xenomorph | 4700a4e1f24f2d74a1d66f82ad12bd87f190756cfcf815c3e21b6c6282e0d0c3

Analysis

max time kernel
149s
max time network
152s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
25/02/2025, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4700a4e1f24f2d74a1d66f82ad12bd87f190756cfcf815c3e21b6c6282e0d0c3.apk
Size

2.4MB
MD5

ef93ba12fecfa1420fa8eef85e79564d
SHA1

50c1a8eb6fdc3f7233ba705ffca1e5ae30c9d83e
SHA256

4700a4e1f24f2d74a1d66f82ad12bd87f190756cfcf815c3e21b6c6282e0d0c3
SHA512

bc63552ef3830616723d3665330b96f54ca19995139fc4bf480acba2a7ede4a5d4ceba5350503d13a8245cbef9eb4651f9079496e9d6000fdbbc24074509f5b8
SSDEEP

49152:x5R6B8ocgwMdPFn2k637nHEHgC1HrylbQlDaf5rMyObPEjA6:x5RJs3VFornHTC1HK6OfeVPEjA6

Score

10^/10

xenomorph banker collection credential_access defense_evasion discovery evasion impact infostealer persistence trojan

Malware Config

Extracted

Family

xenomorph

simpleyo5.tk

simpleyo5.cf

kart12sec.ga

kart12sec.gq

Extracted

Family

xenomorph

AES_key

Signatures

Xenomorph
Xenomorph is an Android banking trojan that is seemingly tied with AlienBot.
banker trojan infostealer xenomorph
Xenomorph family
xenomorph

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.spike.old/app_DynamicOptDex/hq.json	5105	com.spike.old

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.spike.old
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.spike.old

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.spike.old

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Reads the content of SMS inbox messages. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://sms/inbox	com.spike.old

Reads the content of outgoing SMS messages. 1 TTPs 2 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://sms/sent	com.spike.old
URI accessed for read	content://sms/draft	com.spike.old

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.spike.old

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.spike.old

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.spike.old

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.spike.old

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.spike.old

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.spike.old

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.spike.old

com.spike.old
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Reads the content of SMS inbox messages.
- Reads the content of outgoing SMS messages.
- Acquires the wake lock
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5105

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Protected User Data

T1636

SMS Messages

T1636.004

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.spike.old/app_DynamicOptDex/hq.json

Filesize
893KB

MD5
2690b5434d844fcaa4527744faff8700

SHA1
2ec4338390f8bf65c7340257a149da66cb792593

SHA256
7cbcebcccb83e5dccd98a5ffef0aa16201e30f684cfa743bd91d459e5a1286e2

SHA512
87cc00acf8271f454dc756dd6247a207d793a4bb3e593850efac906e976bfc023ba6a9b27d2ca3f9a3d6a22ed94e8ca20db7bd4cf24180f73f2f6e075c032b86

Download Submit
/data/data/com.spike.old/app_DynamicOptDex/hq.json

Filesize
893KB

MD5
889aae346b72fa3bf1293888074da26a

SHA1
0626aa9b6ef6a3e695c92221a21ee323ebcc97a1

SHA256
40c6b36a316b596fca2b84cd4d65d745bd15d1c90c1428050b3e71917c1ee360

SHA512
5c06b9dc60abe38688b8b600557b1ebacbe51955f85776d18a010451774b529212f67f20ee5b05137fec76cb5975c33768e9ccc2c936aebe94b45f95cb11f3e4

Download Submit
/data/data/com.spike.old/app_DynamicOptDex/oat/hq.json.cur.prof

Filesize
2KB

MD5
d8ace660017c3f5e68004a54ccf0bbea

SHA1
b58743d4c913305a3dfc659c31b16a33fb9d6b0e

SHA256
969bc48c589201d8aca51b90afb5b8cf5d40963b66ec45cd9150abe2dac19e04

SHA512
0a07d0b50e5023acf0dcb293df601bba94d46c0f9ddcae47caeca3b3914df66c60934d08bcc1f48663311fd4fd08b3513bc3b8b9e9fa4b45590643e18bb35a0f

Download Submit
/data/user/0/com.spike.old/app_DynamicOptDex/hq.json

Filesize
2.4MB

MD5
fde08886038bffc5923fa098cd55d0cd

SHA1
d6f8dbbdd2ded86081cb81e690f5402552ee5345

SHA256
dae52bbee7f709fae9d91e06229c35b46d4559677f26152d4327fc1601d181be

SHA512
93b05624b145e56e081e0771b1ec635df4cf6109087abc67dabe7055ef745003109047370fd42bab83424b7ee396fc6116419f4c255bbd1a794ec558fa7a9091

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads