Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    29-12-2024 22:04

General

  • Target

    0bd7b57f21aa1d7df45d3537291c4513b882d60c3d5c2272c5a918d3c892a5f2.apk

  • Size

    3.3MB

  • MD5

    17d30a33fa35e9b55703fa28f8f06f08

  • SHA1

    8688c2ecac687246f44794effb6eca7db2ce4929

  • SHA256

    0bd7b57f21aa1d7df45d3537291c4513b882d60c3d5c2272c5a918d3c892a5f2

  • SHA512

    102b6ffd2a8bb1a7e7be5565991e480446b9aeabd281f5307162184497ecea2820aa9e56b30d1239bda8b58a35bd66063d388f9aaa9feb72a7c0d7dba310140f

  • SSDEEP

    49152:bsK9pjCIQMivuDiiYq8URysYC1XHsPOhCRPjdxHFmYwWyrHwUwdU5n3R07qhabRo:wKKIQ5V7k8Yi5xEYVeL3T4xYe7ZY

Malware Config

Extracted

Family

alienbot

C2

http://34.89.218.199

rc4.plain

Extracted

Family

alienbot

C2

http://34.89.218.199

Signatures

  • Alienbot

    Alienbot is a fork of the Cerberus banker, first seen in January 2020.

  • Alienbot family
  • Cerberus

    An Android banker that has been rented to actors since 2019.

  • Cerberus family
  • Cerberus payload (1 IoC)
  • Removes its main activity from the application launcher (1 TTP, 8 IoCs)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Loads and runs a Dex/Jar file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries account information for other applications stored on the device (1 TTP, 1 IoC)

    The application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    The application may abuse the framework's APIs to schedule initial or recurring execution of malicious code.
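The signatures above are dynamic (they fire when the sample actually does these things in the sandbox). For triage before detonation, the same behaviours leave static traces: the permissions in AndroidManifest.xml and the class and method names in classes.dex. The script below is an added example written for this page, not the sandbox vendor's code and not taken from the sample. The mapping from each report signature to manifest permissions and dex strings is the editor's assumption (the permission and class names themselves are real Android identifiers); the manifest and the dex fragment it scans are constructed inline so it runs offline. It flags which of the report's behaviours an APK is at least equipped for; a raw substring scan is crude and is defeated by reflection or string obfuscation, so a clean result is not a clean sample.

```python
"""Static pre-triage of an APK against the behaviours listed in the report.

Added example (editor's code). SIGNATURE -> indicator mappings are the
editor's assumption; SAMPLE_MANIFEST and SAMPLE_DEX are constructed input.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Report signature -> <uses-permission> names that normally accompany it.
PERMISSION_INDICATORS = {
    "Queries account information for other applications":
        {"android.permission.GET_ACCOUNTS"},
    "Queries the phone number (MSISDN)":
        {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"},
    "Acquires the wake lock":
        {"android.permission.WAKE_LOCK"},
    "Makes use of the framework's foreground persistence service":
        {"android.permission.FOREGROUND_SERVICE"},
    "Requests disabling of battery optimizations":
        {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}

# Report signature -> strings that end up in the dex string pool when the
# corresponding API is referenced directly (not via reflection).
CODE_INDICATORS = {
    "Removes its main activity from the application launcher":
        [b"setComponentEnabledSetting"],
    "Loads dropped Dex/Jar":
        [b"Ldalvik/system/DexClassLoader;", b"Ldalvik/system/InMemoryDexClassLoader;"],
    "Performs UI accessibility actions on behalf of the user":
        [b"performGlobalAction", b"performAction"],
    "Schedules tasks to execute at a specified time":
        [b"Landroid/app/AlarmManager;", b"setExactAndAllowWhileIdle"],
}

ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return {signature: [matching indicators]} for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hits = {}
    for sig, needed in PERMISSION_INDICATORS.items():
        found = sorted(perms & needed)
        if found:
            hits[sig] = found
    # An accessibility service is a <service> that the system binds with
    # BIND_ACCESSIBILITY_SERVICE; that is the static trace of the
    # "Makes use of the framework's Accessibility service" signature.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND:
            hits.setdefault("Accessibility service declared", []).append(
                svc.get(ANDROID_NS + "name"))
    return hits


def triage_dex(dex_bytes: bytes) -> dict:
    """Return {signature: [strings found]} from a raw substring scan of a dex."""
    hits = {}
    for sig, needles in CODE_INDICATORS.items():
        found = [n.decode() for n in needles if n in dex_bytes]
        if found:
            hits[sig] = found
    return hits


# Constructed manifest resembling what the report's signatures imply; not
# the sample's real manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="future.clutch.chuckle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed dex-like bytes: a header magic followed by a few pool strings.
SAMPLE_DEX = (b"dex\n035\0" + b"\0" * 8
              + b"Ldalvik/system/DexClassLoader;\0"
              + b"setComponentEnabledSetting\0"
              + b"performGlobalAction\0")

if __name__ == "__main__":
    for sig, found in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"[manifest] {sig}: {found}")
    for sig, found in triage_dex(SAMPLE_DEX).items():
        print(f"[dex]      {sig}: {found}")
```

On a real APK, feed `triage_manifest` the manifest decoded by apktool or androguard (the binary AXML in the zip must be decoded first) and `triage_dex` the raw bytes of each classes*.dex; a dropped payload such as the KTLn.json under app_DynamicOptDex in the Downloads section can be scanned the same way once pulled from the device.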

Processes

  • future.clutch.chuckle (PID 4719)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Schedules tasks to execute at a specified time

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/future.clutch.chuckle/app_DynamicOptDex/KTLn.json

    Filesize

    728KB

    MD5

    3f8d8f0665728b1946e652755c553082

    SHA1

    5724cf24f1e9acb2e2f6a96e0576f1323f4d6513

    SHA256

    3bd93e56b87b1d8a8d3baf270352b54d4c9395a87d64896e2554f833b02b39b8

    SHA512

    903c842950e5bdec462a7608b904356539563cfbf36909a9fd1220ab82d837aa90fc4f1b273032e60aaa04a2f980465e551416da9c7167787339bd04723292e0

  • /data/user/0/future.clutch.chuckle/app_DynamicOptDex/KTLn.json

    Filesize

    728KB

    MD5

    426fd69969638fbbfb9999ca069c9831

    SHA1

    e69c7a06c831f98b822b3edb15ebe16710eee5b7

    SHA256

    4c9e3edf2ab8d9eb1b5383c81f00aa1a93ab834f0c530f1f0a811677e055a185

    SHA512

    6cdf602b59dc4df015c558853320828e5ac861eefd55c9715a043b28336186c48114c74d4e262420c92f20e4a13aadb454205017477a6e1327c448827babb9e8

  • /data/user/0/future.clutch.chuckle/app_DynamicOptDex/oat/KTLn.json.cur.prof

    Filesize

    351B

    MD5

    920be24c04cd6dc27f21898a3ae08c17

    SHA1

    d35482b1764aa772bd4a8e3d02b559f9308b9031

    SHA256

    90b9b0131e7587dfd26f2b0b131fafd12873ef53685ad56814e50c558e8989a2

    SHA512

    2b9e2997598ecd34ce96febd1b743c530e45f52f882ee464fe48957355979bda90780f7877bc77cc19f70ea6b30ee80360d42e44804f39e54967ff522f1f53e5