Analysis

  • max time kernel
    74s
  • max time network
    82s
  • platform
    android_x86
  • resource
    android-x86-arm-20240611.1-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
  • submitted
    21-06-2024 10:16

General

  • Target

    0f3c4594f761570c38484ac37c0ec52f.apk

  • Size

    1.2MB

  • MD5

    0f3c4594f761570c38484ac37c0ec52f

  • SHA1

    78f85545e92515f3b016d28df7d39828259056f0

  • SHA256

    64f9d97353ef326a58622f329097a282a5a09e0ab636136fb9cb3ab716f5664d

  • SHA512

    344acff9322a72279bb1183378feea438575cc440fc6063dde61e27dcd7fbd92ae9a76b342035e86c384350f64cdea6a33560e419e6a955d4fc51794c54d0006

  • SSDEEP

    24576:r87rfoIVzz8VMnapL2359mnHksmwZ8o4KDMsIiHsWRmGo2KPKe0:I7rfoIVcMnahkPmnHkGJ/1rHBRmGNKP8

Malware Config

Extracted

Family

alienbot

C2

http://fxancc4fp4.site

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

  • Cerberus payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests enabling of the accessibility settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests enabling of the accessibility settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4288
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/oat/x86/EaaGfe.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4345

Network

  • DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.202
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
  • DNS
    jsonplaceholder.typicode.com
    Remote address:
    1.1.1.1:53
    Request
    jsonplaceholder.typicode.com
    IN A
    Response
    jsonplaceholder.typicode.com
    IN A
    104.21.59.19
    jsonplaceholder.typicode.com
    IN A
    172.67.167.151
  • POST
    https://jsonplaceholder.typicode.com/posts
    Remote address:
    104.21.59.19:443
    Request
    POST /posts HTTP/1.1
    Content-Length: 15
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: jsonplaceholder.typicode.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 201 Created
    Date: Fri, 21 Jun 2024 10:18:34 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 40
    Connection: keep-alive
    Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1718965114&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=nUbxWfOV3zdgM3FaGk6KzvsnWSNfsbmbhjrQIBCiyBA%3D"}]}
    Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1718965114&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=nUbxWfOV3zdgM3FaGk6KzvsnWSNfsbmbhjrQIBCiyBA%3D
    Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
    X-Powered-By: Express
    X-Ratelimit-Limit: 1000
    X-Ratelimit-Remaining: 999
    X-Ratelimit-Reset: 1718965123
    Vary: Origin, X-HTTP-Method-Override, Accept-Encoding
    Access-Control-Allow-Credentials: true
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Access-Control-Expose-Headers: Location
    Location: https://jsonplaceholder.typicode.com/posts/101
    X-Content-Type-Options: nosniff
    Etag: W/"28-qTfHrE6INSRTzBnUDwZIeKeN1Wk"
    Via: 1.1 vegur
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8973415e48c106c9-LHR
    alt-svc: h3=":443"; ma=86400
  • DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.187.206
  • DNS
    fxancc4fp4.site
    Remote address:
    1.1.1.1:53
    Request
    fxancc4fp4.site
    IN A
    Response
  • 104.21.59.19:443
    https://jsonplaceholder.typicode.com/posts
    tls, http
    1.0kB
    6.7kB
    8
    9

    HTTP Request

    POST https://jsonplaceholder.typicode.com/posts

    HTTP Response

    201
  • 216.58.201.110:443
    tls, https
    858 B
    40 B
    1
    1
  • 142.250.187.206:443
    android.apis.google.com
    tls
    3.7kB
    7.7kB
    12
    18
  • 216.58.212.202:443
    semanticlocation-pa.googleapis.com
    tls, https
    1.2kB
    40 B
    1
    1
  • 224.0.0.251:5353
    3.4kB
    11
  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    288 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    142.250.187.202
    142.250.187.234
    216.58.212.202
    142.250.180.10
    142.250.200.42
    216.58.201.106
    216.58.204.74
    172.217.169.10
    142.250.200.10
    172.217.169.74
    142.250.179.234
    142.250.178.10
    172.217.16.234

  • 1.1.1.1:53
    jsonplaceholder.typicode.com
    dns
    74 B
    106 B
    1
    1

    DNS Request

    jsonplaceholder.typicode.com

    DNS Response

    104.21.59.19
    172.67.167.151

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.187.206

  • 1.1.1.1:53
    fxancc4fp4.site
    dns
    61 B
    126 B
    1
    1

    DNS Request

    fxancc4fp4.site

Downloads

  • /data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

    Filesize

    493KB

    MD5

    9d22ce43b6cd6cfadfe0a0a4ae2fa9a9

    SHA1

    ed8f4cc20b653c70d9c54a73ef0fd12b90e8cdb7

    SHA256

    0767dba685a392eb56e2e661e02223e8b9a13ef718a4503ba7f28c82f32f9c10

    SHA512

    a46cdb90ecb6fe7f038738b810f80b5480e40c3d8cb90a2f7dafb02339e40af157bb54bbad98696d95c461297a4268468f01a67f7f4ca60522c133bdd1f8bcc8

  • /data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

    Filesize

    493KB

    MD5

    84f673f013c88f1d22d4dca9a326ccc6

    SHA1

    fe3dd10e9764c70914a318374da696244c43a045

    SHA256

    e280412c1cf95ee7d90c789e8c39cd3225ee7cc9fc5732e1c0489f2a3c40f389

    SHA512

    2ca531d45906be66ef5cae426d17f42ba107e28e75c1cd176d48d4e2bd15156d2955b7488cf4ed57ef9ab013d9727ae596e7d65af845c8e0aa8527ed9a023780

  • /data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/oat/EaaGfe.json.cur.prof

    Filesize

    310B

    MD5

    c9e68dd78edf7d9061c5b9d36485273a

    SHA1

    adeb33505e0fbf428a635ae8f5646ef5e8038e5b

    SHA256

    554c067c91a83fc8b5f4fb5f3c97c7058a149577b9485170f1672b2c0b83955a

    SHA512

    1d86a9487915bbd17f06181b2eb51792d0e9bdbdfe10004605b1ead0d3f251858f66c8ca7128ad9e9e5e285bfc128031f897a9881a2fd85a04a2c6e3eb7c8fbb

  • /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json

    Filesize

    493KB

    MD5

    81b9a9ccd202d616cc329cb5a6b222f3

    SHA1

    807994666c81523d80eceff9c9808e19231647e7

    SHA256

    a4d69a170fbdd94054ee097562a933d87e59feefa702a97d9b6d1d013b369741

    SHA512

    d617f1336f3597b19f0334e96c8a6b5dc8f7a26f17c740c8afb6a49e47ca52549bb79a2df4864b3ce6d74cb079437f06417cfb84d714c162c3279980ae2c8812
