Analysis
-
max time kernel
179s -
max time network
166s -
platform
android_x64 -
resource
android-x64-20240514-en -
resource tags
-
submitted
03-06-2024 12:57
General
-
Target
8e7477bedc4719ba7e16b36d855003344822954c6963511625e6a740eea11650.apk
-
Size
662KB
-
MD5
6a006852e82627d329d50d088243158e
-
SHA1
dba0c779f195690315e45a9efc941caa0232afdb
-
SHA256
2c054cac2457e115bfd419be7ccecff5feba17a974e1a65b1b5a94129ec4d80f
-
SHA512
537e0af67153ce92a1f9016e919b57fbebe7062d1fd098c375b5a5384174f16c974cd4c489028f7ab0afefb206d5564e7b663685cbc5ef944994673a7d2b1896
-
SSDEEP
12288:FDOl+dl8W7FaigCPnOuj/8KmC/ab5KbA7criWQX2xpJd9c:FDe+UW7Fpv+KR/aVK07q/QmxpJd9c
Malware Config
Extracted
alienbot
http://0lkoypi8ckkv9e.xyz
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
-
Removes its main activity from the application launcher 1 TTPs 9 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
-
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes
-
acceptance.proof.uncertain1⤵
- Makes use of the framework's Accessibility service
- Prevents application removal
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Makes use of the framework's foreground persistence service
- Obtains sensitive information copied to the device clipboard
- Queries account information for other applications stored on the device
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1