Analysis
max time kernel: 139s
max time network: 149s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 12-09-2024 22:01
Static task: static1

Behavioral task: behavioral1
Sample: 78cd685e42e7a1a8508e542c33dba94c217317406ed2fe1cb027784399fbd3b8.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: 78cd685e42e7a1a8508e542c33dba94c217317406ed2fe1cb027784399fbd3b8.apk
Resource: android-x64-20240624-en

Behavioral task: behavioral3
Sample: 78cd685e42e7a1a8508e542c33dba94c217317406ed2fe1cb027784399fbd3b8.apk
Resource: android-x64-arm64-20240624-en
General
Target: 78cd685e42e7a1a8508e542c33dba94c217317406ed2fe1cb027784399fbd3b8.apk
Size: 2.8MB
MD5: 3e5c6714fa93b8e8a3afaaf34e9b130f
SHA1: 9aeb8ebd14e3d3db6fff393b6df0393084faddf1
SHA256: 78cd685e42e7a1a8508e542c33dba94c217317406ed2fe1cb027784399fbd3b8
SHA512: a445f7d91502af13e32cb68a43a43d957abb1ac972edb503b662dd71d372a7ee017ab1d850ef04dfb97799ebadbd7573b2e62d4c8cf659f7ab88d10e40c292b0
SSDEEP: 49152:ChICrrqHXAov413IPw83X2/4D4+us8Ctl+TPOhnFv1p+HhHUODSIk9366:5grqHwoAKIem/4E+ljhnFvmNrMs6
Malware Config
Extracted: alienbot
https://herkularasdfasa.shop
Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
pid: 4492 | Process: com.kzoxdsmc.zuetopzw.jppxugms.nwjwqnjy

Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.kzoxdsmc.zuetopzw.jppxugms.nwjwqnjy/egg5twdhbr/8groUlwtrfwrbgg/base.apk.wnwterr1.feg | pid: 4492 | Process: com.kzoxdsmc.zuetopzw.jppxugms.nwjwqnjy

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Process: com.kzoxdsmc.zuetopzw.jppxugms.nwjwqnjy
description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Process: com.kzoxdsmc.zuetopzw.jppxugms.nwjwqnjy

Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect account information stored on the device.
description: Framework service call | ioc: android.accounts.IAccountManager.getAccountsAsUser | Process: com.kzoxdsmc.zuetopzw.jppxugms.nwjwqnjy

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | Process: com.kzoxdsmc.zuetopzw.jppxugms.nwjwqnjy

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description: Framework service call | ioc: android.app.IActivityManager.setServiceForeground | Process: com.kzoxdsmc.zuetopzw.jppxugms.nwjwqnjy

Performs UI accessibility actions on behalf of the user (1 TTPs, 2 IoCs)
Application may abuse the accessibility service to prevent its removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | Process: com.kzoxdsmc.zuetopzw.jppxugms.nwjwqnjy
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | Process: com.kzoxdsmc.zuetopzw.jppxugms.nwjwqnjy

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
description: Intent action | ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | Process: com.kzoxdsmc.zuetopzw.jppxugms.nwjwqnjy

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description: Framework service call | ioc: android.app.job.IJobScheduler.schedule | Process: com.kzoxdsmc.zuetopzw.jppxugms.nwjwqnjy
Processes

com.kzoxdsmc.zuetopzw.jppxugms.nwjwqnjy (PID: 4492)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
- Suppress Application Icon (1)
- User Evasion (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
Downloads

/data/user/0/com.kzoxdsmc.zuetopzw.jppxugms.nwjwqnjy/egg5twdhbr/8groUlwtrfwrbgg/base.apk.wnwterr1.feg
Filesize: 774KB
MD5: b311b94820b1a9b48f722896b892c15d
SHA1: 37d3860ed8c397089f3a29c43b613b699ba004fc
SHA256: 2c2cd57a09edcb23f0e8ef7c021136e59bc7d57e95efdd502ab07bc2557ee9c3
SHA512: 740d1b55c07b96578781be6e0e7d5042041aaf94c5ad0c1949d732f6fd8997ccbe465fb2ea7c6e9fd9c33a50df75fbea6cd258970acfaf472e39fea83a45856a

/data/user/0/com.kzoxdsmc.zuetopzw.jppxugms.nwjwqnjy/egg5twdhbr/8groUlwtrfwrbgg/tmp-base.apk.wnwterr1842344110986129815.feg
Filesize: 353KB
MD5: 6092c350817998fe3b51e8ef82959a91
SHA1: 5c0d543568471741c3b34e45997a2bfa045d0f44
SHA256: 4e3f0eed74dd385427431bdc98a5506b82ccc61598ba99c2bd3f7ef7431fd2ab
SHA512: 08942021d94fc232494fa2c85a82dc1cbe031cce8fe44437cd8b1e6d736d3b74bf1adee43d98b560463336934b856853f98319528b2664e02e01e6a43627c155