Analysis

  • max time kernel
    177s
  • max time network
    132s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240514-en
  • resource tags
    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240514-en, locale:en-us, os:android-11-x64, system
  • submitted
    31-05-2024 13:41

General

  • Target

    87321bfd3a2b14b47ca08886b1eb20ac_JaffaCakes118.apk

  • Size

    2.0MB

  • MD5

    87321bfd3a2b14b47ca08886b1eb20ac

  • SHA1

    e32375397d42ff740afc39530c4254f461e27c29

  • SHA256

    16b3b4b41cdb2f415c09a7c7a486f8a3542abaa6cd17a41c80ed1b1bc7a81884

  • SHA512

    2f4816bac87108293d476ea9162ae51717764cf4a2e1c3e0b699b36ed236712518b27ef726105f0bc30e18ec52acf259601936825a4499c8c0462fdb85c200f7

  • SSDEEP

    49152:2Huj6e/JwGC3Ibao3CpVwyK0eTw4ye3oSUTIeafKIen2:k8HoK0el3oH0euKX2

Malware Config

Extracted

  • Family

    alienbot

  • C2

    http://coulcoul.top/

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

  • Cerberus payload (1 IoCs)
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal (1 TTPs, 1 IoCs)

    Application may abuse the framework's APIs to prevent removal.

  • Removes its main activity from the application launcher (1 TTPs, 10 IoCs)
  • Loads dropped Dex/Jar (1 TTPs, 2 IoCs)

    Runs executable file dropped to the device during analysis.

  • Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) (1 TTPs)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  • Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4676

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/Qck.json

    Filesize

    644KB

    MD5

    a06c48fa1a586095cb9b620e0744076a

    SHA1

    b6d8b5fffc66e2f71309566c7d5d50049a061dcf

    SHA256

    f4ea9d5991935841e172af4549431c24834bb4b65cc1944f50ef5978ea35754b

    SHA512

    b2df1c74c72e29179601938f0d5f7f637a315bbf55ac262e5b49b615c5d484476d129c1210a113b914685599ec2e6e4ed10381ce86d6b42637ec3aec718d754b

  • /data/user/0/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/Qck.json

    Filesize

    644KB

    MD5

    2b2ab99c20d16510c1a007a6c4c8b74b

    SHA1

    a4e4a1bcd315fd157d1ccadd8ff34b5a1325e562

    SHA256

    0e4cd86a4e5351d1532051cd3dc479e1b618e1fc430e023bc91f873e7f0e3ace

    SHA512

    3b9cc61d67f005b5894f6d88f2ea3fb94c7f19b99a97195ef57a7ec80ec53d41f70aaba263eab86f7b8c05137e40b2ec96b3d5d82f0052e80703833253b36cbb

  • /data/user/0/tqhngfl.lyafndlhdlhcljijnmatq.fbncxwydzrpiggwiiwmarg/app_DynamicOptDex/oat/Qck.json.cur.prof

    Filesize

    333B

    MD5

    3072b53322506373af952b93073d4c4f

    SHA1

    192259a59ac96a69e28549347e50441cca05502d

    SHA256

    5a24359cd0a60a4a1b7481a2d79133f8895df1e7701270d4ad90c338f71c58d3

    SHA512

    3d703b977415068d29e469376d22130c9ca13c2a8c0c3e8b7d1972fc0e0036726f7d1fe3d281fe759f7380584e12376122df9f0d314fa6dd698dfe5ff3400a52