Analysis
-
max time kernel
149s -
max time network
152s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
submitted
10-01-2025 22:08
Static task
static1
Behavioral task
behavioral1
Sample
0086bace2a2b6d9d922c97e9cd75f300f3e02ffe7f36007108bf0a2f1f39189f.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
0086bace2a2b6d9d922c97e9cd75f300f3e02ffe7f36007108bf0a2f1f39189f.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
0086bace2a2b6d9d922c97e9cd75f300f3e02ffe7f36007108bf0a2f1f39189f.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
0086bace2a2b6d9d922c97e9cd75f300f3e02ffe7f36007108bf0a2f1f39189f.apk
-
Size
1.5MB
-
MD5
a76f6f92ed559e1803cf03742b377968
-
SHA1
7b4d2ab29a2d7a6acc8fc47856da4ed6b01f3b57
-
SHA256
0086bace2a2b6d9d922c97e9cd75f300f3e02ffe7f36007108bf0a2f1f39189f
-
SHA512
fa61811fa73f2592f4224c52694b2cade979eeafe3568df4e19ad1383498bcce12946110d83a09a16645d370d58805caee4f3a3c2aaf844144cd8ec4dabafb37
-
SSDEEP
24576:MSKFrKoWvygWDh7TrO1N/drdBIjNIf97VcdSLj+mv4nrBb8:MBGdg9uL/dk07idSLj+7Bb8
Malware Config
Extracted
alienbot
http://45.12.253.155
(the same family and URL were extracted a second time with identical values)
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Alienbot family
-
Cerberus family
-
Cerberus payload 1 IoCs
resource: behavioral3/memory/4866-0.dex, yara_rule: family_cerberus
pid: 4866, Process: com.field.garment
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.field.garment/app_DynamicOptDex/mJAI.json, pid: 4866, Process: com.field.garment
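The indicator above is a DEX payload loaded from a file named mJAI.json, i.e. code dropped under a non-code extension, which is why the YARA hit sits in a memory dump (behavioral3/memory/4866-0.dex) rather than on disk under a .dex name. The script below is an added example and is not part of the sandbox report or of the sample: it walks a directory tree pulled from a test device (for instance the app's /data/user/0/<pkg> directory, or a sandbox file dump), identifies DEX/JAR content by magic bytes instead of by extension, verifies the DEX header's adler32 checksum so truncated or patched drops stand out, and hashes every hit so it can be matched against the hashes in the Downloads section. The directory layout and file contents are constructed inline so it runs offline; the "minimal DEX" is only a valid header plus a few bytes, not a loadable class file.

```python
"""Find DEX/JAR payloads dropped under misleading file names and hash them."""
import hashlib
import os
import tempfile
import zipfile
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional

DEX_MAGIC = b"dex\n"       # full magic is "dex\n" + version, e.g. "035\0"
ODEX_MAGIC = b"dey\n"      # optimized dex
ZIP_MAGIC = b"PK\x03\x04"  # jar/apk container; DexClassLoader accepts these too

# Extensions under which each container type would normally be found.
EXPECTED_EXT = {"dex": {".dex"}, "odex": {".odex", ".dey"},
                "zip": {".jar", ".apk", ".zip"}}


@dataclass
class Finding:
    path: str                    # relative to the scanned root, "/"-separated
    kind: str                    # "dex", "odex" or "zip"
    ext: str                     # extension the file was dropped with
    checksum_ok: Optional[bool]  # DEX header adler32 check; None unless kind == "dex"
    md5: str
    sha256: str

    @property
    def extension_mismatch(self) -> bool:
        """True when the content type does not match the file extension."""
        return self.ext.lower() not in EXPECTED_EXT[self.kind]


def classify(data: bytes) -> Optional[str]:
    """Identify a code container by its leading bytes, ignoring the name."""
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ODEX_MAGIC):
        return "odex"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return None


def dex_checksum_ok(data: bytes) -> bool:
    """The DEX header stores at offset 8 an adler32 over every byte from
    offset 12 to the end of the file; a truncated or patched drop fails it."""
    if len(data) < 0x70:  # minimum DEX header size
        return False
    stored = int.from_bytes(data[8:12], "little")
    return (zlib.adler32(data[12:]) & 0xFFFFFFFF) == stored


def scan_tree(root: str) -> List[Finding]:
    """Walk a pulled app-data directory and report every code container."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            kind = classify(data)
            if kind is None:
                continue
            findings.append(Finding(
                path=os.path.relpath(full, root).replace(os.sep, "/"),
                kind=kind,
                ext=os.path.splitext(name)[1],
                checksum_ok=dex_checksum_ok(data) if kind == "dex" else None,
                md5=hashlib.md5(data).hexdigest(),
                sha256=hashlib.sha256(data).hexdigest(),
            ))
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed test data laid out like the report's dropped-file path."""
    opt = os.path.join(root, "app_DynamicOptDex")
    os.makedirs(opt, exist_ok=True)
    # Minimal DEX: 8-byte magic, 4-byte checksum, zero-filled rest of the
    # 0x70-byte header and a few body bytes. Checksum computed as ART does.
    body = b"\x00" * (0x70 - 12) + b"payload"
    checksum = zlib.adler32(body) & 0xFFFFFFFF
    fake_dex = b"dex\n035\x00" + checksum.to_bytes(4, "little") + body
    with open(os.path.join(opt, "mJAI.json"), "wb") as fh:      # dex named .json
        fh.write(fake_dex)
    with open(os.path.join(opt, "mJAI.json.bak"), "wb") as fh:  # truncated copy
        fh.write(fake_dex[:-1])
    with open(os.path.join(root, "config.json"), "w") as fh:    # genuine JSON
        fh.write('{"interval": 60}')
    with zipfile.ZipFile(os.path.join(root, "lib.jar"), "w") as zf:
        zf.writestr("classes.dex", fake_dex)                     # jar, name matches


def scan_sample() -> Dict[str, Finding]:
    """Build the constructed tree in a temp dir and return findings by path."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {f.path: f for f in scan_tree(tmp)}


if __name__ == "__main__":
    for path, f in sorted(scan_sample().items()):
        flag = "SUSPICIOUS" if f.extension_mismatch else "expected"
        print(f"{flag:10} {f.kind:4} ext={f.ext!r:12} dex_checksum={f.checksum_ok} "
              f"sha256={f.sha256[:16]}.. {path}")
```

Point scan_tree at a real pulled directory to triage a device; files flagged with extension_mismatch and a passing checksum are complete second-stage payloads worth submitting, while a failing checksum usually means the pull or the drop was truncated.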
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, Process: com.field.garment
description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, Process: com.field.garment
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description: Framework service call, ioc: android.accounts.IAccountManager.getAccountsAsUser, Process: com.field.garment
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, Process: com.field.garment
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, Process: com.field.garment
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent its own removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, Process: com.field.garment
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, Process: com.field.garment
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description: Intent action, ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, Process: com.field.garment
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description: Framework service call, ioc: android.app.job.IJobScheduler.schedule, Process: com.field.garment
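Three of the signatures above (use of the Accessibility service, accessibility actions performed to block removal, and the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS prompt) leave state on the device that can be checked without the sandbox. The script below is an added example, not part of the report or of the sample: it parses the output of `adb shell settings get secure enabled_accessibility_services` (colon-separated package/class component names, or "null" when none is enabled) and `adb shell dumpsys deviceidle whitelist` (one `source,package,uid` line per exempted package, where source "user" means the exemption was granted through the prompt rather than by the system image), flags any package that holds an accessibility service outside a baseline allowlist or a user-granted battery exemption, and builds the replacement setting value needed to strip the rogue service. The command outputs are constructed here so the script runs offline; the allowlist (TalkBack only) and the class name `.AccessService` under com.field.garment are assumptions for the example.

```python
"""Device-side triage for rogue accessibility services and battery exemptions."""
from typing import Dict, List, Set, Tuple

Component = Tuple[str, str]  # (package, fully qualified service class)

# Baseline of accessibility services expected on the test device.
# Assumption for this example; replace with the fleet's own allowlist.
TRUSTED_ACCESSIBILITY: Set[str] = {"com.google.android.marvin.talkback"}

# Constructed output of: adb shell settings get secure enabled_accessibility_services
# The class name under com.field.garment is hypothetical.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.field.garment/.AccessService"
)

# Constructed output of: adb shell dumpsys deviceidle whitelist
SAMPLE_DEVICEIDLE = """\
system-excidle,com.android.providers.downloads,10009
system,com.google.android.gms,10020
user,com.field.garment,10231
"""


def parse_accessibility(value: str) -> List[Component]:
    """Split the setting into (package, class) pairs; '.Cls' is package-relative."""
    value = value.strip()
    if not value or value == "null":
        return []
    out: List[Component] = []
    for entry in value.split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        out.append((pkg, cls))
    return out


def parse_deviceidle_whitelist(text: str) -> Dict[str, str]:
    """Map package -> exemption source ('system', 'system-excidle' or 'user')."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue  # headers or blank lines
        source, pkg, _uid = parts
        result[pkg] = source
    return result


def triage(acc_value: str, whitelist_text: str,
           trusted: Set[str] = TRUSTED_ACCESSIBILITY) -> Dict[str, Set[str]]:
    """Return package -> set of reasons it was flagged."""
    flags: Dict[str, Set[str]] = {}
    for pkg, _cls in parse_accessibility(acc_value):
        if pkg not in trusted:
            flags.setdefault(pkg, set()).add("untrusted-accessibility-service")
    for pkg, source in parse_deviceidle_whitelist(whitelist_text).items():
        # "user" is what accepting the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
        # prompt produces; system entries come from the device image.
        if source == "user":
            flags.setdefault(pkg, set()).add("user-battery-exemption")
    return flags


def strip_packages(acc_value: str, remove: Set[str]) -> str:
    """Setting value with the given packages' services removed, for
    `adb shell settings put secure enabled_accessibility_services <value>`."""
    kept = [f"{pkg}/{cls}" for pkg, cls in parse_accessibility(acc_value)
            if pkg not in remove]
    return ":".join(kept)


if __name__ == "__main__":
    flagged = triage(SAMPLE_ACCESSIBILITY, SAMPLE_DEVICEIDLE)
    for pkg, reasons in sorted(flagged.items()):
        print(f"{pkg}: {', '.join(sorted(reasons))}")
    print("new setting:", strip_packages(SAMPLE_ACCESSIBILITY, set(flagged)))
```

A package that shows up with both reasons matches the behaviour in this report. Removing the service from the setting only takes away the accessibility capability the sample uses to block uninstallation; the package itself still has to be removed afterwards (for example with `adb shell pm uninstall --user 0 <pkg>`), and the dex payload found under app_DynamicOptDex goes with it.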
Processes
-
com.field.garment
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
PID:4866
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (T1407): 1
- Foreground Persistence (T1541): 1
- Hide Artifacts (T1628): 2
  - Suppress Application Icon (T1628.001): 1
  - User Evasion (T1628.002): 1
- Impair Defenses (T1629): 1
  - Prevent Application Removal (T1629.001): 1
- Input Injection (T1516): 1
Downloads
-
Filesize
238KB
MD5
015fe6d750580d6796ef6728239c2d77
SHA1
734d6dd2a2cdee31d6a6b311800a1861196f6e30
SHA256
6fb25641c1d67c6343f00d510f61c897494f5ad3482ece1a39cd9a80ec7faeee
SHA512
17e41259a7f8ade39040406f02005ce8385bc42769a4bd3c03dfbd167cd48776ce0a0f636596fe47c88562ef7e41873575ca3b34281b53e58133ef5940b021f0
-
Filesize
238KB
MD5
95d4ccf5a95e9c8173382f4aba3335bf
SHA1
45216107337949913f682dc5c0c8fe9c78f21067
SHA256
9dac189da26808be6fbeb61a6a08121ba84d41ce456064975bdc9c1ae924d8de
SHA512
fe025aced9aa496e1e9519d36bc920a2c5ddcceb8b021e98e6550b2931ec97df5dca3d5f02b251152d74a30c63a21e060cb105ee8ddc638939ae8e93cf45f97a
-
Filesize
483KB
MD5
663445c897669ee3a1230e4a583a5818
SHA1
afc2d9c6933fddfbc26581e9d9a55c483e4630f2
SHA256
056e476cb5708ecad8443ae414b346ab2ff0f99fa5052eed1cdffc3c0b84c865
SHA512
77c08af30c99747c355be56f37173dc59253e5a7c23ac9d90c1c7ceee9cabace7caf6b3cf4b645168e9fbe2ec8a1351577693b9c383af5591b7b54f52b0162f4