General

  • Target

    fbadda1aea91b50a5adc6b855b8bbfa4_JaffaCakes118

  • Size

    2.9MB

  • Sample

    241218-qgvgss1pdm

  • MD5

    fbadda1aea91b50a5adc6b855b8bbfa4

  • SHA1

    80df44dcf743100119e8acbd936a7651887061bd

  • SHA256

    d5686b96ed9847a7b5184b70ef9401c3295f50682ad12a9127eb87ec4b4d2feb

  • SHA512

    97a117024efcb7e076bce91950784a0ceacd8573a286d69164e21ba662e9957f429ad5121e68c4920b24649c6b326fce6327aa920cbd4c9e6041605ba4ecd7b8

  • SSDEEP

    49152:uPdQCR7d+XwoUcT740McyPqFaHUVP6nfl56PyqQSZYfFbdWpHZWsTMKNn7E3Mk:ctgXwodMNgjU956qqQSZYfFb6HRTM38k

Malware Config

Extracted

Family

alienbot

C2

http://194.163.136.78

rc4.plain

Extracted

Family

alienbot

C2

http://194.163.136.78

Targets

    • Target

      fbadda1aea91b50a5adc6b855b8bbfa4_JaffaCakes118

    • Size

      2.9MB

    • MD5

      fbadda1aea91b50a5adc6b855b8bbfa4

    • SHA1

      80df44dcf743100119e8acbd936a7651887061bd

    • SHA256

      d5686b96ed9847a7b5184b70ef9401c3295f50682ad12a9127eb87ec4b4d2feb

    • SHA512

      97a117024efcb7e076bce91950784a0ceacd8573a286d69164e21ba662e9957f429ad5121e68c4920b24649c6b326fce6327aa920cbd4c9e6041605ba4ecd7b8

    • SSDEEP

      49152:uPdQCR7d+XwoUcT740McyPqFaHUVP6nfl56PyqQSZYfFbdWpHZWsTMKNn7E3Mk:ctgXwodMNgjU956qqQSZYfFb6HRTM38k

    • Alienbot

      Alienbot is a fork of Cerberus banker first seen in January 2020.

    • Alienbot family

    • Cerberus

      An Android banker that is being rented to actors beginning in 2019.

    • Cerberus family

    • Cerberus payload

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries account information for other applications stored on the device

      Application may abuse the framework's APIs to collect account information stored on the device.

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Mobile v15

Tasks