Analysis
max time kernel: 174s
max time network: 149s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 09-07-2024 01:28
Static task: static1
Behavioral task: behavioral1
  Sample: 2e87bd0a77bfdf78ff50634b0ec1c7ae_JaffaCakes118.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 2e87bd0a77bfdf78ff50634b0ec1c7ae_JaffaCakes118.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 2e87bd0a77bfdf78ff50634b0ec1c7ae_JaffaCakes118.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 2e87bd0a77bfdf78ff50634b0ec1c7ae_JaffaCakes118.apk
Size: 2.5MB
MD5: 2e87bd0a77bfdf78ff50634b0ec1c7ae
SHA1: bad2213ebcc52dfaf7f1d7ce9a383f9e2839b3be
SHA256: 4170716a6c14eb2d60318a3d383d702899d015c343d0039ca0d061e330942a90
SHA512: cd398927fff7de44291be8cce05890c3c462e994608e6cf62deaa170e45a14662d656bbcc3080b4c786443f2308c1e1f2ba8900f5e234d8b89bf019e50c7537b
SSDEEP: 49152:K1eNpbCI/Fn2JYivBGT8ltRwHnS4Gz9TL16o8TI:K1ClFSlBGT2tyHSVhLV8TI
Malware Config
Extracted
Family: alienbot
C2: http://allahiniyerimm55.com
Signatures

Alienbot
Alienbot is a fork of the Cerberus banker, first seen in January 2020.
Cerberus payload (1 IoC)
  yara rule: family_cerberus
  resource: /data/user/0/verify.delay.attract/app_DynamicOptDex/xJ.json
  process: verify.delay.attract (PID 4504)
Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/verify.delay.attract/app_DynamicOptDex/xJ.json (2 hits)
  process: verify.delay.attract (PID 4504)
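The dropped payload above is a dex file stored under a `.json` name in the app's private `app_DynamicOptDex` directory, which is why it only shows up once the class loader touches it. The following script is an added triage example, not part of the sandbox or of the sample: it classifies dropped files by content rather than extension (raw dex magic, or a zip/jar carrying `classes*.dex`), validates the dex header's declared size and adler32 checksum, and flags anything executable that hides behind a non-code extension. The file contents, the `cache/upd.png` and `files/config.json` paths, and the fake dex header are constructed here so it runs offline; only the `xJ.json` path comes from the report.

```python
"""Triage helper for 'Loads dropped Dex/Jar' findings (added example, constructed inputs)."""
import hashlib
import io
import os
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n"      # full magic is b"dex\n" + 3-digit version + b"\x00", e.g. "dex\n035\0"
ZIP_MAGIC = b"PK\x03\x04"
HEADER_SIZE = 0x70        # fixed size of a dex header
# Extensions an Android class loader is normally handed; dex content under any
# other extension is the disguise seen in this report (xJ.json).
CODE_EXTENSIONS = {".dex", ".jar", ".apk", ".zip"}


def classify_payload(data: bytes) -> str:
    """Classify by content only: 'dex', 'zip-with-dex', 'zip' or 'other'."""
    if data[:4] == DEX_MAGIC and len(data) >= 8 and data[7:8] == b"\x00":
        return "dex"
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        # multidex jars/apks carry classes.dex, classes2.dex, ...
        if any(n.startswith("classes") and n.endswith(".dex") for n in names):
            return "zip-with-dex"
        return "zip"
    return "other"


def dex_header_info(data: bytes) -> dict:
    """Parse the header fields needed to sanity-check a dropped dex file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a dex header")
    checksum = struct.unpack_from("<I", data, 8)[0]        # adler32 field
    declared_size = struct.unpack_from("<I", data, 32)[0]  # file_size field
    return {
        "version": data[4:7].decode("ascii"),
        "declared_size": declared_size,
        "size_matches": declared_size == len(data),
        # the adler32 covers everything after the checksum field itself
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
    }


def flag_dropped_payload(path: str, data: bytes) -> dict:
    """Hash and classify one file; 'disguised' means executable content under a non-code name."""
    kind = classify_payload(data)
    ext = os.path.splitext(path)[1].lower()
    info = {
        "path": path,
        "sha256": hashlib.sha256(data).hexdigest(),
        "kind": kind,
        "disguised": kind in ("dex", "zip-with-dex") and ext not in CODE_EXTENSIONS,
    }
    if kind == "dex":
        info["header"] = dex_header_info(data)
    return info


def build_fake_dex(version: bytes = b"035") -> bytes:
    """Constructed header-only dex with a consistent file_size and adler32 (no real code)."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = DEX_MAGIC + version + b"\x00"
    # bytes 12..32 (SHA-1 signature) left zero; checksum at 8..12 filled last
    struct.pack_into("<I", hdr, 32, HEADER_SIZE)   # file_size
    struct.pack_into("<I", hdr, 36, HEADER_SIZE)   # header_size
    struct.pack_into("<I", hdr, 40, 0x12345678)    # endian_tag (little-endian constant)
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)


def constructed_samples() -> dict:
    """Constructed stand-ins for files pulled from the device's /data/user/0 tree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", build_fake_dex())
    return {
        # the report's path: dex content behind a .json name
        "/data/user/0/verify.delay.attract/app_DynamicOptDex/xJ.json": build_fake_dex(),
        # hypothetical: a jar-style payload behind an image name
        "/data/user/0/verify.delay.attract/cache/upd.png": buf.getvalue(),
        # hypothetical: a genuine JSON file, must not be flagged
        "/data/user/0/verify.delay.attract/files/config.json": b'{"ok": true}',
    }


if __name__ == "__main__":
    for path, data in constructed_samples().items():
        r = flag_dropped_payload(path, data)
        print(f"{'DISGUISED' if r['disguised'] else 'ok':9} {r['kind']:13} {r['sha256'][:16]}  {path}")
```

Run it against a directory pulled with `adb pull` (root or a backup is needed for `/data/user/0`) and sort on the `disguised` flag; a dex whose header checksum or declared size does not match has either been truncated on the way out or is decrypted in memory and written back, both of which are worth a second look.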
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (verify.delay.attract)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (verify.delay.attract)
Queries account information for other applications stored on the device (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect account information stored on the device.
  Framework service call: android.accounts.IAccountManager.getAccountsAsUser (verify.delay.attract)
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Acquires the wake lock (1 IoC)
  Framework service call: android.os.IPowerManager.acquireWakeLock (verify.delay.attract)
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground (verify.delay.attract)
Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)
Application may abuse the accessibility service to prevent its own removal.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (verify.delay.attract)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (verify.delay.attract)
Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (verify.delay.attract)
Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Framework service call: android.app.job.IJobScheduler.schedule (verify.delay.attract)
Processes
verify.delay.attract (PID 4504)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (2)
    Suppress Application Icon (1)
    User Evasion (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
Downloads
-
Filesize: 343B
MD5: bad1ed13acc90088b9dade45d679f3f7
SHA1: a91655bc39500194595e87c3c70ff7eee6d20a33
SHA256: f6bfeb4dd913f7b98c4327e84542149e1caca4afd4464fb16b72df64a09d2907
SHA512: aff69b3d56b2a9f8b70628b11c974eed5e370a3d795bd3f05a31b191feeef66269ada2cee7db074c12381893ab26eeb03e5a17ce1f7b9c61e5d33c5b24359229
-
Filesize: 685KB
MD5: 373bcdfe74f6183d4073578cc3833fb3
SHA1: 7c26380afdcc9016e86d823930be4042ebefbe26
SHA256: a15ee207b5ddd312a8ab49b49bfe297e5cbd626645b2dc94c6b53cb991b32bde
SHA512: 8632dade2256dec342886fbeec0ff8556bce796b1a3e582b6cc6c6343715558f4679e740c805217020b3a65a29a30db0f81ecdf04c4013a4ed9497fcbfe3a1bd
-
Filesize: 685KB
MD5: 1b442e98c86cd339fc7f16955253d376
SHA1: 995fe0082a0dbe8927fce7039cb57b58a5c0d4ca
SHA256: a997c227fa52c32653ca0e35d9553f54a7bcd652604726aa12821c2ffeb07500
SHA512: b067f8a684a979e81c96c043e099dba5d6ab595849f405e9e71620a37b3bba29465d5f5c170ecbab0a827ea5cd56eee2317aaffb52c753421310debb0b9eb914