Analysis
-
max time kernel
74s -
max time network
82s -
platform
android_x86 -
resource
android-x86-arm-20240611.1-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system -
submitted
21-06-2024 10:16
Static task
static1
Behavioral task
behavioral1
Sample
0f3c4594f761570c38484ac37c0ec52f.apk
Resource
android-x86-arm-20240611.1-en
Behavioral task
behavioral2
Sample
0f3c4594f761570c38484ac37c0ec52f.apk
Resource
android-x64-20240611.1-en
Behavioral task
behavioral3
Sample
0f3c4594f761570c38484ac37c0ec52f.apk
Resource
android-x64-arm64-20240611.1-en
General
-
Target
0f3c4594f761570c38484ac37c0ec52f.apk
-
Size
1.2MB
-
MD5
0f3c4594f761570c38484ac37c0ec52f
-
SHA1
78f85545e92515f3b016d28df7d39828259056f0
-
SHA256
64f9d97353ef326a58622f329097a282a5a09e0ab636136fb9cb3ab716f5664d
-
SHA512
344acff9322a72279bb1183378feea438575cc440fc6063dde61e27dcd7fbd92ae9a76b342035e86c384350f64cdea6a33560e419e6a955d4fc51794c54d0006
-
SSDEEP
24576:r87rfoIVzz8VMnapL2359mnHksmwZ8o4KDMsIiHsWRmGo2KPKe0:I7rfoIVcMnahkPmnHkGJ/1rHBRmGNKP8
Malware Config
Extracted
alienbot
http://fxancc4fp4.site
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Cerberus payload 2 IoCs
resource yara_rule behavioral1/files/fstream-2.dat family_cerberus behavioral1/memory/4288-1.dex family_cerberus -
pid Process 4288 xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht -
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json 4288 xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json 4345 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/oat/x86/EaaGfe.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json 4288 xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht -
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description ioc Process Framework service call android.accounts.IAccountManager.getAccountsAsUser xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht -
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht -
Requests enabling of the accessibility settings. 1 IoCs
description ioc Process Intent action android.settings.ACCESSIBILITY_SETTINGS xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht
Processes
-
xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4288 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/oat/x86/EaaGfe.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4345
-
Network
-
Remote address:1.1.1.1:53Requestsemanticlocation-pa.googleapis.comIN AResponsesemanticlocation-pa.googleapis.comIN A142.250.187.202semanticlocation-pa.googleapis.comIN A142.250.187.234semanticlocation-pa.googleapis.comIN A216.58.212.202semanticlocation-pa.googleapis.comIN A142.250.180.10semanticlocation-pa.googleapis.comIN A142.250.200.42semanticlocation-pa.googleapis.comIN A216.58.201.106semanticlocation-pa.googleapis.comIN A216.58.204.74semanticlocation-pa.googleapis.comIN A172.217.169.10semanticlocation-pa.googleapis.comIN A142.250.200.10semanticlocation-pa.googleapis.comIN A172.217.169.74semanticlocation-pa.googleapis.comIN A142.250.179.234semanticlocation-pa.googleapis.comIN A142.250.178.10semanticlocation-pa.googleapis.comIN A172.217.16.234
-
Remote address:1.1.1.1:53Requestjsonplaceholder.typicode.comIN AResponsejsonplaceholder.typicode.comIN A104.21.59.19jsonplaceholder.typicode.comIN A172.67.167.151
-
Remote address:104.21.59.19:443RequestPOST /posts HTTP/1.1
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
Host: jsonplaceholder.typicode.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 201 Created
