Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

0bd7b57f21...f2.apk

android-9-x86

10

0bd7b57f21...f2.apk

android-10-x64

10

0bd7b57f21...f2.apk

android-11-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    29/12/2024, 22:04 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0bd7b57f21aa1d7df45d3537291c4513b882d60c3d5c2272c5a918d3c892a5f2.apk

  • Size

    3.3MB

  • MD5

    17d30a33fa35e9b55703fa28f8f06f08

  • SHA1

    8688c2ecac687246f44794effb6eca7db2ce4929

  • SHA256

    0bd7b57f21aa1d7df45d3537291c4513b882d60c3d5c2272c5a918d3c892a5f2

  • SHA512

    102b6ffd2a8bb1a7e7be5565991e480446b9aeabd281f5307162184497ecea2820aa9e56b30d1239bda8b58a35bd66063d388f9aaa9feb72a7c0d7dba310140f

  • SSDEEP

    49152:bsK9pjCIQMivuDiiYq8URysYC1XHsPOhCRPjdxHFmYwWyrHwUwdU5n3R07qhabRo:wKKIQ5V7k8Yi5xEYVeL3T4xYe7ZY

Score
10/10
alienbotcerberusbankercollectioncredential_accessdiscoveryevasionexecutioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://34.89.218.199

rc4.plain
1
icpdzzyawbiz

Extracted

Family

alienbot

C2

http://34.89.218.199

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Alienbot family
    alienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus family
    cerberus
  • Cerberus payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • future.clutch.chuckle
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4230
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/future.clutch.chuckle/app_DynamicOptDex/KTLn.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/future.clutch.chuckle/app_DynamicOptDex/oat/x86/KTLn.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4256

Network

  • flag-us
    DNS
    jsonplaceholder.typicode.com
    Remote address:
    1.1.1.1:53
    Request
    jsonplaceholder.typicode.com
    IN A
    Response
    jsonplaceholder.typicode.com
    IN A
    104.21.59.19
    jsonplaceholder.typicode.com
    IN A
    172.67.167.151
  • flag-us
    POST
    https://jsonplaceholder.typicode.com/posts
    Remote address:
    104.21.59.19:443
    Request
    POST /posts HTTP/1.1
    Content-Length: 15
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: jsonplaceholder.typicode.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 201 Created
    Date: Sun, 29 Dec 2024 22:04:14 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 40
    Connection: keep-alive
    Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1735509854&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=nDx6q0EIUtPO%2FEpjJ3TiHl0xpMSXaZ3gWW1HwX93Wu0%3D"}]}
    Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1735509854&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=nDx6q0EIUtPO%2FEpjJ3TiHl0xpMSXaZ3gWW1HwX93Wu0%3D
    Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
    X-Powered-By: Express
    X-Ratelimit-Limit: 1000
    X-Ratelimit-Remaining: 998
    X-Ratelimit-Reset: 1735509904
    Vary: Origin, X-HTTP-Method-Override, Accept-Encoding
    Access-Control-Allow-Credentials: true
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Access-Control-Expose-Headers: Location
    Location: https://jsonplaceholder.typicode.com/posts/101
    X-Content-Type-Options: nosniff
    Etag: W/"28-qTfHrE6INSRTzBnUDwZIeKeN1Wk"
    Via: 1.1 vegur
    cf-cache-status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8f9d15ab9e319521-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=28238&min_rtt=27336&rtt_var=8649&sent=6&recv=6&lost=0&retrans=0&sent_bytes=3298&recv_bytes=586&delivery_rate=131253&cwnd=253&unsent_bytes=0&cid=b35981db96fab86a&ts=331&x=0"
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.178.14
  • 104.21.59.19:443
    https://jsonplaceholder.typicode.com/posts
    tls, http
    1.0kB
     5.3kB
     8
    10

