Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    2024-10-01, 22:11 UTC

General

  • Target

    89483eb024e0ef407ed654efd45527390b51559453473fa388357216c38d0979.apk

  • Size

    3.7MB

  • MD5

    ff065ca5e98ea4d5b8ace14c1fdc9471

  • SHA1

    333f5d5aae17366685ed3783a81bf7bf888bbc54

  • SHA256

    89483eb024e0ef407ed654efd45527390b51559453473fa388357216c38d0979

  • SHA512

    de2787aaa37d5e13bfb76ff5f1e6aa770fbd5e37d1161bce848193925ae33ec3901e01083f7affa6a642b0c03ffbfb42054219ca6a06ee66fdc566cd0a5eb9ab

  • SSDEEP

    98304:hX0jXcKay8gfBYLdWfQhln9o/5//9v5BngNFTUgIwrLlg/m1Va4k3hAxU:4Xc88AYLdWq9GXBng3swfAm1ED2U

Malware Config

Extracted

Family

alienbot

C2

http://1vq90ijfs1rqa6ngork8.xyz

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

  • Removes its main activity from the application launcher 1 TTPs 7 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • co.expose.airport
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4262
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/co.expose.airport/app_DynamicOptDex/KswczttIvuq.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/co.expose.airport/app_DynamicOptDex/oat/x86/KswczttIvuq.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4287
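
The "Loads dropped Dex/Jar" signature and the dex2oat child process above together show what the sample is doing: it writes a payload named KswczttIvuq.json into app_DynamicOptDex and hands it to dex2oat via --dex-file, so the ".json" extension is cosmetic. The following script is an added triage helper, not part of the tria.ge report or of the sample: it pulls the --dex-file, --oat-location and --compiler-filter values out of a dex2oat command line, then identifies the file at that path by magic bytes rather than extension and validates the DEX header (Adler-32 checksum over bytes 12 to end, SHA-1 signature over bytes 32 to end, declared file_size and header_size). The shortened command line reuses the arguments from the process tree; the DEX and JSON byte strings are constructed inline so the script runs offline, and the `files` dict stands in for a sandbox's dropped-file store.

```python
"""Added example: identify what a dex2oat --dex-file input really is, regardless of its name."""
import hashlib
import shlex
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"   # full magic is b"dex\n" + 3-digit version + NUL, e.g. b"dex\n035\x00"
ODEX_MAGIC_PREFIX = b"dey\n"
ZIP_MAGIC = b"PK\x03\x04"     # APK/JAR container, may carry classes.dex
DEX_HEADER_SIZE = 0x70
CODE_EXTENSIONS = (".dex", ".odex", ".jar", ".apk", ".zip")

# Shortened copy of the dex2oat invocation from the process tree above (same argument values).
SAMPLE_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--dex-file=/data/user/0/co.expose.airport/app_DynamicOptDex/KswczttIvuq.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/co.expose.airport/app_DynamicOptDex/oat/x86/KswczttIvuq.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)


def dex2oat_inputs(cmdline: str) -> dict:
    """Return the --dex-file, --oat-location and --compiler-filter values of a dex2oat argv string."""
    wanted = {"--dex-file", "--oat-location", "--compiler-filter"}
    out = {}
    for tok in shlex.split(cmdline.rstrip("&"))[1:]:   # drop the trailing '&' and argv[0]
        if "=" in tok:
            key, value = tok.split("=", 1)
            if key in wanted:
                out[key.lstrip("-").replace("-", "_")] = value
    return out


def classify_payload(data: bytes) -> str:
    """Identify a dropped file by its magic bytes, ignoring the extension it was given."""
    if data.startswith(DEX_MAGIC_PREFIX) and len(data) >= 8 and data[7:8] == b"\x00":
        return "dex"
    if data.startswith(ODEX_MAGIC_PREFIX):
        return "odex"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def dex_header_ok(data: bytes) -> bool:
    """Validate a DEX header: checksum (Adler-32 of bytes 12..end), signature (SHA-1 of bytes 32..end), sizes."""
    if len(data) < DEX_HEADER_SIZE or classify_payload(data) != "dex":
        return False
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size = struct.unpack_from("<II", data, 32)
    return (checksum == zlib.adler32(data[12:]) & 0xFFFFFFFF
            and signature == hashlib.sha1(data[32:]).digest()
            and file_size == len(data)
            and header_size == DEX_HEADER_SIZE)


def build_minimal_dex() -> bytes:
    """Constructed sample: a bare 0x70-byte DEX header with no sections and a consistent checksum/signature."""
    body = bytearray(DEX_HEADER_SIZE)
    body[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", body, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678)  # file_size, header_size, endian_tag
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()                              # signature covers bytes 32..end
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)        # checksum covers bytes 12..end
    return bytes(body)


def triage(cmdline: str, files: dict) -> dict:
    """Resolve the dex2oat input path against a dropped-file store and report what the bytes actually are."""
    info = dex2oat_inputs(cmdline)
    path = info.get("dex_file", "")
    data = files.get(path, b"")
    kind = classify_payload(data)
    return {
        "path": path,
        "oat_location": info.get("oat_location"),
        "compiler_filter": info.get("compiler_filter"),
        "kind": kind,
        "header_ok": dex_header_ok(data) if kind == "dex" else False,
        # Executable code hiding behind a non-code extension is the signal worth alerting on.
        "disguised": kind != "unknown" and not path.lower().endswith(CODE_EXTENSIONS),
    }


if __name__ == "__main__":
    # Constructed dropped-file store: the report's path holding a DEX header, plus a genuine JSON file for contrast.
    store = {
        "/data/user/0/co.expose.airport/app_DynamicOptDex/KswczttIvuq.json": build_minimal_dex(),
        "/data/user/0/co.expose.airport/files/config.json": b'{"ok": true}',
    }
    print(triage(SAMPLE_CMDLINE, store))
```

Run against a real dropped file, the same `classify_payload`/`dex_header_ok` pair tells you whether a failed header check means a truncated capture or a payload the loader decrypts or unpacks before calling dex2oat; in the latter case the bytes on disk will classify as "unknown" even though the process tree proves they were compiled.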

Network

  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.187.206
  • flag-us
    DNS
    jsonplaceholder.typicode.com
    Remote address:
    1.1.1.1:53
    Request
    jsonplaceholder.typicode.com
    IN A
    Response
    jsonplaceholder.typicode.com
    IN A
    172.67.167.151
    jsonplaceholder.typicode.com
    IN A
    104.21.59.19
  • flag-us
    POST
    https://jsonplaceholder.typicode.com/posts
    Remote address:
    172.67.167.151:443
    Request
    POST /posts HTTP/1.1
    Content-Length: 15
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: jsonplaceholder.typicode.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 201 Created
    Date: Tue, 01 Oct 2024 22:13:04 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 40
    Connection: keep-alive
    Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1727820784&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=EkI23rAUgKV9kFi05Ao%2BWDdY0Z%2BIbtwHKu%2FuBW5rJfA%3D"}]}
    Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1727820784&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=EkI23rAUgKV9kFi05Ao%2BWDdY0Z%2BIbtwHKu%2FuBW5rJfA%3D
    Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
    X-Powered-By: Express
    X-Ratelimit-Limit: 1000
    X-Ratelimit-Remaining: 999
    X-Ratelimit-Reset: 1727820837
    Vary: Origin, X-HTTP-Method-Override, Accept-Encoding
    Access-Control-Allow-Credentials: true
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Access-Control-Expose-Headers: Location
    Location: https://jsonplaceholder.typicode.com/posts/101
    X-Content-Type-Options: nosniff
    Etag: W/"28-qTfHrE6INSRTzBnUDwZIeKeN1Wk"
    Via: 1.1 vegur
    cf-cache-status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8cbfcc3e2b974173-LHR
  • flag-us
    DNS
    1vq90ijfs1rqa6ngork8.xyz
    Remote address:
    1.1.1.1:53
    Request
    1vq90ijfs1rqa6ngork8.xyz
    IN A
    Response (no answer records; the C2 domain did not resolve during analysis)
  • 142.250.187.206:443
    tls, https
    689 B
    40 B
    1
    1
  • 142.250.187.206:443
    tls, https
    689 B
    40 B
    1
    1
  • 142.250.187.206:443
    android.apis.google.com
    tls
    3.6kB
    7.9kB
    13
    18
  • 172.67.167.151:443
    https://jsonplaceholder.typicode.com/posts
    tls, http
    1.0kB
    5.0kB
    8
    8

    HTTP Request

    POST https://jsonplaceholder.typicode.com/posts

    HTTP Response

    201
  • 142.250.200.2:443
    tls
    135 B
    40 B
    2
    1
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.187.206

  • 224.0.0.251:5353
    3.9kB
    13
  • 1.1.1.1:53
    jsonplaceholder.typicode.com
    dns
    74 B
    106 B
    1
    1

    DNS Request

    jsonplaceholder.typicode.com

    DNS Response

    172.67.167.151
    104.21.59.19

  • 1.1.1.1:53
    1vq90ijfs1rqa6ngork8.xyz
    dns
    70 B
    135 B
    1
    1

    DNS Request

    1vq90ijfs1rqa6ngork8.xyz

Downloads

  • /data/data/co.expose.airport/app_DynamicOptDex/KswczttIvuq.json

    Filesize

    697KB

    MD5

    b5380c8a12bf679a95360b83e903ee54

    SHA1

    0c7eeb44fc233dc6744f4022b8ef521b48fa913d

    SHA256

    59b550b9db71057e60dd05b874e7d8f61a9d631a2780d82c66843df651389923

    SHA512

    b008ece4012fc406c5d6e2ec275bd693bae4bb3ab5e45d69933124d76b61087150cb68eb1b2bc191c731c2019ef5b96d689dac5bb748078bd178d1631e565342

  • /data/data/co.expose.airport/app_DynamicOptDex/KswczttIvuq.json

    Filesize

    697KB

    MD5

    7d73162f16110b7846c47e9933c39b7d

    SHA1

    e41d3ad627d628f80aad0cbce73c56cfe4934ba8

    SHA256

    1134506c78cd333905294454f5f07d26281feb1ed012f85c725733971c333b10

    SHA512

    5bc62c7b8e06365d4778ce8956c97d3d3aa305e2cdbe27ac73125316f6c2d7be9544f3f881fc26d697f0f67b8bbbfeb346a90b83fdcf1a46461552c1bb4a9e6f

  • /data/data/co.expose.airport/app_DynamicOptDex/oat/KswczttIvuq.json.cur.prof

    Filesize

    1KB

    MD5

    685a3996a8fec62b873afc9692c054ad

    SHA1

    254616b4d4ba7a7ff9fdacf09233b10afc2694b1

    SHA256

    22c3672b0c510b0f6d24a7a7af0302c671ae4bb49cff57e92505e3b25ebdb9c6

    SHA512

    edb405fd9e3977baefe9330d7c6865c9ea8d6fdc545ca1af4708fadc25d38f577aefbb9dbfd7c6d5f7cadd3074be6bc6219a7d313b90457c903709d21df3d119

  • /data/user/0/co.expose.airport/app_DynamicOptDex/KswczttIvuq.json

    Filesize

    902KB

    MD5

    0566eaba60dead2318740abf9560169a

    SHA1

    0d089e932ee5757c5870be5435eb2d78e631ca46

    SHA256

    c680f6657426548e54f063d25437e1eb222bab04f79cbd2ad1c68093d53641ef

    SHA512

    95cdc899c1483533b3bfd35829afccf13481cf8124d7a94f4870c710d3cfe285fc172f3f43efbb34acb28ae40df1f2f8bdc4a562c8cb8370f99f48f9ab539a54

  • /data/user/0/co.expose.airport/app_DynamicOptDex/KswczttIvuq.json

    Filesize

    902KB

    MD5

    1483a6149888ebdb02257b9ea6becb36

    SHA1

    cd1f436be8d30904000b19906797ac071d7f3b9b

    SHA256

    8368ae02add3552f005861f9e18a6bcd342428cf0bc0c2eec47a25d6baa7629f

    SHA512

    9817719deb4a20af91c493b1ced878b34a9764ac4ff54096dc650c0f476150d7331d24dec82e7cd90080cb864e9a437e04fe45a141111cc9ce84919f61e6857e
