Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    29-12-2024 22:04

General

  • Target
    0bd7b57f21aa1d7df45d3537291c4513b882d60c3d5c2272c5a918d3c892a5f2.apk
  • Size
    3.3MB
  • MD5
    17d30a33fa35e9b55703fa28f8f06f08
  • SHA1
    8688c2ecac687246f44794effb6eca7db2ce4929
  • SHA256
    0bd7b57f21aa1d7df45d3537291c4513b882d60c3d5c2272c5a918d3c892a5f2
  • SHA512
    102b6ffd2a8bb1a7e7be5565991e480446b9aeabd281f5307162184497ecea2820aa9e56b30d1239bda8b58a35bd66063d388f9aaa9feb72a7c0d7dba310140f
  • SSDEEP
    49152:bsK9pjCIQMivuDiiYq8URysYC1XHsPOhCRPjdxHFmYwWyrHwUwdU5n3R07qhabRo:wKKIQ5V7k8Yi5xEYVeL3T4xYe7ZY

Malware Config

  • Extracted
    Family: alienbot
    C2: http://34.89.218.199
    rc4.plain
  • Extracted
    Family: alienbot
    C2: http://34.89.218.199

Signatures

  • Alienbot
    Alienbot is a fork of the Cerberus banker, first seen in January 2020.
  • Alienbot family
  • Cerberus
    An Android banker that has been rented to actors since 2019.
  • Cerberus family
  • Cerberus payload (2 IoCs)
  • Removes its main activity from the application launcher (1 TTPs, 1 IoCs)
  • Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
    Runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
    Application may abuse the framework's APIs to collect account information stored on the device.
  • Queries the phone number (MSISDN for GSM devices) (1 TTPs)
  • Acquires the wake lock (1 IoCs)
  • Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
    Application may abuse the framework's foreground service to continue running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTPs, 2 IoCs)
    Application may abuse the accessibility service to prevent its removal.
  • Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  • Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  • Checks CPU information (2 TTPs, 1 IoCs)
  • Checks memory information (2 TTPs, 1 IoCs)

Processes

  • future.clutch.chuckle
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4230
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/future.clutch.chuckle/app_DynamicOptDex/KTLn.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/future.clutch.chuckle/app_DynamicOptDex/oat/x86/KTLn.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4256

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/future.clutch.chuckle/app_DynamicOptDex/KTLn.json
    Filesize: 728KB
    MD5: 3f8d8f0665728b1946e652755c553082
    SHA1: 5724cf24f1e9acb2e2f6a96e0576f1323f4d6513
    SHA256: 3bd93e56b87b1d8a8d3baf270352b54d4c9395a87d64896e2554f833b02b39b8
    SHA512: 903c842950e5bdec462a7608b904356539563cfbf36909a9fd1220ab82d837aa90fc4f1b273032e60aaa04a2f980465e551416da9c7167787339bd04723292e0
  • /data/data/future.clutch.chuckle/app_DynamicOptDex/KTLn.json
    Filesize: 728KB
    MD5: 426fd69969638fbbfb9999ca069c9831
    SHA1: e69c7a06c831f98b822b3edb15ebe16710eee5b7
    SHA256: 4c9e3edf2ab8d9eb1b5383c81f00aa1a93ab834f0c530f1f0a811677e055a185
    SHA512: 6cdf602b59dc4df015c558853320828e5ac861eefd55c9715a043b28336186c48114c74d4e262420c92f20e4a13aadb454205017477a6e1327c448827babb9e8
  • /data/data/future.clutch.chuckle/app_DynamicOptDex/oat/KTLn.json.cur.prof
    Filesize: 499B
    MD5: 2d69b303f1591f0d532d7b0f8c3c82dc
    SHA1: 532a1a50e9aecac978d73a19591c104aabf98c96
    SHA256: 0c54299a9764ab4d6e768b7953c3aafaa58a207830f447362e28d611db8abc12
    SHA512: eb4385246e5163305683c0551e575bbae578a260a1349239fb873d1a856c7a2c1f81df510cafca2c89e7b0786681a42ccfff24966b2b0b97a3351281fc97e36a
  • /data/user/0/future.clutch.chuckle/app_DynamicOptDex/KTLn.json
    Filesize: 728KB
    MD5: 8ef0efe11578f3495efa8bb95ed49e52
    SHA1: ac6fe9df41b8542058e366dd15526e210633dae4
    SHA256: 2303b35989b9d4ed8dc19179ced33a6e54c54295beabd97fe9c5b783657997ca
    SHA512: 802660c78fb03544a465e937f9e5506ff0ec08cddc7849b71cde1e5880138033b170d90975ae0fc80dfd14ca416585d79782ae1f78774062f552b2e7ab1afcd0