    HTTP Request

    POST https://jsonplaceholder.typicode.com/posts

    HTTP Response

    201
  • 34.89.218.199:80
    240 B
     4
  • 34.89.218.199:80
    240 B
     4
  • 142.250.200.46:443
    tls, https
    4.3kB
     40 B
     5
    1
  • 142.250.200.46:443
    tls, https
    1.7kB
     40 B
     2
    1
  • 142.250.200.46:443
    tls, https
    858 B
     40 B
     1
    1
  • 142.250.200.46:443
    tls, https
    2.6kB
     40 B
     3
    1
  • 142.250.178.14:443
    android.apis.google.com
    tls
    2.3kB
     7.3kB
     14
    12
  • 34.89.218.199:80
    240 B
     4
  • 34.89.218.199:80
    240 B
     4
  • 34.89.218.199:80
    240 B
     4
  • 34.89.218.199:80
    240 B
     4
  • 142.250.187.227:80
    364 B
     7
  • 142.250.179.228:443
    tls
    135 B
     40 B
     2
    1
  • 224.0.0.251:5353
    3.9kB
     13
  • 1.1.1.1:53
    jsonplaceholder.typicode.com
    dns
    74 B
     106 B
     1
    1

    DNS Request

    jsonplaceholder.typicode.com

    DNS Response

    104.21.59.19
    172.67.167.151

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
     109 B
     1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.178.14

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Stored Application Data

1
T1409

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/future.clutch.chuckle/app_DynamicOptDex/KTLn.json
    Filesize

    728KB

    MD5

    3f8d8f0665728b1946e652755c553082

    SHA1

    5724cf24f1e9acb2e2f6a96e0576f1323f4d6513

    SHA256

    3bd93e56b87b1d8a8d3baf270352b54d4c9395a87d64896e2554f833b02b39b8

    SHA512

    903c842950e5bdec462a7608b904356539563cfbf36909a9fd1220ab82d837aa90fc4f1b273032e60aaa04a2f980465e551416da9c7167787339bd04723292e0

    Download Submit

  • /data/data/future.clutch.chuckle/app_DynamicOptDex/KTLn.json
    Filesize

    728KB

    MD5

    426fd69969638fbbfb9999ca069c9831

    SHA1

    e69c7a06c831f98b822b3edb15ebe16710eee5b7

    SHA256

    4c9e3edf2ab8d9eb1b5383c81f00aa1a93ab834f0c530f1f0a811677e055a185

    SHA512

    6cdf602b59dc4df015c558853320828e5ac861eefd55c9715a043b28336186c48114c74d4e262420c92f20e4a13aadb454205017477a6e1327c448827babb9e8

    Download Submit

  • /data/data/future.clutch.chuckle/app_DynamicOptDex/oat/KTLn.json.cur.prof
    Filesize

    499B

    MD5

    2d69b303f1591f0d532d7b0f8c3c82dc

    SHA1

    532a1a50e9aecac978d73a19591c104aabf98c96

    SHA256

    0c54299a9764ab4d6e768b7953c3aafaa58a207830f447362e28d611db8abc12

    SHA512

    eb4385246e5163305683c0551e575bbae578a260a1349239fb873d1a856c7a2c1f81df510cafca2c89e7b0786681a42ccfff24966b2b0b97a3351281fc97e36a

    Download Submit

  • /data/user/0/future.clutch.chuckle/app_DynamicOptDex/KTLn.json
    Filesize

    728KB

    MD5

    8ef0efe11578f3495efa8bb95ed49e52

    SHA1

    ac6fe9df41b8542058e366dd15526e210633dae4

    SHA256

    2303b35989b9d4ed8dc19179ced33a6e54c54295beabd97fe9c5b783657997ca

    SHA512

    802660c78fb03544a465e937f9e5506ff0ec08cddc7849b71cde1e5880138033b170d90975ae0fc80dfd14ca416585d79782ae1f78774062f552b2e7ab1afcd0

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.