Overview

overview

10

Static

static

6

757be08495...18.apk

android-9-x86

10

757be08495...18.apk

android-10-x64

10

757be08495...18.apk

android-11-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    25-10-2024 00:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    757be08495745e8f90e97d33fa946aff_JaffaCakes118.apk

  • Size

    2.6MB

  • MD5

    757be08495745e8f90e97d33fa946aff

  • SHA1

    0a7af3d293c4bc9fa142e714f5be6f774aa0a112

  • SHA256

    f808d05653ae38eef70954a583c9cacdf5d43bd28e73e689174d47c73e431da6

  • SHA512

    a49c67ea1f2b92f0bd30c699567198033c5e0712474d77674cbed3127429dfe2b5a208b6b35141c91d3eb3360a970992929a28887d38ed90cfd06177af5694a2

  • SSDEEP

    49152:dDFzDxnFGJvAMs5oC/kW2njHqN1EdJue2NV3zBDb32XIFtPWs3Sn:JFzDxnU+5HylepBfGXNj

Score
10/10
alienbotcerberusbankercollectioncredential_accessdiscoveryevasionexecutioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://194.163.136.78

rc4.plain

Extracted

Family

alienbot

C2

http://194.163.136.78

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 8 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • video.typical.scrap
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4498

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/video.typical.scrap/app_DynamicOptDex/jZ.json
    Filesize

    695KB

    MD5

    99ca162c256d1f74e74580a3110a05c3

    SHA1

    5626499829471270feac4413bfb807eb3a71bbce

    SHA256

    f2f00291c5dc5c33697dbaa02239985ab8d060687445f67c158ff62786793e4b

    SHA512

    c8791671cd895556c72fb7eb47001326c115133486191c38c8d97295f30f70d498ccaabe3b4f7270234bad4c434842b77ca715a04173408d56ab9b562cf113eb

    Download Submit

  • /data/user/0/video.typical.scrap/app_DynamicOptDex/jZ.json
    Filesize

    695KB

    MD5

    33f1dd56e54c4dcb29c2bcf0aa11bd86

    SHA1

    349040d578a550a758c8d6cae15f9a0e2d525f43

    SHA256

    d6ecf45bf1f6b71cc285cba4b477f891552ce3b1e2d75c3713e663164ae43729

    SHA512

    2a0a2e785a8c48eff88ec5b2106f8481c5ff10d13d15fb7bf381d8f1952cdc37c2c4e8af095ad018bdaf89da18f2d07e03073c5a4e1019626297431ad57fbbb4

    Download Submit

  • /data/user/0/video.typical.scrap/app_DynamicOptDex/oat/jZ.json.cur.prof
    Filesize

    365B

    MD5

    67180d811aad0c6865307b2d58ebbd71

    SHA1

    2daf2e5e2d5f12d3c426cd39a80f8f5dedb5a036

    SHA256

    167ad8c9c1d3b1e6317bb430ab6c3f6de6a54a0260bb6063db219613204f4a7a

    SHA512

    84a03cad673482439e2723583911787c7107deb8a899d08cb165523dd923709424e9dce054442445f9ba29388bb805f826c8d33e472e849cf34503642238dcb9

    Download Submit