Resubmissions

16/12/2024, 22:34 UTC

241216-2hjmgaskdz 10

12/12/2024, 22:00 UTC

241212-1wqr9synb1 10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags
    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    12/12/2024, 22:00 UTC

General

  • Target

    629f9e70b58afec57d995fc86da4dfb3b3f57fd5202a08b0a26d4be625f40a05.apk

  • Size

    591KB

  • MD5

    85d4cd1aa3b96c12cfca866a60a18369

  • SHA1

    e342a09ac9498758bf5f2780672ab389057a1554

  • SHA256

    629f9e70b58afec57d995fc86da4dfb3b3f57fd5202a08b0a26d4be625f40a05

  • SHA512

    71ebe6533a6e472333dcd69a7236cdecc69cb8d1bc14979adec1534c9480cdc352ec935204230d42bcd5ec9af45350d4aa66ea374c2461e101dfa19d36e2d5df

  • SSDEEP

    12288:vOUWc4yiz0563G+r0Lusi1BK3+jDG+r0BRnYOAHOA9V7tkw3SDxrlW+js:vmcFq3FwEkOjDFwfYOyD9f3SDBTjs

Malware Config

Extracted

Family

alienbot

C2

http://alcaroot.net

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

  • Alienbot family
  • Cerberus

    An Android banker that has been rented out to actors since 2019.

  • Cerberus family
  • Removes its main activity from the application launcher 1 TTPs 5 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • com.mhiauaqmlacl.ypmsfwbkjhsbeoz
    • Removes its main activity from the application launcher
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4663

Network

  • flag-us
    DNS
    www.youtube.com
    Remote address:
    1.1.1.1:53
    Request
    www.youtube.com
    IN A
    Response
    www.youtube.com
    IN CNAME
    youtube-ui.l.google.com
    youtube-ui.l.google.com
    IN A
    142.250.180.14
    youtube-ui.l.google.com
    IN A
    172.217.169.14
    youtube-ui.l.google.com
    IN A
    142.250.187.206
    youtube-ui.l.google.com
    IN A
    172.217.169.46
    youtube-ui.l.google.com
    IN A
    172.217.169.78
    youtube-ui.l.google.com
    IN A
    216.58.213.14
    youtube-ui.l.google.com
    IN A
    172.217.16.238
    youtube-ui.l.google.com
    IN A
    142.250.187.238
    youtube-ui.l.google.com
    IN A
    216.58.204.78
    youtube-ui.l.google.com
    IN A
    142.250.179.238
    youtube-ui.l.google.com
    IN A
    216.58.212.238
    youtube-ui.l.google.com
    IN A
    142.250.200.46
    youtube-ui.l.google.com
    IN A
    142.250.200.14
    youtube-ui.l.google.com
    IN A
    142.250.178.14
    youtube-ui.l.google.com
    IN A
    216.58.201.110
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.178.14
  • flag-us
    DNS
    jsonplaceholder.typicode.com
    Remote address:
    1.1.1.1:53
    Request
    jsonplaceholder.typicode.com
    IN A
    Response
    jsonplaceholder.typicode.com
    IN A
    172.67.167.151
    jsonplaceholder.typicode.com
    IN A
    104.21.59.19
  • flag-us
    POST
    https://jsonplaceholder.typicode.com/posts
    Remote address:
    172.67.167.151:443
    Request
    POST /posts HTTP/1.1
    Content-Length: 15
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: jsonplaceholder.typicode.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 201 Created
    Date: Thu, 12 Dec 2024 22:00:24 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 40
    Connection: keep-alive
    Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1734040824&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=AgofgO4DyQABYkrswUt75rUpElRRT7SSZiX%2FAUfTyAo%3D"}]}
    Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1734040824&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=AgofgO4DyQABYkrswUt75rUpElRRT7SSZiX%2FAUfTyAo%3D
    Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
    X-Powered-By: Express
    X-Ratelimit-Limit: 1000
    X-Ratelimit-Remaining: 999
    X-Ratelimit-Reset: 1734040857
    Vary: Origin, X-HTTP-Method-Override, Accept-Encoding
    Access-Control-Allow-Credentials: true
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Access-Control-Expose-Headers: Location
    Location: https://jsonplaceholder.typicode.com/posts/101
    X-Content-Type-Options: nosniff
    Etag: W/"28-qTfHrE6INSRTzBnUDwZIeKeN1Wk"
    Via: 1.1 vegur
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8f10fcafb94fede6-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=26493&min_rtt=26440&rtt_var=5660&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3115&recv_bytes=874&delivery_rate=151549&cwnd=252&unsent_bytes=0&cid=12f9fdbc3c96f889&ts=358&x=0"
  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.187.200
  • flag-us
    DNS
    alcaroot.net
    Remote address:
    1.1.1.1:53
    Request
    alcaroot.net
    IN A
    Response
  • 142.250.180.14:443
    www.youtube.com
    tls
    2.1kB
    8.3kB
    18
    14
  • 216.58.201.110:443
    www.youtube.com
    tls, https
    1.4kB
    40 B
    1
    1
  • 142.250.178.14:443
    android.apis.google.com
    tls
    3.7kB
    6.9kB
    16
    15
  • 142.250.178.14:443
    android.apis.google.com
    tls
    2.7kB
    6.2kB
    13
    11
  • 172.67.167.151:443
    https://jsonplaceholder.typicode.com/posts
    tls, http
    1.5kB
    5.6kB
    11
    10

    HTTP Request

    POST https://jsonplaceholder.typicode.com/posts

    HTTP Response

    201
  • 142.250.187.200:443
    ssl.google-analytics.com
    tls
    1.3kB
    6.3kB
    9
    9
  • 216.239.36.223:443
    tls, https
    128 B
    40 B
    2
    1
  • 142.250.187.206:443
    www.youtube.com
    tls
    135 B
    40 B
    2
    1
  • 142.250.187.193:443
    tls
    135 B
    40 B
    2
    1
  • 216.58.201.97:443
    tls
    135 B
    40 B
    2
    1
  • 216.239.34.223:443
    tls, https
    128 B
    40 B
    2
    1
  • 216.239.34.223:443
    tls, https
    128 B
    40 B
    2
    1
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    www.youtube.com
    dns
    61 B
    335 B
    1
    1

    DNS Request

    www.youtube.com


  • 142.250.180.14:443
    www.youtube.com
    https
    1.4kB
    54 B
    1
    1
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.178.14

  • 1.1.1.1:53
    jsonplaceholder.typicode.com
    dns
    74 B
    106 B
    1
    1

    DNS Request

    jsonplaceholder.typicode.com

    DNS Response

    172.67.167.151
    104.21.59.19

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.187.200

  • 1.1.1.1:53
    alcaroot.net
    dns
    58 B
    131 B
    1
    1

    DNS Request

    alcaroot.net

MITRE ATT&CK Mobile v15
