Analysis
-
max time kernel
172s -
max time network
149s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
-
submitted
28-07-2024 08:26
General
-
Target
107ca9c97bfe522ae4e69fdb2b17fca6_JaffaCakes118.apk
-
Size
1.3MB
-
MD5
107ca9c97bfe522ae4e69fdb2b17fca6
-
SHA1
9695a3a919a414edfdce30c0f240df82134bb897
-
SHA256
23d0b7233ab3f7195e58d643703b14d38030b833c0d8820e42fef09f55ed4c36
-
SHA512
1da12b4029b1e98533542a6a80c66942d1943c9cdcc0490d9cfa0ffe53bb8f37719a861d821b41ad22571c10196515418b4d2213f12e35c1315b78d291931dc5
-
SSDEEP
24576:XIEs8ZMmIHDJERdPz8Z/Pwxbz1hmTSGfYqmE7XRDxmIHWDP1UxzSlehpOJx5KrIF:NjZoHDJERdo/YRz1sSGQE7hDhHWuR+vt
Malware Config
Extracted
alienbot
http://xancc4fp.live
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Cerberus payload 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 7 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes
-
zxistjp.sjxi.eddnhgyngpw1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5afc3cae51fb680ca7b424529ab66a437
SHA1866f500b4b05bdd3952115305be62c967ea45ece
SHA25695e5b340206dc89b5d841185fac060844b6b7bf80125e6171affd57a9a59eba9
SHA512a099aeb7bc848c5eb16eac97308cf519d132d5c2dd84d7f24cdc0e4829cc1fb8e3ebce27f9cd608838b3dc863129d4e730fbe46ff41aefd779f584ca7b53f384
-
Filesize
461KB
MD55525d2d7242a673bd14b2646eb6892ce
SHA18569d69cb00c7f258a3cba753b0f84a526efd59d
SHA256d75652f974958ebe94068708bf8a85927d62d66bacee864b52a61f4e879da3c5
SHA512135b7cfebe8e0dd5f4aa5ba851ddee9fa3737a690882f810b3c863cc0868b3cc9af1899d33627cfa20f0007d47401825a42b7cf74c169b824b79ff1a476d1371
-
Filesize
461KB
MD554dc5fa4683ae04014be3c09c64863cf
SHA1200700369c9b3d8692acc3e2cf94d1848afb12bb
SHA256ae61721e460243fb0bf4dd6a03eb26610377ccf63490c5dafdd30cb5c4843b38
SHA512159a52babd7260183d55737fe61bb897a1efd9889e838711815b2807b6e77fc0d380ee37c6f20921fec61c02506e90e66c0dc8440beea2131ca9f118c00ec2da