Analysis
-
max time kernel
145s -
max time network
142s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
-
submitted
24-10-2024 14:01
General
-
Target
740cbd727edfa42ebd9ae6665c0a6c3b_JaffaCakes118.apk
-
Size
2.9MB
-
MD5
740cbd727edfa42ebd9ae6665c0a6c3b
-
SHA1
55636ff9abfb78fa206bc5794021d92f5bebc8e0
-
SHA256
061a13193d6f743c67c486a64fe50be243132df2fb414ce01b554bf87ba871c5
-
SHA512
500a38a9f00cca61d43b9a10cb9f6f06bfdc62f35124ab898b8a71456d8ce8d390f9db9c81075d189a8995f21812865822c0135675bcc601980ba9fbdc244547
-
SSDEEP
49152:bUlFuZFJK2yF69IJS300TEXKJAkSn4fITJYpHfVex4E4k4x//zC1HrR+n0FAYVpQ:bUGKr09z300IXsWWITepuD4kqzC1HLAt
Malware Config
Extracted
alienbot
http://193.70.91.231
Extracted
alienbot
http://193.70.91.231
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Cerberus payload 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 8 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes
-
host.meadow.inmate1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
733KB
MD54d07a028b11e74be051ef630999846ba
SHA1e07f2dae08c5501af368996fc8b33360c8579854
SHA256da1505a00b9c085efde3287ef08020103b7c28b64fa77db07eef0099d2339809
SHA512190821d8b3244965f835b04af1d115340648cc295675292fd5e4444889cc254e078c5be939d7a8efa9be92d16717127171f001322e8d2d6ab6f162655a1a3a56
-
Filesize
733KB
MD59e41d4c26bcb1f57f0769facdb640e87
SHA14ee36bface37742da0eb1eb0e21294a73289ca61
SHA256c8cc402727a34c4d37969aeae3e3abc0e9e51f487b0f1b552017e3e9b8958e41
SHA512e872a487b075edc1975e05c38567f6927b66808016a1b38a37614a32688bf68c498f9e157c11deb3eee6f3da848181036e394ae6f04ae256856de1a1003fd150
-
Filesize
353B
MD576bf03b7a75b17d7dc8ae2aef07be232
SHA13dadb168b54af77a3884ced3feecc53f42f4a525
SHA256ebeb8c5aeeec27744395c3d475d7f13374382b7f8e8f2bc605871f7b4b2f2cad
SHA512b2a263bb383e46d834e8c8b5510e6885d04cf525fdfe4c2dbf1756fe2f44065942ab445a978ddff302ebe09736543b13d2f5ebe775ef8b4af22f90ba4b2debc2