xenomorph | 9cafebdd395400758440f021b0241d27627f946fa00f9ca0f5fee519c606116c

General

Target

9cafebdd395400758440f021b0241d27627f946fa00f9ca0f5fee519c606116c.apk
Size

2.4MB
MD5

9bd879ae461870a875caa63a27e3313c
SHA1

a2ee09854f145fc08163d3bd61d1782231be1a8b
SHA256

9cafebdd395400758440f021b0241d27627f946fa00f9ca0f5fee519c606116c
SHA512

c36f7e496bc0e947687ce63beaf5559e5081537d7492600d79a731659438d8eba9a38bb632d22827878da33972e9fccc6674ffe6b3c019f983dd807104919188
SSDEEP

49152:cUqJsv4Kje2NPgQ91l4d4kzVLmrylbQlDaf5rMyAKGEjs:LqJsv4v2591kfVLmK6OfeKGEjs

Score

10^/10

xenomorph banker collection credential_access discovery evasion impact infostealer trojan

Malware Config

Extracted

Family

xenomorph

C2

simpleyo5.tk

simpleyo5.cf

kart12sec.ga

kart12sec.gq

Extracted

Family

xenomorph

AES_key

Signatures

Xenomorph
Xenomorph is an Android banking trojan that is seemingly tied with AlienBot.
banker trojan infostealer xenomorph
Xenomorph family
xenomorph

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.spike.old/app_DynamicOptDex/hq.json	4515	com.spike.old

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.spike.old
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.spike.old

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.spike.old

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Reads the content of SMS inbox messages. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://sms/inbox	com.spike.old

Reads the content of outgoing SMS messages. 1 TTPs 2 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://sms/sent	com.spike.old
URI accessed for read	content://sms/draft	com.spike.old

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.spike.old

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.spike.old

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.spike.old

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.spike.old

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.spike.old

com.spike.old
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Reads the content of SMS inbox messages.
- Reads the content of outgoing SMS messages.
- Acquires the wake lock
- Queries information about active data network
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4515

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

System Information Discovery

2

T1426

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Protected User Data

2

T1636

SMS Messages

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1

T1471

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.spike.old/app_DynamicOptDex/hq.json

Filesize
893KB

MD5
2690b5434d844fcaa4527744faff8700

SHA1
2ec4338390f8bf65c7340257a149da66cb792593

SHA256
7cbcebcccb83e5dccd98a5ffef0aa16201e30f684cfa743bd91d459e5a1286e2

SHA512
87cc00acf8271f454dc756dd6247a207d793a4bb3e593850efac906e976bfc023ba6a9b27d2ca3f9a3d6a22ed94e8ca20db7bd4cf24180f73f2f6e075c032b86

Download Submit
/data/data/com.spike.old/app_DynamicOptDex/hq.json

Filesize
893KB

MD5
889aae346b72fa3bf1293888074da26a

SHA1
0626aa9b6ef6a3e695c92221a21ee323ebcc97a1

SHA256
40c6b36a316b596fca2b84cd4d65d745bd15d1c90c1428050b3e71917c1ee360

SHA512
5c06b9dc60abe38688b8b600557b1ebacbe51955f85776d18a010451774b529212f67f20ee5b05137fec76cb5975c33768e9ccc2c936aebe94b45f95cb11f3e4

Download Submit
/data/data/com.spike.old/app_DynamicOptDex/oat/hq.json.cur.prof

Filesize
2KB

MD5
6ec7724aefbc4e167d0d8f4d05b9ac69

SHA1
b96b03ccc73220db7673c1c3ec90bf56d088cd00

SHA256
e606b8094b6010e3344f7167045f05416bb688c33484a68c2e8c05327520e427

SHA512
95915dc347770810561d754a4eb93487f2084311bd1970990575957027c4447bb9102dde138345220ad4b35308c02201b62c84babd29ef05373d03790b646ad1

Download Submit
/data/user/0/com.spike.old/app_DynamicOptDex/hq.json

Filesize
2.4MB

MD5
fde08886038bffc5923fa098cd55d0cd

SHA1
d6f8dbbdd2ded86081cb81e690f5402552ee5345

SHA256
dae52bbee7f709fae9d91e06229c35b46d4559677f26152d4327fc1601d181be

SHA512
93b05624b145e56e081e0771b1ec635df4cf6109087abc67dabe7055ef745003109047370fd42bab83424b7ee396fc6116419f4c255bbd1a794ec558fa7a9091

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads