Overview

overview

10

Static

static

6

NEAS.28cf2...8b.apk

android-9-x86

10

NEAS.28cf2...8b.apk

android-10-x64

10

NEAS.28cf2...8b.apk

android-11-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    22-10-2024 13:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.28cf23f76582b13705346e8fe77802785267e6b2ab2072bf9c2b9b918b2b588b.apk

  • Size

    2.2MB

  • MD5

    f962034252259d770995b760cf804ed4

  • SHA1

    92a4967469877bb134e81bdaec0a8a1171c79dc6

  • SHA256

    28cf23f76582b13705346e8fe77802785267e6b2ab2072bf9c2b9b918b2b588b

  • SHA512

    7a96a65c09cf73689c041b8a4de219c6fef2a1b824efa925baf9b6afe2a8ed314c044d631d6106d30df69b5b1c593949516668650c25fbc80921f1afeeb33c7c

  • SSDEEP

    49152:K7wyceKi6ssGECKmviJRpLof9/n39pdRxOKTH1luTdMS:5ZLmE9AQnLUF3HMKTHSdX

Score
10/10
alienbotcerberusbankercollectioncredential_accessdiscoveryevasionexecutioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://comolokko4152ertausicken.gq/

rc4.plain

Extracted

Family

alienbot

C2

http://comolokko4152ertausicken.gq/

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 8 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • com.timber.funny
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4479

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json
    Filesize

    238KB

    MD5

    b9ef71e496c13f1d0adb890f09b0a6ac

    SHA1

    a0b768653d33a43094ec5d325fd14169f8e2943f

    SHA256

    2681dd696c408d25daecaa524b7ea7a8491e94cdc8c7e41f96de5650bba91e80

    SHA512

    189eb39f1b89a0768e5ad524289688a8bcddb7be1d84cdb9cf7eae9ea01a40a69207bbbd14d71a5bed0c38726726cc7ff4fb3ebe0e751817ac21f8bdce4c072e

    Download Submit

  • /data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json
    Filesize

    238KB

    MD5

    27fba65ca18b132e52e55df1dc2d710a

    SHA1

    45e418b090bbaa73751145cd003ec18d91d68a10

    SHA256

    72147d67aefb8b20893ff3f22f75d449a29b56d67d0a4fdda255187f6a5885a7

    SHA512

    1f50c7bc719dbccb6ef74a5a56c02681e222b8ecd88347e2dad57d675a8c8c624e6cc7f62699d2b7362e9b57ff24c994a5c5699c4190f910555568916b0249f2

    Download Submit

  • /data/user/0/com.timber.funny/app_DynamicOptDex/oQXZESo.json
    Filesize

    483KB

    MD5

    09485d0ae12ab18d75eb0ca54efbf49c

    SHA1

    f2daa5007a2479ee78c74e8f9eb013b946b9962d

    SHA256

    bc51d9fc51b0045e126dbb438b481b6808218cde64ec3fb51d3267d3212f79c4

    SHA512

    8d94715a8c019914628e911658ce1f17df8924c76d3e963004891040953c8c51d514cc89f9029a00119b0a06e7cb38830e5287096426e0399095c49622398be4

    Download Submit

  • /data/user/0/com.timber.funny/app_DynamicOptDex/oat/oQXZESo.json.cur.prof
    Filesize

    321B

    MD5

    7fde96c9772aace89d2bb8ad8cc3b59e

    SHA1

    08798be64837b04adee0e44c53cc3f08d2d16233

    SHA256

    9e0ba08ec5fd2f343f4d7e4905c7ad4ad7d92fe4daeef4c49f8e676d259ee6ce

    SHA512

    514acf8e5893c181b42532d484f732bdfdc1a8cd9fe1ffc5397a4525edabf803d4c0654d7096f4c6fa714b9bf82244f8c74f067601aad01f36027ca18503596b

    Download Submit