates whether the system is an emulator.
  description: File opened for read  ioc: /proc/meminfo  Process: tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg
Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/Qck.json  pid: 4293  Process: tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg
  ioc: /data/user/0/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/Qck.json  pid: 4317  Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/Qck.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/oat/x86/Qck.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/Qck.json  pid: 4293  Process: tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg

Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect account information stored on the device.
  description: Framework service call  ioc: android.accounts.IAccountManager.getAccountsAsUser  Process: tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  Process: tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call  ioc: android.app.IActivityManager.registerReceiver  Process: tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  description: Intent action  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  Process: tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call  ioc: android.app.job.IJobScheduler.schedule  Process: tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg
Processes

tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg (PID: 4293)
  - Makes use of the framework's Accessibility service
  - Prevents application removal
  - Removes its main activity from the application launcher
  - Checks CPU information
  - Checks memory information
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Schedules tasks to execute at a specified time

  child: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/Qck.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/oat/x86/Qck.odex --compiler-filter=quicken --class-loader-context=& (PID: 4317)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Scheduled Task/Job (1)
Defense Evasion
  Download New Code at Runtime (1)
  Hide Artifacts (2)
    Suppress Application Icon (1)
    User Evasion (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Downloads

Filesize: 644KB
MD5: a06c48fa1a586095cb9b620e0744076a
SHA1: b6d8b5fffc66e2f71309566c7d5d50049a061dcf
SHA256: f4ea9d5991935841e172af4549431c24834bb4b65cc1944f50ef5978ea35754b
SHA512: b2df1c74c72e29179601938f0d5f7f637a315bbf55ac262e5b49b615c5d484476d129c1210a113b914685599ec2e6e4ed10381ce86d6b42637ec3aec718d754b

Filesize: 644KB
MD5: 2b2ab99c20d16510c1a007a6c4c8b74b
SHA1: a4e4a1bcd315fd157d1ccadd8ff34b5a1325e562
SHA256: 0e4cd86a4e5351d1532051cd3dc479e1b618e1fc430e023bc91f873e7f0e3ace
SHA512: 3b9cc61d67f005b5894f6d88f2ea3fb94c7f19b99a97195ef57a7ec80ec53d41f70aaba263eab86f7b8c05137e40b2ec96b3d5d82f0052e80703833253b36cbb

/data/data/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/oat/Qck.json.cur.prof
Filesize: 454B
MD5: a762c32d02f20de8ce1f640346b429b9
SHA1: b4ad429d8c6052067599767a46ff90455dceb0bf
SHA256: 939a974d5bb2d4f301eb2e93fd5c761f5ccf78bb354da6395e832ee4a8512477
SHA512: cb5d7de112fa4e6eb417d6b473c01f045ee7e1d03c715f48c90e7f94b73e8f7bc9fc7649ad36021399c34d43ae7e1627236f8f0256624f11c7e53252f2678719

Filesize: 644KB
MD5: 000e16da2d6ce05ee7aa885d8692328c
SHA1: be819676c282d612f7910086ceffee56ad7b6555
SHA256: b141a38c3182a256c37262ed57eaa12adcac27981dba372f59dd2db267d596b0
SHA512: 654db5d3c2281ddbf74ce6e508c70f024d382d7d8fa6fc4dd18bd1bccd14be1e893f560d91c9e27aba2b16fe85442283d1c4aec4978616dafe0b512c135e7a9c