Analysis
- max time kernel: 170s
- max time network: 132s
- platform: android_x64
- resource: android-x64-arm64-20240611.1-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240611.1-en, locale:en-us, os:android-11-x64, system
- submitted: 19-06-2024 07:08
Static task: static1
Behavioral task: behavioral1
- Sample: bd361bd641a75b16ae3e3ba388c3c42c_JaffaCakes118.apk
- Resource: android-x86-arm-20240611.1-en
Behavioral task: behavioral2
- Sample: bd361bd641a75b16ae3e3ba388c3c42c_JaffaCakes118.apk
- Resource: android-x64-20240611.1-en
Behavioral task: behavioral3
- Sample: bd361bd641a75b16ae3e3ba388c3c42c_JaffaCakes118.apk
- Resource: android-x64-arm64-20240611.1-en
General
- Target: bd361bd641a75b16ae3e3ba388c3c42c_JaffaCakes118.apk
- Size: 1.4MB
- MD5: bd361bd641a75b16ae3e3ba388c3c42c
- SHA1: d9518d572c576afeabc568a53e6b7daa8dee76d7
- SHA256: 7787ca51a67c54a82a6e0a0378a2df1e9c3817560838fd3fcfc87d855686ef24
- SHA512: 42889c7993f957780c3392bbd341b550a4f263bdb9976e6d143f80bc4514310b3ddbb9648c48687f90a0db9d71e9093afb1307099575bb14d574c2b2e7495363
- SSDEEP: 24576:jbgZqAMipL6u5p+Gn/fndHbB8MOIBNlLQ3w/rVd8AGdF4JWO5VB4Pr6NBGSrpcP2:ojMip3Sw/l7qwN1Q3MrjVGdF4p5VBv6I
Malware Config
Extracted
- alienbot
- http://tyrantthrone.xyz
Signatures
- Alienbot
  Alienbot is a fork of Cerberus banker first seen in January 2020.
- Cerberus payload (1 IoCs)
  resource: behavioral3/files/fstream-2.dat, yara_rule: family_cerberus
  pid: 4567, Process: ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy/app_DynamicOptDex/RbnU.json, pid: 4567, Process: ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, Process: ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, Process: ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description: Framework service call, ioc: android.accounts.IAccountManager.getAccountsAsUser, Process: ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, Process: ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, Process: ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy
- Performs UI accessibility actions on behalf of the user (1 TTPs, 2 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, Process: ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  description: Intent action, ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, Process: ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call, ioc: android.app.job.IJobScheduler.schedule, Process: ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy
Processes
- ocrgwbhbazwrwsxoi.azqajwqcdpsn.dorpbrfy (PID: 4567)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime: 1
- Foreground Persistence: 1
- Hide Artifacts: 2
- Suppress Application Icon: 1
- User Evasion: 1
- Impair Defenses: 1
- Prevent Application Removal: 1
- Input Injection: 1
Downloads