Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags
    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    29/12/2024, 22:04 UTC

General

  • Target

    0bd7b57f21aa1d7df45d3537291c4513b882d60c3d5c2272c5a918d3c892a5f2.apk

  • Size

    3.3MB

  • MD5

    17d30a33fa35e9b55703fa28f8f06f08

  • SHA1

    8688c2ecac687246f44794effb6eca7db2ce4929

  • SHA256

    0bd7b57f21aa1d7df45d3537291c4513b882d60c3d5c2272c5a918d3c892a5f2

  • SHA512

    102b6ffd2a8bb1a7e7be5565991e480446b9aeabd281f5307162184497ecea2820aa9e56b30d1239bda8b58a35bd66063d388f9aaa9feb72a7c0d7dba310140f

  • SSDEEP

    49152:bsK9pjCIQMivuDiiYq8URysYC1XHsPOhCRPjdxHFmYwWyrHwUwdU5n3R07qhabRo:wKKIQ5V7k8Yi5xEYVeL3T4xYe7ZY

Malware Config

Extracted

Family

alienbot

C2

http://34.89.218.199

rc4.plain
1
icpdzzyawbiz

Extracted

Family

alienbot

C2

http://34.89.218.199

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

  • Alienbot family
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

  • Cerberus family
  • Cerberus payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • future.clutch.chuckle
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4230
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/future.clutch.chuckle/app_DynamicOptDex/KTLn.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/future.clutch.chuckle/app_DynamicOptDex/oat/x86/KTLn.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4256

Network

  • flag-us
    DNS
    jsonplaceholder.typicode.com
    Remote address:
    1.1.1.1:53
    Request
    jsonplaceholder.typicode.com
    IN A
    Response
    jsonplaceholder.typicode.com
    IN A
    104.21.59.19
    jsonplaceholder.typicode.com
    IN A
    172.67.167.151
  • flag-us
    POST
    https://jsonplaceholder.typicode.com/posts
    Remote address:
    104.21.59.19:443
    Request
    POST /posts HTTP/1.1
    Content-Length: 15
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: jsonplaceholder.typicode.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 201 Created
    Date: Sun, 29 Dec 2024 22:04:14 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 40
    Connection: keep-alive
    Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1735509854&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=nDx6q0EIUtPO%2FEpjJ3TiHl0xpMSXaZ3gWW1HwX93Wu0%3D"}]}
    Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1735509854&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=nDx6q0EIUtPO%2FEpjJ3TiHl0xpMSXaZ3gWW1HwX93Wu0%3D
    Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
    X-Powered-By: Express
    X-Ratelimit-Limit: 1000
    X-Ratelimit-Remaining: 998
    X-Ratelimit-Reset: 1735509904
    Vary: Origin, X-HTTP-Method-Override, Accept-Encoding
    Access-Control-Allow-Credentials: true
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Access-Control-Expose-Headers: Location
    Location: https://jsonplaceholder.typicode.com/posts/101
    X-Content-Type-Options: nosniff
    Etag: W/"28-qTfHrE6INSRTzBnUDwZIeKeN1Wk"
    Via: 1.1 vegur
    cf-cache-status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8f9d15ab9e319521-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=28238&min_rtt=27336&rtt_var=8649&sent=6&recv=6&lost=0&retrans=0&sent_bytes=3298&recv_bytes=586&delivery_rate=131253&cwnd=253&unsent_bytes=0&cid=b35981db96fab86a&ts=331&x=0"
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.178.14
  • 104.21.59.19:443
    https://jsonplaceholder.typicode.com/posts
    tls, http
    1.0kB
    5.3kB
    8
    10

    HTTP Request

    POST https://jsonplaceholder.typicode.com/posts

    HTTP Response

    201
  • 34.89.218.199:80
    240 B
    4
  • 34.89.218.199:80
    240 B
    4
  • 142.250.200.46:443
    tls, https
    4.3kB
    40 B
    5
    1
  • 142.250.200.46:443
    tls, https
    1.7kB
    40 B
    2
    1
  • 142.250.200.46:443
    tls, https
    858 B
    40 B
    1
    1
  • 142.250.200.46:443
    tls, https
    2.6kB
    40 B
    3
    1
  • 142.250.178.14:443
    android.apis.google.com
    tls
    2.3kB
    7.3kB
    14
    12
  • 34.89.218.199:80
    240 B
    4
  • 34.89.218.199:80
    240 B
    4
  • 34.89.218.199:80
    240 B
    4
  • 34.89.218.199:80
    240 B
    4
  • 142.250.187.227:80
    364 B
    7
  • 142.250.179.228:443
    tls
    135 B
    40 B
    2
    1
  • 224.0.0.251:5353
    3.9kB
    13
  • 1.1.1.1:53
    jsonplaceholder.typicode.com
    dns
    74 B
    106 B
    1
    1

    DNS Request

    jsonplaceholder.typicode.com

    DNS Response

    104.21.59.19
    172.67.167.151

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.178.14

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/future.clutch.chuckle/app_DynamicOptDex/KTLn.json

    Filesize

    728KB

    MD5

    3f8d8f0665728b1946e652755c553082

    SHA1

    5724cf24f1e9acb2e2f6a96e0576f1323f4d6513

    SHA256

    3bd93e56b87b1d8a8d3baf270352b54d4c9395a87d64896e2554f833b02b39b8

    SHA512

    903c842950e5bdec462a7608b904356539563cfbf36909a9fd1220ab82d837aa90fc4f1b273032e60aaa04a2f980465e551416da9c7167787339bd04723292e0

  • /data/data/future.clutch.chuckle/app_DynamicOptDex/KTLn.json

    Filesize

    728KB

    MD5

    426fd69969638fbbfb9999ca069c9831

    SHA1

    e69c7a06c831f98b822b3edb15ebe16710eee5b7

    SHA256

    4c9e3edf2ab8d9eb1b5383c81f00aa1a93ab834f0c530f1f0a811677e055a185

    SHA512

    6cdf602b59dc4df015c558853320828e5ac861eefd55c9715a043b28336186c48114c74d4e262420c92f20e4a13aadb454205017477a6e1327c448827babb9e8

  • /data/data/future.clutch.chuckle/app_DynamicOptDex/oat/KTLn.json.cur.prof

    Filesize

    499B

    MD5

    2d69b303f1591f0d532d7b0f8c3c82dc

    SHA1

    532a1a50e9aecac978d73a19591c104aabf98c96

    SHA256

    0c54299a9764ab4d6e768b7953c3aafaa58a207830f447362e28d611db8abc12

    SHA512

    eb4385246e5163305683c0551e575bbae578a260a1349239fb873d1a856c7a2c1f81df510cafca2c89e7b0786681a42ccfff24966b2b0b97a3351281fc97e36a

  • /data/user/0/future.clutch.chuckle/app_DynamicOptDex/KTLn.json

    Filesize

    728KB

    MD5

    8ef0efe11578f3495efa8bb95ed49e52

    SHA1

    ac6fe9df41b8542058e366dd15526e210633dae4

    SHA256

    2303b35989b9d4ed8dc19179ced33a6e54c54295beabd97fe9c5b783657997ca

    SHA512

    802660c78fb03544a465e937f9e5506ff0ec08cddc7849b71cde1e5880138033b170d90975ae0fc80dfd14ca416585d79782ae1f78774062f552b2e7ab1afcd0
