Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
155s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system -
submitted
29/12/2024, 22:04 UTC
Static task
static1
Behavioral task
behavioral1
Sample
0bd7b57f21aa1d7df45d3537291c4513b882d60c3d5c2272c5a918d3c892a5f2.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
0bd7b57f21aa1d7df45d3537291c4513b882d60c3d5c2272c5a918d3c892a5f2.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
0bd7b57f21aa1d7df45d3537291c4513b882d60c3d5c2272c5a918d3c892a5f2.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
0bd7b57f21aa1d7df45d3537291c4513b882d60c3d5c2272c5a918d3c892a5f2.apk
-
Size
3.3MB
-
MD5
17d30a33fa35e9b55703fa28f8f06f08
-
SHA1
8688c2ecac687246f44794effb6eca7db2ce4929
-
SHA256
0bd7b57f21aa1d7df45d3537291c4513b882d60c3d5c2272c5a918d3c892a5f2
-
SHA512
102b6ffd2a8bb1a7e7be5565991e480446b9aeabd281f5307162184497ecea2820aa9e56b30d1239bda8b58a35bd66063d388f9aaa9feb72a7c0d7dba310140f
-
SSDEEP
49152:bsK9pjCIQMivuDiiYq8URysYC1XHsPOhCRPjdxHFmYwWyrHwUwdU5n3R07qhabRo:wKKIQ5V7k8Yi5xEYVeL3T4xYe7ZY
Malware Config
Extracted
alienbot
http://34.89.218.199
Extracted
alienbot
http://34.89.218.199
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Alienbot family
-
Cerberus family
-
Cerberus payload 2 IoCs
resource yara_rule behavioral1/files/fstream-2.dat family_cerberus behavioral1/memory/4230-1.dex family_cerberus -
pid Process 4230 future.clutch.chuckle -
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/future.clutch.chuckle/app_DynamicOptDex/KTLn.json 4230 future.clutch.chuckle /data/user/0/future.clutch.chuckle/app_DynamicOptDex/KTLn.json 4256 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/future.clutch.chuckle/app_DynamicOptDex/KTLn.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/future.clutch.chuckle/app_DynamicOptDex/oat/x86/KTLn.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/future.clutch.chuckle/app_DynamicOptDex/KTLn.json 4230 future.clutch.chuckle -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId future.clutch.chuckle Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId future.clutch.chuckle -
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description ioc Process Framework service call android.accounts.IAccountManager.getAccountsAsUser future.clutch.chuckle -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock future.clutch.chuckle -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground future.clutch.chuckle -
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction future.clutch.chuckle android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction future.clutch.chuckle -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone future.clutch.chuckle -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS future.clutch.chuckle -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver future.clutch.chuckle -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule future.clutch.chuckle -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo future.clutch.chuckle -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo future.clutch.chuckle
Processes
-
future.clutch.chuckle1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4230 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/future.clutch.chuckle/app_DynamicOptDex/KTLn.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/future.clutch.chuckle/app_DynamicOptDex/oat/x86/KTLn.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4256
-
Network
-
Remote address:1.1.1.1:53Requestjsonplaceholder.typicode.comIN AResponsejsonplaceholder.typicode.comIN A104.21.59.19jsonplaceholder.typicode.comIN A172.67.167.151
-
Remote address:104.21.59.19:443RequestPOST /posts HTTP/1.1
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
Host: jsonplaceholder.typicode.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 201 Created
Content-Type: application/json; charset=utf-8
Content-Length: 40
Connection: keep-alive
Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1735509854&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=nDx6q0EIUtPO%2FEpjJ3TiHl0xpMSXaZ3gWW1HwX93Wu0%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1735509854&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=nDx6q0EIUtPO%2FEpjJ3TiHl0xpMSXaZ3gWW1HwX93Wu0%3D
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
X-Powered-By: Express
X-Ratelimit-Limit: 1000
X-Ratelimit-Remaining: 998
X-Ratelimit-Reset: 1735509904
Vary: Origin, X-HTTP-Method-Override, Accept-Encoding
Access-Control-Allow-Credentials: true
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Access-Control-Expose-Headers: Location
Location: https://jsonplaceholder.typicode.com/posts/101
X-Content-Type-Options: nosniff
Etag: W/"28-qTfHrE6INSRTzBnUDwZIeKeN1Wk"
Via: 1.1 vegur
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 8f9d15ab9e319521-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=28238&min_rtt=27336&rtt_var=8649&sent=6&recv=6&lost=0&retrans=0&sent_bytes=3298&recv_bytes=586&delivery_rate=131253&cwnd=253&unsent_bytes=0&cid=b35981db96fab86a&ts=331&x=0"
-
Remote address:1.1.1.1:53Requestandroid.apis.google.comIN AResponseandroid.apis.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A142.250.178.14
-
1.0kB 5.3kB 8 10
HTTP Request
POST https://jsonplaceholder.typicode.com/postsHTTP Response
201 -
240 B 4
-
240 B 4
-
4.3kB 40 B 5 1
-
1.7kB 40 B 2 1
-
858 B 40 B 1 1
-
2.6kB 40 B 3 1
-
2.3kB 7.3kB 14 12
-
240 B 4
-
240 B 4
-
240 B 4
-
240 B 4
-
364 B 7
-
135 B 40 B 2 1
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
728KB
MD53f8d8f0665728b1946e652755c553082
SHA15724cf24f1e9acb2e2f6a96e0576f1323f4d6513
SHA2563bd93e56b87b1d8a8d3baf270352b54d4c9395a87d64896e2554f833b02b39b8
SHA512903c842950e5bdec462a7608b904356539563cfbf36909a9fd1220ab82d837aa90fc4f1b273032e60aaa04a2f980465e551416da9c7167787339bd04723292e0
-
Filesize
728KB
MD5426fd69969638fbbfb9999ca069c9831
SHA1e69c7a06c831f98b822b3edb15ebe16710eee5b7
SHA2564c9e3edf2ab8d9eb1b5383c81f00aa1a93ab834f0c530f1f0a811677e055a185
SHA5126cdf602b59dc4df015c558853320828e5ac861eefd55c9715a043b28336186c48114c74d4e262420c92f20e4a13aadb454205017477a6e1327c448827babb9e8
-
Filesize
499B
MD52d69b303f1591f0d532d7b0f8c3c82dc
SHA1532a1a50e9aecac978d73a19591c104aabf98c96
SHA2560c54299a9764ab4d6e768b7953c3aafaa58a207830f447362e28d611db8abc12
SHA512eb4385246e5163305683c0551e575bbae578a260a1349239fb873d1a856c7a2c1f81df510cafca2c89e7b0786681a42ccfff24966b2b0b97a3351281fc97e36a
-
Filesize
728KB
MD58ef0efe11578f3495efa8bb95ed49e52
SHA1ac6fe9df41b8542058e366dd15526e210633dae4
SHA2562303b35989b9d4ed8dc19179ced33a6e54c54295beabd97fe9c5b783657997ca
SHA512802660c78fb03544a465e937f9e5506ff0ec08cddc7849b71cde1e5880138033b170d90975ae0fc80dfd14ca416585d79782ae1f78774062f552b2e7ab1afcd0