Analysis
max time kernel: 170s
max time network: 149s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 09-08-2024 22:14
Static task: static1
Behavioral task: behavioral1
  Sample: 89ae74c9f062891c73ac61be992f2c7dc93b4160da2e3a495cf97b8746f75928.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 89ae74c9f062891c73ac61be992f2c7dc93b4160da2e3a495cf97b8746f75928.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 89ae74c9f062891c73ac61be992f2c7dc93b4160da2e3a495cf97b8746f75928.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 89ae74c9f062891c73ac61be992f2c7dc93b4160da2e3a495cf97b8746f75928.apk
Size: 3.7MB
MD5: 28ec8e44dfc136cb7dcd96223b4c976a
SHA1: b1fb3132ab02b4342961a61ee772f57fa563e22f
SHA256: 89ae74c9f062891c73ac61be992f2c7dc93b4160da2e3a495cf97b8746f75928
SHA512: 219ca2f43de16d25dfd9a205c69131f00d7e34123cec04fc128257beec34eeb88fc3da23e6550a9b5d509eafde42af5c66161432619a3b45633f8cdffa902b19
SSDEEP: 98304:1mg77rJO9/NglwbSjF4DxuX3EBMcHQyx3HdQ6r94+3gQ:RpSbw+unUQyx3mIz
Malware Config
Extracted
alienbot
http://slmkekeexhrrymelaa312313.com
Signatures
- Alienbot
  Alienbot is a fork of Cerberus banker first seen in January 2020.
- Cerberus payload (1 IoC)
  resource: /data/user/0/dawn.sand.mom/app_DynamicOptDex/tIa.json, yara_rule: family_cerberus
- Processes (pid / process): 4509 dawn.sand.mom (5 entries)
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/dawn.sand.mom/app_DynamicOptDex/tIa.json, pid: 4509, process: dawn.sand.mom (2 entries)
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process dawn.sand.mom)
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (process dawn.sand.mom)
- Queries account information for other applications stored on the device (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect account information stored on the device.
  Framework service call android.accounts.IAccountManager.getAccountsAsUser (process dawn.sand.mom)
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Acquires the wake lock (1 IoC)
  Framework service call android.os.IPowerManager.acquireWakeLock (process dawn.sand.mom)
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call android.app.IActivityManager.setServiceForeground (process dawn.sand.mom)
- Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (process dawn.sand.mom, 2 entries)
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (process dawn.sand.mom)
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Framework service call android.app.job.IJobScheduler.schedule (process dawn.sand.mom)
Processes
dawn.sand.mom (PID 4509)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
- Suppress Application Icon (1)
- User Evasion (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
Downloads
- Filesize: 355B
- Filesize: 636KB
- Filesize: 636KB