xenomorph | 8edbbc478df8f9d1566d8b940d191fc5e4a908fcc3fa1722f05d609c739d05fb

General

Target

8edbbc478df8f9d1566d8b940d191fc5e4a908fcc3fa1722f05d609c739d05fb.apk
Size

2.4MB
MD5

a702c2a39f4f773506fb77492ee85901
SHA1

3e8c864abcf4d9d443f9f9355d6ca11439424854
SHA256

8edbbc478df8f9d1566d8b940d191fc5e4a908fcc3fa1722f05d609c739d05fb
SHA512

ef215b0c8bdc3ae04981cefe28fabb34c783857346a67d369120e3aa38f6afe5a0df6e419d1a6e401f1afd2c9092100724646173beab3c9132b84a2681bc4c37
SSDEEP

49152:G5R6B8ocgwMdPFn2k637nA2aXRjgrylbQlDaf5rM9qEhEjpX:G5RJs3VFornA7RjgK6OfexhEjh

Score

10^/10

xenomorph banker collection credential_access defense_evasion discovery evasion impact infostealer trojan

Malware Config

Extracted

Family

xenomorph

C2

simpleyo5.tk

simpleyo5.cf

kart12sec.ga

kart12sec.gq

Extracted

Family

xenomorph

AES_key

Signatures

Xenomorph
Xenomorph is an Android banking trojan that is seemingly tied with AlienBot.
banker trojan infostealer xenomorph
Xenomorph family
xenomorph

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.spike.old/app_DynamicOptDex/hq.json	4602	com.spike.old

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.spike.old
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.spike.old

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.spike.old

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Reads the content of SMS inbox messages. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://sms/inbox	com.spike.old

Reads the content of outgoing SMS messages. 1 TTPs 2 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://sms/sent	com.spike.old
URI accessed for read	content://sms/draft	com.spike.old

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.spike.old

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.spike.old

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.spike.old

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.spike.old

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.spike.old

com.spike.old
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Reads the content of SMS inbox messages.
- Reads the content of outgoing SMS messages.
- Acquires the wake lock
- Queries information about active data network
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4602

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

System Information Discovery

2

T1426

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Protected User Data

2

T1636

SMS Messages

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1

T1471

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.spike.old/app_DynamicOptDex/hq.json

Filesize
893KB

MD5
2690b5434d844fcaa4527744faff8700

SHA1
2ec4338390f8bf65c7340257a149da66cb792593

SHA256
7cbcebcccb83e5dccd98a5ffef0aa16201e30f684cfa743bd91d459e5a1286e2

SHA512
87cc00acf8271f454dc756dd6247a207d793a4bb3e593850efac906e976bfc023ba6a9b27d2ca3f9a3d6a22ed94e8ca20db7bd4cf24180f73f2f6e075c032b86

Download Submit
/data/data/com.spike.old/app_DynamicOptDex/hq.json

Filesize
893KB

MD5
889aae346b72fa3bf1293888074da26a

SHA1
0626aa9b6ef6a3e695c92221a21ee323ebcc97a1

SHA256
40c6b36a316b596fca2b84cd4d65d745bd15d1c90c1428050b3e71917c1ee360

SHA512
5c06b9dc60abe38688b8b600557b1ebacbe51955f85776d18a010451774b529212f67f20ee5b05137fec76cb5975c33768e9ccc2c936aebe94b45f95cb11f3e4

Download Submit
/data/data/com.spike.old/app_DynamicOptDex/oat/hq.json.cur.prof

Filesize
2KB

MD5
d458c5128abfe72d997f9af1128970f7

SHA1
046f9aa860d504f13ac380e547d34f46a5fe7b17

SHA256
19513aa23c93861ce6cef835d4d9eb3e7b9d640fd0c771fc121f995e45e52d65

SHA512
bf9b3fc0c97055cd0fc318d93686bd1d64921e6125560527927f0d4f94e5b0044ca8ccb479687c2aeb8466c1a2276a66d5f36a8450730ac66c48163b2f76dea0

Download Submit
/data/user/0/com.spike.old/app_DynamicOptDex/hq.json

Filesize
2.4MB

MD5
fde08886038bffc5923fa098cd55d0cd

SHA1
d6f8dbbdd2ded86081cb81e690f5402552ee5345

SHA256
dae52bbee7f709fae9d91e06229c35b46d4559677f26152d4327fc1601d181be

SHA512
93b05624b145e56e081e0771b1ec635df4cf6109087abc67dabe7055ef745003109047370fd42bab83424b7ee396fc6116419f4c255bbd1a794ec558fa7a9091

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads