Analysis
-
max time kernel
112s -
max time network
156s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
-
submitted
22-10-2024 05:58
General
-
Target
0f3c4594f761570c38484ac37c0ec52f.apk
-
Size
1.2MB
-
MD5
0f3c4594f761570c38484ac37c0ec52f
-
SHA1
78f85545e92515f3b016d28df7d39828259056f0
-
SHA256
64f9d97353ef326a58622f329097a282a5a09e0ab636136fb9cb3ab716f5664d
-
SHA512
344acff9322a72279bb1183378feea438575cc440fc6063dde61e27dcd7fbd92ae9a76b342035e86c384350f64cdea6a33560e419e6a955d4fc51794c54d0006
-
SSDEEP
24576:r87rfoIVzz8VMnapL2359mnHksmwZ8o4KDMsIiHsWRmGo2KPKe0:I7rfoIVcMnahkPmnHkGJ/1rHBRmGNKP8
Malware Config
Extracted
alienbot
http://fxancc4fp4.site
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Cerberus payload 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 6 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes
-
xtfyqftuwxhcp.dnxhlssmkbwtkitdxwuhzmiz.szadohuobgujqujnuaznwwht1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
493KB
MD59d22ce43b6cd6cfadfe0a0a4ae2fa9a9
SHA1ed8f4cc20b653c70d9c54a73ef0fd12b90e8cdb7
SHA2560767dba685a392eb56e2e661e02223e8b9a13ef718a4503ba7f28c82f32f9c10
SHA512a46cdb90ecb6fe7f038738b810f80b5480e40c3d8cb90a2f7dafb02339e40af157bb54bbad98696d95c461297a4268468f01a67f7f4ca60522c133bdd1f8bcc8
-
Filesize
493KB
MD584f673f013c88f1d22d4dca9a326ccc6
SHA1fe3dd10e9764c70914a318374da696244c43a045
SHA256e280412c1cf95ee7d90c789e8c39cd3225ee7cc9fc5732e1c0489f2a3c40f389
SHA5122ca531d45906be66ef5cae426d17f42ba107e28e75c1cd176d48d4e2bd15156d2955b7488cf4ed57ef9ab013d9727ae596e7d65af845c8e0aa8527ed9a023780
-
Filesize
219B
MD5ea174cab326e4170f2ba30dba8bc08d9
SHA18cc070c0acea68399b71c013199b5feba28673d5
SHA2569136aa66613b60d875a2aa587a5fe0728eb277882e2736a163b545ba1b3a60bd
SHA5124530cb43d7df47cd1543f6866bb2f0d7e523621f90d76a2157d730f979172a3008c66c5ae8c31b4bb5740a3cd7db5d97b38c1dd2bc4b157095fe8336bae7dd56