Content-Type: application/json; charset=utf-8
Content-Length: 40
Connection: keep-alive
Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1718965114&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=nUbxWfOV3zdgM3FaGk6KzvsnWSNfsbmbhjrQIBCiyBA%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1718965114&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=nUbxWfOV3zdgM3FaGk6KzvsnWSNfsbmbhjrQIBCiyBA%3D
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
X-Powered-By: Express
X-Ratelimit-Limit: 1000
X-Ratelimit-Remaining: 999
X-Ratelimit-Reset: 1718965123
Vary: Origin, X-HTTP-Method-Override, Accept-Encoding
Access-Control-Allow-Credentials: true
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Access-Control-Expose-Headers: Location
Location: https://jsonplaceholder.typicode.com/posts/101
X-Content-Type-Options: nosniff
Etag: W/"28-qTfHrE6INSRTzBnUDwZIeKeN1Wk"
Via: 1.1 vegur
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8973415e48c106c9-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:1.1.1.1:53Requestandroid.apis.google.comIN AResponseandroid.apis.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A142.250.187.206
-
Remote address:1.1.1.1:53Requestfxancc4fp4.siteIN AResponse
-
1.0kB 6.7kB 8 9
HTTP Request
POST https://jsonplaceholder.typicode.com/postsHTTP Response
201 -
858 B 40 B 1 1
-
3.7kB 7.7kB 12 18
-
1.2kB 40 B 1 1
-
3.4kB 11
-
80 B 288 B 1 1
DNS Request
semanticlocation-pa.googleapis.com
DNS Response
142.250.187.202142.250.187.234216.58.212.202142.250.180.10142.250.200.42216.58.201.106216.58.204.74172.217.169.10142.250.200.10172.217.169.74142.250.179.234142.250.178.10172.217.16.234
-
74 B 106 B 1 1
DNS Request
jsonplaceholder.typicode.com
DNS Response
104.21.59.19172.67.167.151
-
69 B 109 B 1 1
DNS Request
android.apis.google.com
DNS Response
142.250.187.206
-
61 B 126 B 1 1
DNS Request
fxancc4fp4.site
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json
Filesize493KB
MD59d22ce43b6cd6cfadfe0a0a4ae2fa9a9
SHA1ed8f4cc20b653c70d9c54a73ef0fd12b90e8cdb7
SHA2560767dba685a392eb56e2e661e02223e8b9a13ef718a4503ba7f28c82f32f9c10
SHA512a46cdb90ecb6fe7f038738b810f80b5480e40c3d8cb90a2f7dafb02339e40af157bb54bbad98696d95c461297a4268468f01a67f7f4ca60522c133bdd1f8bcc8
-
/data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json
Filesize493KB
MD584f673f013c88f1d22d4dca9a326ccc6
SHA1fe3dd10e9764c70914a318374da696244c43a045
SHA256e280412c1cf95ee7d90c789e8c39cd3225ee7cc9fc5732e1c0489f2a3c40f389
SHA5122ca531d45906be66ef5cae426d17f42ba107e28e75c1cd176d48d4e2bd15156d2955b7488cf4ed57ef9ab013d9727ae596e7d65af845c8e0aa8527ed9a023780
-
/data/data/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/oat/EaaGfe.json.cur.prof
Filesize310B
MD5c9e68dd78edf7d9061c5b9d36485273a
SHA1adeb33505e0fbf428a635ae8f5646ef5e8038e5b
SHA256554c067c91a83fc8b5f4fb5f3c97c7058a149577b9485170f1672b2c0b83955a
SHA5121d86a9487915bbd17f06181b2eb51792d0e9bdbdfe10004605b1ead0d3f251858f66c8ca7128ad9e9e5e285bfc128031f897a9881a2fd85a04a2c6e3eb7c8fbb
-
/data/user/0/xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht/app_DynamicOptDex/EaaGfe.json
Filesize493KB
MD581b9a9ccd202d616cc329cb5a6b222f3
SHA1807994666c81523d80eceff9c9808e19231647e7
SHA256a4d69a170fbdd94054ee097562a933d87e59feefa702a97d9b6d1d013b369741
SHA512d617f1336f3597b19f0334e96c8a6b5dc8f7a26f17c740c8afb6a49e47ca52549bb79a2df4864b3ce6d74cb079437f06417cfb84d714c162c3279980ae2c8812