Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
156s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system -
submitted
04/12/2024, 22:06
Static task
static1
Behavioral task
behavioral1
Sample
0e8082b726164376cc6eb6cc013fa8e4d6400960949ac3805cb40af93d725d73.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
0e8082b726164376cc6eb6cc013fa8e4d6400960949ac3805cb40af93d725d73.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
0e8082b726164376cc6eb6cc013fa8e4d6400960949ac3805cb40af93d725d73.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
0e8082b726164376cc6eb6cc013fa8e4d6400960949ac3805cb40af93d725d73.apk
-
Size
3.4MB
-
MD5
66fd97bf9913de7f9d7f57bc94dbfe79
-
SHA1
fa57844951fc91de94b12a984b68a1e336e44394
-
SHA256
0e8082b726164376cc6eb6cc013fa8e4d6400960949ac3805cb40af93d725d73
-
SHA512
631e3dd756b818dd753658288d93903d2cfe9686f3e5eafe12913f0daa893d4dc2cb8e8499638b270274019ba42950aac4c21cf93828803b1f74553dc75a5548
-
SSDEEP
98304:GAOarn/diY/W9ovGZDLBIEga6dQpcYwAWfFCUet+Ff96rkvubokjz:GAOarcY/W2vGZvBI2SdPfFZFlbvuTz
Malware Config
Extracted
alienbot
http://servicesc.xyz
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Alienbot family
-
Cerberus family
-
Cerberus payload 1 IoCs
resource yara_rule behavioral2/files/fstream-2.dat family_cerberus -
pid Process 5096 msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr 5096 msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr 5096 msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr 5096 msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr 5096 msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr 5096 msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr 5096 msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json 5096 msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr /data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json 5096 msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr -
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description ioc Process Framework service call android.accounts.IAccountManager.getAccountsAsUser msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Processes
-
msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Performs UI accessibility actions on behalf of the user
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:5096
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Hide Artifacts
1Suppress Application Icon
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
723KB
MD5a974446e49181fbf30c4614737abc596
SHA142a9e894f2652854067d90ddaa3adafee7967dc7
SHA2563687b59d4b8a3ecaa164f5f04301303ce0192fdc2c296df20b3dc209cc3d2776
SHA512dfa34829c2271969d7ae9a9ea67371abac312fc0db6518b43b2ff69dc8aa3c1532f2f0d3e51c130699301be6c28b363a4f1f11f040d3f1e27ed1ef194d11e060
-
Filesize
723KB
MD5076e71f327de667a8c616f0ad4dae1ba
SHA1171b0aaab6aa53e564c5328ee1af5fb416327399
SHA25683c6d3e8bef45f67a9dcdc5f648cea621fb08d45da0421fbb383b14187cc1042
SHA5120f2ddab6850803912b2c05fb960e8d8e5c2effc047321e28e54bef6194750be8625c0670fbd48c83ca03e901cb35a0bb200d19b199a64206ee7383d09613ff0a
-
Filesize
382B
MD50684c2b92ec9f3b3bbb6e8d249cc0968
SHA14db21b52e6aca05113cf871dba93392bfd19d2ab
SHA2561669a85385fce88f5f27c39ef9df853119f13b8e31b10dfbacd33cedf185de58
SHA512dd7c5b46dc812d2eda0e16dde8721a769b620aaa6e89d7f67ada32b2ce7cf34f3ceae83d36631d18768317764ce7a824c0988968b992813898eab388aa2ba331