Analysis
max time kernel: 134s
max time network: 154s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 21/12/2024, 22:02
Static task: static1
Behavioral task: behavioral1
  Sample: ac96473138cc210721102777a2b766f023cb31dfd24a96292149145f5c4f2c58.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: ac96473138cc210721102777a2b766f023cb31dfd24a96292149145f5c4f2c58.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: ac96473138cc210721102777a2b766f023cb31dfd24a96292149145f5c4f2c58.apk
  Resource: android-x64-arm64-20240910-en
General
Target: ac96473138cc210721102777a2b766f023cb31dfd24a96292149145f5c4f2c58.apk
Size: 3.4MB
MD5: 92f5b5deacc307f5dbeddaa10829660a
SHA1: 4de9eb452a882a0be46cda98029716dca910b3f3
SHA256: ac96473138cc210721102777a2b766f023cb31dfd24a96292149145f5c4f2c58
SHA512: 168fcaeeed3c5944687f95176753b2098b1b480e7f65506ea3053bdb2098e14023622e3667602c0d8b110db51e6f38d048a8890fea29f31a687a98eb7bd20857
SSDEEP: 98304:SCw10bcOm3tdvG9TOmsvyCGqZYf97B7lpQpYpuXt/D/rB30Up:SwbcOWnvG9TOYwG97B7eYcxD/rBNp
Malware Config
Extracted: cerberus
Extracted: alienbot
  http://217.8.117.104
Signatures
Alienbot
  Alienbot is a fork of the Cerberus banker, first seen in January 2020.
Alienbot family
Cerberus family
Cerberus payload (2 IoCs)
  resource / yara_rule:
    behavioral1/memory/4239-0.dex: family_cerberus
    behavioral1/memory/4215-0.dex: family_cerberus
  pid / Process:
    4215: com.ucuadqxoj
Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs an executable file dropped to the device during analysis.
  ioc / pid / Process:
    /data/user/0/com.ucuadqxoj/cache/payload.jar, pid 4239: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ucuadqxoj/cache/payload.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ucuadqxoj/cache/oat/x86/payload.odex --compiler-filter=quicken --class-loader-context=&
    /data/user/0/com.ucuadqxoj/cache/payload.jar, pid 4215: com.ucuadqxoj
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description / ioc / Process:
    Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (com.ucuadqxoj)
    Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (com.ucuadqxoj)
Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description / ioc / Process:
    Framework service call: android.accounts.IAccountManager.getAccountsAsUser (com.ucuadqxoj)
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
Performs UI accessibility actions on behalf of the user (1 TTPs, 2 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc / Process:
    android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (com.ucuadqxoj)
    android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (com.ucuadqxoj)
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description / ioc / Process:
    Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (com.ucuadqxoj)
Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  description / ioc / Process:
    Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (com.ucuadqxoj)
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description / ioc / Process:
    Framework service call: android.app.IActivityManager.registerReceiver (com.ucuadqxoj)
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description / ioc / Process:
    Framework service call: android.app.job.IJobScheduler.schedule (com.ucuadqxoj)
Checks CPU information (2 TTPs, 1 IoCs)
  description / ioc / Process:
    File opened for read: /proc/cpuinfo (com.ucuadqxoj)
Checks memory information (2 TTPs, 1 IoCs)
  description / ioc / Process:
    File opened for read: /proc/meminfo (com.ucuadqxoj)
Processes
com.ucuadqxoj (PID: 4215)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries account information for other applications stored on the device
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Checks CPU information
  - Checks memory information
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ucuadqxoj/cache/payload.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ucuadqxoj/cache/oat/x86/payload.odex --compiler-filter=quicken --class-loader-context=& (PID: 4239)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Scheduled Task/Job (1)
Defense Evasion
  Download New Code at Runtime (1)
  Hide Artifacts (2)
    Suppress Application Icon (1)
    User Evasion (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Downloads
Filesize: 471B
  MD5: 98c3a619c1341b5acade78088130be45
  SHA1: a5b3044190dbb491aecd5ce5b8d57e4afceb6075
  SHA256: d1b9a9be007fed79f9fb697b7f447dcac5c1e3699b55120903fd266faf07db80
  SHA512: 45d9ca3721e70f9c99270634618907e2ec620f9a232507b9c231d9adda100c42fbdf2fa60a5ba99065888df870527afdae86f8b747774ff46d233efb83094bdd
Filesize: 269KB
  MD5: 2c71af739b725732bc7409da870f1b01
  SHA1: 65122134f0af886a0cba79388494fa69fb89015b
  SHA256: db9f83468daf09f671b75412b0f380c044000677e1c096ef9514e33e8c1c238d
  SHA512: f25cfd7aa47994715d0b6efa23882b4c89c87b5ff4bb2ac566d139b6b6e8ddbbefc57a8a1dbc802061a404d965fd1977f83fbaddd5cc87a5dd811e743c46a3df
Filesize: 512KB
  MD5: a80b292df3ef1721270c3064a667bedb
  SHA1: aefb39bf99ef3b1d119057b83e21c787b53ad41c
  SHA256: 4e850ae53a02f6c01ded3ac7b18bc015bfc8942134b1be91ddbe132e5f2dd745
  SHA512: 9f0925c2fd0ce2be03312a06faaa8b9c03379e7f7c0d98cecb9e0e805ac03f836ab544ef4d4abfb3161a32b0f750b584c4f31cf7b962f56f61b3bb9d7a6e3c95
Filesize: 512KB
  MD5: e509eeb11454e83ef776251a753488c4
  SHA1: 76b5813d03e27a8f8746ee9694774dfd7768aa4e
  SHA256: f1e98d8910917f15db1c5780fdd082ce27a7ecce40f363ecd07d0f8091332b77
  SHA512: b9e4d4972f717f155e92f1431c61c3d4b627ed996470d158a5ea1b6ebe23f84a3a44da73c53f70ae13f255e1263f1741628976c5e877727f25556d95dc58c7d1