Analysis
max time kernel: 167s
max time network: 136s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 02/08/2024, 22:03
Static task: static1

Behavioral task: behavioral1
  Sample: ac6ebea494bcc1aedf9cb36bf4f6bb5d383a4be98ce9d4130464d6120b9e0d7e.apk
  Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
  Sample: ac6ebea494bcc1aedf9cb36bf4f6bb5d383a4be98ce9d4130464d6120b9e0d7e.apk
  Resource: android-x64-20240624-en

Behavioral task: behavioral3
  Sample: ac6ebea494bcc1aedf9cb36bf4f6bb5d383a4be98ce9d4130464d6120b9e0d7e.apk
  Resource: android-x64-arm64-20240624-en
General
Target: ac6ebea494bcc1aedf9cb36bf4f6bb5d383a4be98ce9d4130464d6120b9e0d7e.apk
Size: 2.6MB
MD5: 03f367d932224419933e6a7390db2be7
SHA1: 81fcf120e3290ce4398175bf6cd5baae163d93cd
SHA256: ac6ebea494bcc1aedf9cb36bf4f6bb5d383a4be98ce9d4130464d6120b9e0d7e
SHA512: 182a818c7db2f9083040e6c05c71caa1403d38339e3123faf4c1bb12b7dd258bce340292bdc0734cf3ec1909b0104d9c1bd6e3eefcbbd60279d9a976647d2ede
SSDEEP: 49152:tUaSRroAzZbU4tsiKqQyOJA/qtUor117Br0bsCI67ZfS/EzKLh3ACvx9U+q:t+1U4tFKqNUEqttx+s/6RSsKLh3AB
Malware Config
Extracted
alienbot
http://xenorap.ru
Signatures
Alienbot
Alienbot is a fork of the Cerberus banker, first seen in January 2020.

Cerberus payload (1 IoC)
  resource | yara_rule
  behavioral3/files/fstream-2.dat | family_cerberus

Removes its main activity from the application launcher (3 IoCs)
  pid | Process
  4472 | axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj
  4472 | axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj
  4472 | axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs an executable file that was dropped onto the device during analysis.
  ioc | pid | Process
  /data/user/0/axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj/app_DynamicOptDex/QH.json | 4472 | axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj
  /data/user/0/axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj/app_DynamicOptDex/QH.json | 4472 | axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj

Queries account information for other applications stored on the device (1 TTP, 1 IoC)
The application may abuse the framework's APIs to collect account information stored on the device.
  description | ioc | Process
  Framework service call | android.accounts.IAccountManager.getAccountsAsUser | axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
The application may abuse the framework's foreground service to keep running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj

Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)
The application may abuse the accessibility service to prevent its own removal.
  ioc | Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  description | ioc | Process
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj

Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
The application may abuse the framework's APIs to schedule initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj
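The signatures above are produced by matching the framework service calls, intent actions and file loads the sandbox observed against a rule set. The following is an added example, not tria.ge code, of how such a behavioural rule engine can be written: the event format (kind, value, process) and the event list are constructed from the IoC rows in this report, the signature names follow the report, and the ATT&CK Mobile technique names attached to each rule are an assumed mapping (the report does not state which signature feeds which technique). The rule for "Loads dropped Dex/Jar" illustrates the check a practitioner actually wants: code loaded from an app-created "app_<name>" directory under the app's private data directory was written after install rather than shipped inside the signed APK.

```python
"""Re-derive behavioural signatures from Android sandbox events.

Added example for this page; not tria.ge code. The event format
(kind, value, process) and the events themselves are constructed from the
IoC rows in the report above. Signature names follow the report; the
ATT&CK Mobile technique names attached to each rule are an assumed mapping.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Package name of the sample analysed above.
PKG = "axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj"
ACC = "android.accessibilityservice.IAccessibilityServiceConnection."

# Constructed sample events: (kind, value, process). Duplicates are kept on
# purpose because the report counts each observed call as a separate IoC.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("file_load", f"/data/user/0/{PKG}/app_DynamicOptDex/QH.json", PKG),
    ("file_load", f"/data/user/0/{PKG}/app_DynamicOptDex/QH.json", PKG),
    ("service_call", ACC + "findAccessibilityNodeInfoByAccessibilityId", PKG),
    ("service_call", ACC + "findAccessibilityNodeInfosByViewId", PKG),
    ("service_call", "android.accounts.IAccountManager.getAccountsAsUser", PKG),
    ("service_call", "android.os.IPowerManager.acquireWakeLock", PKG),
    ("service_call", "android.app.IActivityManager.setServiceForeground", PKG),
    ("service_call", ACC + "performGlobalAction", PKG),
    ("service_call", ACC + "performGlobalAction", PKG),
    ("intent", "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", PKG),
    ("service_call", "android.app.job.IJobScheduler.schedule", PKG),
    # Benign noise that no rule should match (constructed).
    ("service_call", "android.view.IWindowSession.relayout", PKG),
]


@dataclass(frozen=True)
class Rule:
    name: str                         # signature name as printed in the report
    kind: str                         # event kind this rule inspects
    matches: Callable[[str], bool]    # predicate over the event value
    techniques: Tuple[str, ...] = ()  # assumed ATT&CK Mobile technique names


def _any_of(*names: str) -> Callable[[str], bool]:
    return lambda value: value in names


def _is_runtime_code_in_private_dir(path: str) -> bool:
    # Context.getDir(name, mode) creates "<app data dir>/app_<name>". A DEX/JAR
    # loaded from there was written by the app after install, not shipped in
    # the signed APK, which is what "Loads dropped Dex/Jar" is flagging.
    return path.startswith(("/data/user/0/", "/data/data/")) and "/app_" in path


RULES: List[Rule] = [
    Rule("Loads dropped Dex/Jar", "file_load", _is_runtime_code_in_private_dir,
         ("Download New Code at Runtime",)),
    Rule("Makes use of the framework's Accessibility service", "service_call",
         _any_of(ACC + "findAccessibilityNodeInfoByAccessibilityId",
                 ACC + "findAccessibilityNodeInfosByViewId")),
    Rule("Queries account information for other applications stored on the device",
         "service_call", _any_of("android.accounts.IAccountManager.getAccountsAsUser")),
    Rule("Acquires the wake lock", "service_call",
         _any_of("android.os.IPowerManager.acquireWakeLock")),
    Rule("Makes use of the framework's foreground persistence service", "service_call",
         _any_of("android.app.IActivityManager.setServiceForeground"),
         ("Foreground Persistence",)),
    Rule("Performs UI accessibility actions on behalf of the user", "service_call",
         _any_of(ACC + "performGlobalAction"),
         ("Impair Defenses: Prevent Application Removal", "Input Injection")),
    Rule("Requests disabling of battery optimizations", "intent",
         _any_of("android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"),
         ("Hide Artifacts: User Evasion",)),
    Rule("Schedules tasks to execute at a specified time", "service_call",
         _any_of("android.app.job.IJobScheduler.schedule")),
]


def evaluate(events) -> Dict[str, List[str]]:
    """Return {signature name: [matching IoC values]} for signatures that fired."""
    hits: Dict[str, List[str]] = {}
    for rule in RULES:
        iocs = [value for kind, value, _proc in events
                if kind == rule.kind and rule.matches(value)]
        if iocs:
            hits[rule.name] = iocs
    return hits


def technique_counts(hits: Dict[str, List[str]]) -> Dict[str, int]:
    """Count fired signatures per (assumed) ATT&CK Mobile technique."""
    by_name = {rule.name: rule for rule in RULES}
    counts: Dict[str, int] = {}
    for name in hits:
        for technique in by_name[name].techniques:
            counts[technique] = counts.get(technique, 0) + 1
    return counts


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for name, iocs in hits.items():
        print(f"{name} ({len(iocs)} IoCs)")
        for ioc in iocs:
            print(f"  {ioc}")
    print(technique_counts(hits))
```

Run stand-alone, it prints the eight signatures that fire on the constructed events, with IoC counts matching the tables above (the accessibility, dropped-code and performGlobalAction signatures each carry two rows), and leaves the benign relayout call unmatched. Each rule keys on an exact Binder interface method or intent action rather than a substring, so a future framework method with a similar name does not silently widen the rule.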
Processes
axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj (PID 4472)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (2)
    Suppress Application Icon (1)
    User Evasion (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
Downloads
Filesize: 682KB
  MD5: 85f2ade624bcdf04ebda639785b94f66
  SHA1: 5a49f9e5b5e16fb88ca44f912b8f69e7947034e0
  SHA256: c716dac42c4552c536f305ca7000a27675cb739f629f32be698dff8ef88dc712
  SHA512: 75d83c02ea59d3e6cfec75909905faa4370e5a7fe7656131d5dfa441b672e0cbc3c4f4e08a374ded70ba1a24848fd7d1ee47dedcfce5f67353dc14f8ec154ff9

Filesize: 682KB
  MD5: 3457f0c1c561bd81a690fb76d3ef8c6d
  SHA1: 5fd0587fad5f97c3b615c6208e946afc99b21f29
  SHA256: 52a14479ed7b4d7ace10ea74b7340d313b87155a0275ab81904ec59aba87bcd2
  SHA512: 5e0fb55a31b2c41cc26879e3ba14d1f416f27403d54789e2b82b14a4a7ab0d19ab7f2d57ab21131a1ae4692f3987abf3d7093e4f06e929d12e1a8876d1d0ab3c

/data/user/0/axgelzqacnkrhmdwurybmjbnars.xwps.odqpnmrnkfauxrushgonjhyj/app_DynamicOptDex/oat/QH.json.cur.prof
  Filesize: 359B
  MD5: 4c1d944762377bb66b391b0684efec53
  SHA1: 29b1bc8b871aee0c6ee0d75f315bcf04093971ff
  SHA256: f19ac79ee8cd510b0fdae9c09b167f7195d7f6e700bcc322023cdd50d2879ded
  SHA512: 32261ef87c1efd1015bcd4f5e3c5c4ead6d74547e216a81a45bb8bf55df2595e9b80bfc1bbe5b0910fc852f3882bbaa438db2ba2d81187cfd9642eb9673bfb59