Analysis
- max time kernel: 146s
- max time network: 152s
- platform: android-11_x64
- resource: android-x64-arm64-20240910-en
- resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
- submitted: 12/12/2024, 22:00 UTC
Behavioral tasks
- behavioral1: sample 629f9e70b58afec57d995fc86da4dfb3b3f57fd5202a08b0a26d4be625f40a05.apk, resource android-x86-arm-20240624-en
- behavioral2: sample 629f9e70b58afec57d995fc86da4dfb3b3f57fd5202a08b0a26d4be625f40a05.apk, resource android-x64-20240624-en
- behavioral3: sample 629f9e70b58afec57d995fc86da4dfb3b3f57fd5202a08b0a26d4be625f40a05.apk, resource android-x64-arm64-20240910-en
General
- Target: 629f9e70b58afec57d995fc86da4dfb3b3f57fd5202a08b0a26d4be625f40a05.apk
- Size: 591KB
- MD5: 85d4cd1aa3b96c12cfca866a60a18369
- SHA1: e342a09ac9498758bf5f2780672ab389057a1554
- SHA256: 629f9e70b58afec57d995fc86da4dfb3b3f57fd5202a08b0a26d4be625f40a05
- SHA512: 71ebe6533a6e472333dcd69a7236cdecc69cb8d1bc14979adec1534c9480cdc352ec935204230d42bcd5ec9af45350d4aa66ea374c2461e101dfa19d36e2d5df
- SSDEEP: 12288:vOUWc4yiz0563G+r0Lusi1BK3+jDG+r0BRnYOAHOA9V7tkw3SDxrlW+js:vmcFq3FwEkOjDFwfYOyD9f3SDBTjs
Malware Config (extracted)
- Family: alienbot
- C2: http://alcaroot.net
Signatures
- Alienbot
  Alienbot is a fork of Cerberus banker first seen in January 2020.
- Alienbot family
- Cerberus family
- pid 4663, process com.mhiauaqmlacl.ypmsfwbkjhsbeoz (5 identical rows)
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process com.mhiauaqmlacl.ypmsfwbkjhsbeoz
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process com.mhiauaqmlacl.ypmsfwbkjhsbeoz
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  Framework service call android.accounts.IAccountManager.getAccountsAsUser, process com.mhiauaqmlacl.ypmsfwbkjhsbeoz
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  Framework service call android.os.IPowerManager.acquireWakeLock, process com.mhiauaqmlacl.ypmsfwbkjhsbeoz
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call android.app.IActivityManager.setServiceForeground, process com.mhiauaqmlacl.ypmsfwbkjhsbeoz
- Performs UI accessibility actions on behalf of the user (1 TTPs, 2 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process com.mhiauaqmlacl.ypmsfwbkjhsbeoz
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process com.mhiauaqmlacl.ypmsfwbkjhsbeoz
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process com.mhiauaqmlacl.ypmsfwbkjhsbeoz
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Framework service call android.app.job.IJobScheduler.schedule, process com.mhiauaqmlacl.ypmsfwbkjhsbeoz
Processes
- com.mhiauaqmlacl.ypmsfwbkjhsbeoz (PID 4663)
  - Removes its main activity from the application launcher
  - Makes use of the framework's Accessibility service
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Schedules tasks to execute at a specified time
Network
- Remote address 1.1.1.1:53
  Request: www.youtube.com IN A
  Response: www.youtube.com IN CNAME youtube-ui.l.google.com; youtube-ui.l.google.com IN A 142.250.180.14, 172.217.169.14, 142.250.187.206, 172.217.169.46, 172.217.169.78, 216.58.213.14, 172.217.16.238, 142.250.187.238, 216.58.204.78, 142.250.179.238, 216.58.212.238, 142.250.200.46, 142.250.200.14, 142.250.178.14, 216.58.201.110
- Remote address 1.1.1.1:53
  Request: android.apis.google.com IN A
  Response: android.apis.google.com IN CNAME clients.l.google.com; clients.l.google.com IN A 142.250.178.14
- Remote address 1.1.1.1:53
  Request: jsonplaceholder.typicode.com IN A
  Response: jsonplaceholder.typicode.com IN A 172.67.167.151, 104.21.59.19
- Remote address 172.67.167.151:443
  Request:
POST /posts HTTP/1.1
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
Host: jsonplaceholder.typicode.com
Connection: Keep-Alive
Accept-Encoding: gzip
  Response:
HTTP/1.1 201 Created
Content-Type: application/json; charset=utf-8
Content-Length: 40
Connection: keep-alive
Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1734040824&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=AgofgO4DyQABYkrswUt75rUpElRRT7SSZiX%2FAUfTyAo%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1734040824&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=AgofgO4DyQABYkrswUt75rUpElRRT7SSZiX%2FAUfTyAo%3D
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
X-Powered-By: Express
X-Ratelimit-Limit: 1000
X-Ratelimit-Remaining: 999
X-Ratelimit-Reset: 1734040857
Vary: Origin, X-HTTP-Method-Override, Accept-Encoding
Access-Control-Allow-Credentials: true
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Access-Control-Expose-Headers: Location
Location: https://jsonplaceholder.typicode.com/posts/101
X-Content-Type-Options: nosniff
Etag: W/"28-qTfHrE6INSRTzBnUDwZIeKeN1Wk"
Via: 1.1 vegur
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8f10fcafb94fede6-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=26493&min_rtt=26440&rtt_var=5660&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3115&recv_bytes=874&delivery_rate=151549&cwnd=252&unsent_bytes=0&cid=12f9fdbc3c96f889&ts=358&x=0"
- Remote address 1.1.1.1:53
  Request: ssl.google-analytics.com IN A
  Response: ssl.google-analytics.com IN A 142.250.187.200
- Remote address 1.1.1.1:53
  Request: alcaroot.net IN A
  Response: none recorded
-
Flows
- HTTP request: POST https://jsonplaceholder.typicode.com/posts; HTTP response: 201
- DNS request: www.youtube.com; DNS response: 142.250.180.14, 172.217.169.14, 142.250.187.206, 172.217.169.46, 172.217.169.78, 216.58.213.14, 172.217.16.238, 142.250.187.238, 216.58.204.78, 142.250.179.238, 216.58.212.238, 142.250.200.46, 142.250.200.14, 142.250.178.14, 216.58.201.110
- DNS request: android.apis.google.com; DNS response: 142.250.178.14
- DNS request: jsonplaceholder.typicode.com; DNS response: 172.67.167.151, 104.21.59.19
- DNS request: ssl.google-analytics.com; DNS response: 142.250.187.200
- DNS request: alcaroot.net; DNS response: none recorded
MITRE ATT&CK Mobile v15
- Defense Evasion
  - Foreground Persistence (1)
  - Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
  - Impair Defenses (1)
  - Prevent Application Removal (1)
  - Input Injection (1)