Analysis
-
max time kernel
145s -
max time network
150s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
05-10-2024 10:12
General
-
Target
1742936fc3118792758eaecef0991ea3_JaffaCakes118.apk
-
Size
2.6MB
-
MD5
1742936fc3118792758eaecef0991ea3
-
SHA1
c939e399263a53f5e5e4563085e5ff85a7ab0352
-
SHA256
057809e3b42b8b7a4f437a8cdbed5f7b78da66127794f8a9bf4f686693544be3
-
SHA512
13fd7c45e0af19d37336bea774977ab074aecb285f24e7e95cb23bb0d4b460f1165ccd014d532f8c9a45842bd2779205834048eb06896b4b9819581090a30b7a
-
SSDEEP
49152:rPUYehPA5dhtJMZejNQLHmWSCcA0+RBKCRvwCXj0AxhAg6o:LUYexAbdMZUOlh9xwCXoAxhKo
Malware Config
Extracted
alienbot
http://rareqtereqqer.sbs
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Cerberus payload 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 7 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes
-
able.version.fever1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Performs UI accessibility actions on behalf of the user
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Hide Artifacts
1Suppress Application Icon
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
735KB
MD53b68ce7ea7294a71a587dc962d15d0ea
SHA1a3ec21155c3dfd7e60e9ad2e34eba2fe617e62c5
SHA256e90d108a13e45aa2cfd567da2027882201630f123b893a36c22a78ed6616d68f
SHA512100c667f8fd17986a740511ab54b1015b172368c1e9cfe70333cce8f89fd649067bb89e74da4380053e7f2a8a68928d3e13bf0fe3695276cb7351b153b27f370
-
Filesize
735KB
MD5d77b349c02be5c74972e14cf92890e2c
SHA1b4da5de3a4d634ee494d3c970946d0a8dbbc27f6
SHA2561054587f97139175e5c23a5374a2a9123a4183f16bed070e03537aead750b8ab
SHA5127701756fca6df25bb5b2a1c7dd776a6a301047ab6b955c54b8572e0047431fac34c79d0c5c0a7393f0f602c6bca0d43087c9b7f839c533774ea7df16ad00da12
-
Filesize
405B
MD5fa14491d65b7cdd23ce67d6252a3ba79
SHA118092a9ab12b8d34577c94db59731901d913a5e1
SHA25693b065b26a1ec9705b4068848b0bd07ebcb4bdcded310d691e0b18c2053dd283
SHA5127e1693fd54eae640a7f3f63baefcabad20197f36c1d253b9b545cb52e8f0edb7cd9b3d859624bfb43e0e6eea1503dcca2e3b781eeca8ef360584fb0d681220fe