Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm
    arch:x86
    image:android-x86-arm-20240910-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    14-01-2025 22:07

General

  • Target

    20bf0d3262150730fdf6869243e6bdf19feda0c15d0d09b6611f57075fed6b0b.apk

  • Size

    1.4MB

  • MD5

    a215f520a027c6d8896862e28fb4bcb8

  • SHA1

    827df4030fe8ca6aebb038727c4348a50cc9566f

  • SHA256

    20bf0d3262150730fdf6869243e6bdf19feda0c15d0d09b6611f57075fed6b0b

  • SHA512

    b5aabcd5280c7ce13d3155d8661cc871cce06ffbaa4c1920f9043f385f762553b3347225f3ec78dd196c62794a1268558f3fd101393d14547b1256d8805b33a0

  • SSDEEP

    24576:HsZs6jT0x4AytNk8RmYjX/Tq6v9yJuRrtTt+1O5lXi2Si/dgRtLKeN+0:Hsq6jTC4AytV8YjvTtv9yJuRp5+1OXih

Malware Config

Extracted

Family

alienbot

C2

https://hosgeldin2023.com

rc4.plain

Extracted

Family

alienbot

C2

https://hosgeldin2023.com

Signatures

  • Alienbot

    Alienbot is a fork of the Cerberus banker, first seen in January 2020.

  • Alienbot family
  • Cerberus

    An Android banker rented out to actors since 2019.

  • Cerberus family
  • Cerberus payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Checks Android system properties for emulator presence. 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Loads and runs executable code (a DEX or JAR file) dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.later.gaze
    1⤵
    • Removes its main activity from the application launcher
    • Checks Android system properties for emulator presence.
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4340
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.later.gaze/app_DynamicOptDex/hTmUMU.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.later.gaze/app_DynamicOptDex/oat/x86/hTmUMU.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4365

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.later.gaze/app_DynamicOptDex/hTmUMU.json

    Filesize

    238KB

    MD5

    9d24bf25aa3efb28357a2fbc95d1fd59

    SHA1

    5844fc73e8db6223ba78db30fe57da80eed37f8e

    SHA256

    e54e0e3302239e1af4978940ffc33f8f2d295b55efca756de48bd5d7168de7b1

    SHA512

    ab81a44b7481987515d56ffecd888c35236fb5addd7f2ed14619cd03538d220275a4beca34f836f41eaa2f678f254e2fa32ed70879fbd11704466342c6c1f0a7

  • /data/data/com.later.gaze/app_DynamicOptDex/hTmUMU.json

    Filesize

    238KB

    MD5

    aa6b07098357450e722fb755133d7147

    SHA1

    14eabec23fc941fc77365e5f452f58e0791ba45c

    SHA256

    4147b6a93680470d8686159af6fcc920b57117a324b838e47a28a1896e3f3729

    SHA512

    6b78655cf806201dba55a695bf3745231ab0d30869b138ca7b9e43b45686c80512800b15d0bfab16876143c65450018dd5b9b42e505bb9fee4d6cf1414477190

  • /data/data/com.later.gaze/app_DynamicOptDex/oat/hTmUMU.json.cur.prof

    Filesize

    490B

    MD5

    878820c47e2d16695fc01ff9de32470f

    SHA1

    9bef525f7ccf38256be4375832f59f67ab6daa0b

    SHA256

    a8390fc0e4585f68c7a43fb5922c4ad9a699f3ae762e03895b332208ec5b6d67

    SHA512

    aa810a97e12c042d2a2485a122978b3bfb38cb24842a9b579ef7e9e8d0895984a490e65f39371e0e2ef6aef2bff50171d96582139c7135820d58daed0d01b3cd

  • /data/user/0/com.later.gaze/app_DynamicOptDex/hTmUMU.json

    Filesize

    483KB

    MD5

    7bc904ee99310cbca8217f5aed950510

    SHA1

    4b203a9ed0c0f96eafbf8befa8ed10cc11689615

    SHA256

    d2027c54b9cddd6f5f20df3a513f032d17a6475bb826bd36f0c30953d0649efb

    SHA512

    8302e556001917414d43391cdc23e37571aba5a5c96728dc3a3e58af997165efb4065ad20eec4344b0cabad1d4f8d73bb9c85ed383f65ffae537b00ab8834bae

  • /data/user/0/com.later.gaze/app_DynamicOptDex/hTmUMU.json

    Filesize

    483KB

    MD5

    310d174a08f6df51307a6a2a05a1321c

    SHA1

    e262caf64a460d4e5e46a9eb09e5f26d70ec8162

    SHA256

    e5377f5bfda35377b2ceb723539f4b1e78f0765cfd6f06cdedb54b770ab54ed7

    SHA512

    4b5044e26aa75a4757ee17958fce14d09e9437a0cc9cbda920e15f23a3d61c4b0f0fe84386792fbfb77a8c6940866d80c0a4ff55952c62f2d076a5cdf3dacee1
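The process tree above shows dex2oat being invoked on `app_DynamicOptDex/hTmUMU.json`, and the Downloads list records that same path with two different sizes and hash sets (238KB, then 483KB): the dropped payload is a DEX file carrying a `.json` extension that is rewritten during the run. The helper below is an added example, not part of the sandbox report or of the sample; it checks whether a dropped file is really DEX regardless of its name and validates the header's Adler-32 checksum, SHA-1 signature and size fields so a complete payload can be told apart from one that is truncated, still being written, or patched after the fact. The file names and bytes it operates on are constructed test data, and `build_dex` produces only a structurally valid container, not loadable classes.

```python
"""Triage a sandbox-dropped file such as
/data/user/0/<pkg>/app_DynamicOptDex/<name>.json: detect a DEX payload behind
a non-code extension and verify its header fields.

Added example, not code from the sandbox or the sample; all inputs are
constructed test data."""
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70                                  # fixed DEX header length
DEX_MAGICS = {b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0"}
CODE_EXTENSIONS = (".dex", ".jar", ".apk", ".odex", ".vdex")


def build_dex(payload: bytes, version: bytes = b"035") -> bytes:
    """Wrap `payload` in a minimal DEX container (constructed data: only the
    header fields under test are meaningful, the body is opaque bytes)."""
    file_size = HEADER_SIZE + len(payload)
    # bytes 32..111: file_size, header_size, endian_tag, then zeroed sizes/offsets
    after_sig = struct.pack("<III", file_size, HEADER_SIZE, 0x12345678)
    after_sig += b"\0" * (HEADER_SIZE - 32 - 12) + payload
    signature = hashlib.sha1(after_sig).digest()                # SHA-1 over bytes 32..end
    checksum = zlib.adler32(signature + after_sig) & 0xFFFFFFFF  # Adler-32 over bytes 12..end
    return b"dex\n" + version + b"\0" + struct.pack("<I", checksum) + signature + after_sig


def inspect_dex(data: bytes) -> dict:
    """Return header facts about `data`; `is_dex` is False when the magic is absent."""
    info = {"is_dex": False, "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
    if len(data) < HEADER_SIZE or data[:8] not in DEX_MAGICS:
        return info
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    info.update(
        is_dex=True,
        version=data[4:7].decode("ascii"),
        checksum_ok=(zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
        signature_ok=hashlib.sha1(data[32:]).digest() == signature,
        size_ok=(file_size == len(data) and header_size == HEADER_SIZE),
        little_endian=(endian_tag == 0x12345678),
    )
    return info


def triage(name: str, data: bytes) -> str:
    """Classify a dropped file by the gap between its name and its content."""
    info = inspect_dex(data)
    if not info["is_dex"]:
        return "not-dex"
    if not (info["checksum_ok"] and info["signature_ok"] and info["size_ok"]):
        return "damaged-dex"        # truncated, mid-write, or patched after the fact
    return "dex" if name.lower().endswith(CODE_EXTENSIONS) else "disguised-dex"


if __name__ == "__main__":
    samples = {                      # constructed stand-ins, not the real dropped files
        "hTmUMU.json": build_dex(b"\0" * 64),
        "settings.json": b'{"hello": "world"}',
    }
    for fname, blob in samples.items():
        print(f"{fname}: {triage(fname, blob)} sha256={inspect_dex(blob)['sha256']}")
```

Run it over each hash-distinct copy of a dropped path listed under Downloads: a verdict of `disguised-dex` on a `.json` name is the same fact dex2oat exposes above, and `damaged-dex` on one copy and `disguised-dex` on another is what you expect when the sandbox captured the file both mid-write and complete.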