alienbot | 96515ec94f2bce57561174f2516246c16b73ddfc5f0aadf2aa576f65604df213

Analysis

max time kernel
143s
max time network
158s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
23-11-2024 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01e6cb93ee9ab6e67340d1f9e6ede5efc9c64f9e.apk
Size

1.1MB
MD5

53138b3f0f98b6433d28b5aef525f7b3
SHA1

01e6cb93ee9ab6e67340d1f9e6ede5efc9c64f9e
SHA256

31b0c269aebb2c98f47d73b0224f29a39ee0eac0b0f4989e741acf1e0606124d
SHA512

2a010c4013891417e9d6f4e8a32d8f20b71f2d5aaf401ea071ad8099270dd0aee29402c6c78862bf1e4ce1c341fa9cc1785fbafd43aee6975e8c052142f74a82
SSDEEP

24576:9rp4PsCmh+Tsn3m+wK536DCIMjyBugmhUpk3Ka1oob9jU4R7QHoHO2Edq:N6y+wn3mEGij6g5v1LNR7WZ2N

Score

10^/10

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://84.32.214.45

rc4.plain

Extracted

Family

alienbot

http://84.32.214.45

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Alienbot family
alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Cerberus family
cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral2/memory/4951-0.dex	family_cerberus

Removes its main activity from the application launcher 1 TTPs 8 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4951	com.cable.sword
4951	com.cable.sword
4951	com.cable.sword
4951	com.cable.sword
4951	com.cable.sword
4951	com.cable.sword
4951	com.cable.sword
4951	com.cable.sword

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.cable.sword/app_DynamicOptDex/Pn.json	4951	com.cable.sword

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.cable.sword
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.cable.sword

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.cable.sword

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.cable.sword

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.cable.sword

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.cable.sword
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.cable.sword

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.cable.sword

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.cable.sword

com.cable.sword
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:4951

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.cable.sword/app_DynamicOptDex/Pn.json

Filesize
238KB

MD5
242ff55710b86a773739a04e09fad3d9

SHA1
89036ad92697e41d41e457f892e7bf3bc0567fa3

SHA256
2c6b3ead0237ffa7fca6e26b88661e9bf2b3f672f7955ef9ec53f1d9f9bdfd46

SHA512
f9b2cb2cd7cf11ae6f01869570cb08241ebfcf33acd8581f8b3e5e4b5d84a08b50d8802581a4f11e09da6e68651cd8c492512fd7725cedf961c1a7951b3f4643

Download Submit
/data/data/com.cable.sword/app_DynamicOptDex/Pn.json

Filesize
238KB

MD5
77c71ae64968cf1f0089cfef960d0052

SHA1
bf192d2d6a9ae2c43f0b9d98bf7a167fbc9531cf

SHA256
9d1bd8a3f8147ffba0380fe5317b78555224abaa84c11279937bb6f8f3d80a10

SHA512
5a7f51cbb23af8cfc7c92e7430c644ea25faeee356a2ae391c0974a712e48059dc9c4eab2a80d9fbec93e5af09aaf447d79406edc38854d4b7fb0804652fc98f

Download Submit
/data/data/com.cable.sword/app_DynamicOptDex/oat/Pn.json.cur.prof

Filesize
391B

MD5
80294bbb4b4b4fb4455197e54e1798e9

SHA1
dcb43b53a0ce23962b5e21523038e573cfa13424

SHA256
2fb274c943c2597abd9cf31cfd20fd1b222eb5e34471007bc46bce1a7331f8ce

SHA512
a4435dcafa5ce07c974f0e64797319286b1fb20b3b5e785584882773b3c46e998bd48d835c3898b3a06d4e51b4272a898a0eb22af187d91706184387aff4ec84

Download Submit
/data/user/0/com.cable.sword/app_DynamicOptDex/Pn.json

Filesize
483KB

MD5
97ec800f656664eeb0cdda11478068b0

SHA1
02db30a789b44b816e8f356cda5b5602b9611da4

SHA256
1bdad53f20f3fe0e17204cac9c0478faf624ead18175d99276ebd333bfd7b0e8

SHA512
6a9a03071e4272e4ce5222f9b4827601eaddf154718c48f3d00323da7e55fbaf2a15f195732f1a19d48ea43260806150b71414b980d534ae7c7a914d8c30580d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads