Analysis
max time kernel: 140s
max time network: 149s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 08-10-2024 20:02
Static task: static1
Behavioral task: behavioral1
  Sample: 24b12a6b58a37dfa57a7563883efabea_JaffaCakes118.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 24b12a6b58a37dfa57a7563883efabea_JaffaCakes118.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 24b12a6b58a37dfa57a7563883efabea_JaffaCakes118.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 24b12a6b58a37dfa57a7563883efabea_JaffaCakes118.apk
Size: 2.8MB
MD5: 24b12a6b58a37dfa57a7563883efabea
SHA1: 0a93e315530ac6a65f701869bebfd48c7ca40486
SHA256: afa85eacbcb9e4cb13d962449663ca0060eae579b33e0806c9ddecdc8d095830
SHA512: e6ba864194558ee1afd82e2edf84412e76c45f3c4d31f07f241bf29fbedaceca855b29e31ef283ab536c7533e326218ccb3a3201634fc23e83fc29f7cfd77cf6
SSDEEP: 49152:J8ujrWNGlYI9L9kjA5MtSRqzYsy6O7EHK35UPPCaBNNPfjElyDHp9nqHcnReiIQq:JkNahV5/UY9Dj2nnPTplKcnRHI3qm
Malware Config
Extracted
alienbot
http://194.163.136.78
Signatures

Alienbot
Alienbot is a fork of the Cerberus banker first seen in January 2020.

Cerberus payload [1 IoC]
Processes:
  resource | yara_rule
  behavioral3/files/fstream-2.dat | family_cerberus
Processes (asset.margin.pipe):
  pid | Process
  4448 | asset.margin.pipe
  4448 | asset.margin.pipe
  4448 | asset.margin.pipe
  4448 | asset.margin.pipe
  4448 | asset.margin.pipe
  4448 | asset.margin.pipe
  4448 | asset.margin.pipe
  4448 | asset.margin.pipe

Loads dropped Dex/Jar [1 TTP, 2 IoCs]
Runs an executable file dropped to the device during analysis.
Processes (asset.margin.pipe):
  ioc | pid | Process
  /data/user/0/asset.margin.pipe/app_DynamicOptDex/SgK.json | 4448 | asset.margin.pipe
  /data/user/0/asset.margin.pipe/app_DynamicOptDex/SgK.json | 4448 | asset.margin.pipe

Makes use of the framework's Accessibility service [4 TTPs, 2 IoCs]
Retrieves information displayed on the phone screen using AccessibilityService.
Processes (asset.margin.pipe):
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | asset.margin.pipe
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | asset.margin.pipe

Queries account information for other applications stored on the device [1 TTP, 1 IoC]
Application may abuse the framework's APIs to collect account information stored on the device.
Processes (asset.margin.pipe):
  description | ioc | Process
  Framework service call | android.accounts.IAccountManager.getAccountsAsUser | asset.margin.pipe

Queries the phone number (MSISDN for GSM devices) [1 TTP]

Acquires the wake lock [1 IoC]
Processes (asset.margin.pipe):
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | asset.margin.pipe

Makes use of the framework's foreground persistence service [1 TTP, 1 IoC]
Application may abuse the framework's foreground service to continue running in the foreground.
Processes (asset.margin.pipe):
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | asset.margin.pipe

Performs UI accessibility actions on behalf of the user [1 TTP, 2 IoCs]
Application may abuse the accessibility service to prevent its removal.
Processes (asset.margin.pipe):
  ioc | Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | asset.margin.pipe
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | asset.margin.pipe

Requests disabling of battery optimizations (often used to enable hiding in the background) [1 TTP, 1 IoC]
Processes (asset.margin.pipe):
  description | ioc | Process
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | asset.margin.pipe

Schedules tasks to execute at a specified time [1 TTP, 1 IoC]
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes (asset.margin.pipe):
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | asset.margin.pipe
Processes
asset.margin.pipe (PID 4448)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
- Suppress Application Icon (1)
- User Evasion (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
Downloads

Filesize: 685KB
MD5: 1221a8143f5ba9aa97092d586920d054
SHA1: e53b302d47d078701bd3c096833d3cb4692749f2
SHA256: fa23ec08d24705deacb41545a3ca21779e2b1c0845dcd400d27ba2754eda2547
SHA512: 53af00702725719d386685be945e943cdeb5d435deb9dd4a71ce4b3ab56a3e86efc4da6061ea56f8a82953617ead7f26047c1a32770e77ca70a4d8eb47424afa

Filesize: 685KB
MD5: f1184c0f3cd2fa70c590484035e9d32a
SHA1: 76fa99121538d74ac89a9598f107e2c4ece7717f
SHA256: 5d7cc286da591ab8f960570810260bda6dff78f51d5b03229841eb84f76ca434
SHA512: d17c2c61be6863e945fa514e9d7c1c6dbed1781baf35c8e630cc7c68608aec31f233f1fd2cdbcbeadffe0a0ffc479d06442fe263476691859036a8b78b32ae9c

Filesize: 368B
MD5: 1905f1cb23fc1e6ab162442905ef6b67
SHA1: 4959c6a32f9877e91068f52885b2dc3f4b87b560
SHA256: 1b57bb9da2dea8c6dfcd29a2e6a5ec43e1eeda289e3a5d7043d4ad1fa5fa3ff2
SHA512: fec39fae5d2e19e80299d7e380e1a57e53d67e5787f54481d3c72aeae31271cd9f8065c0ac307942f9454bead3dc6383dd1d2419f4b17ceb1de658d39ae724f4