xenomorph | 4700a4e1f24f2d74a1d66f82ad12bd87f190756cfcf815c3e21b6c6282e0d0c3

General

Target

4700a4e1f24f2d74a1d66f82ad12bd87f190756cfcf815c3e21b6c6282e0d0c3.apk
Size

2.4MB
MD5

ef93ba12fecfa1420fa8eef85e79564d
SHA1

50c1a8eb6fdc3f7233ba705ffca1e5ae30c9d83e
SHA256

4700a4e1f24f2d74a1d66f82ad12bd87f190756cfcf815c3e21b6c6282e0d0c3
SHA512

bc63552ef3830616723d3665330b96f54ca19995139fc4bf480acba2a7ede4a5d4ceba5350503d13a8245cbef9eb4651f9079496e9d6000fdbbc24074509f5b8
SSDEEP

49152:x5R6B8ocgwMdPFn2k637nHEHgC1HrylbQlDaf5rMyObPEjA6:x5RJs3VFornHTC1HK6OfeVPEjA6

Score

10^/10

xenomorph banker collection credential_access defense_evasion discovery evasion impact infostealer trojan

Malware Config

Extracted

Family

xenomorph

C2

simpleyo5.tk

simpleyo5.cf

kart12sec.ga

kart12sec.gq

Extracted

Family

xenomorph

AES_key

Signatures

Xenomorph
Xenomorph is an Android banking trojan that is seemingly tied with AlienBot.
banker trojan infostealer xenomorph
Xenomorph family
xenomorph

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.spike.old/app_DynamicOptDex/hq.json	4727	com.spike.old

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.spike.old
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.spike.old

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.spike.old

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Reads the content of SMS inbox messages. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://sms/inbox	com.spike.old

Reads the content of outgoing SMS messages. 1 TTPs 2 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://sms/sent	com.spike.old
URI accessed for read	content://sms/draft	com.spike.old

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.spike.old

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.spike.old

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.spike.old

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.spike.old

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.spike.old

com.spike.old
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Reads the content of SMS inbox messages.
- Reads the content of outgoing SMS messages.
- Acquires the wake lock
- Queries information about active data network
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4727

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

System Information Discovery

2

T1426

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Protected User Data

2

T1636

SMS Messages

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1

T1471

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.spike.old/app_DynamicOptDex/hq.json

Filesize
893KB

MD5
2690b5434d844fcaa4527744faff8700

SHA1
2ec4338390f8bf65c7340257a149da66cb792593

SHA256
7cbcebcccb83e5dccd98a5ffef0aa16201e30f684cfa743bd91d459e5a1286e2

SHA512
87cc00acf8271f454dc756dd6247a207d793a4bb3e593850efac906e976bfc023ba6a9b27d2ca3f9a3d6a22ed94e8ca20db7bd4cf24180f73f2f6e075c032b86

Download Submit
/data/data/com.spike.old/app_DynamicOptDex/hq.json

Filesize
893KB

MD5
889aae346b72fa3bf1293888074da26a

SHA1
0626aa9b6ef6a3e695c92221a21ee323ebcc97a1

SHA256
40c6b36a316b596fca2b84cd4d65d745bd15d1c90c1428050b3e71917c1ee360

SHA512
5c06b9dc60abe38688b8b600557b1ebacbe51955f85776d18a010451774b529212f67f20ee5b05137fec76cb5975c33768e9ccc2c936aebe94b45f95cb11f3e4

Download Submit
/data/data/com.spike.old/app_DynamicOptDex/oat/hq.json.cur.prof

Filesize
2KB

MD5
493327842e69d1cfbb5a45e4d9a0f11c

SHA1
a11bb979e43659014dbb62cf733e42c2c7ba200e

SHA256
c2076910509157fa2936df7201251fd30b0059c66a8a4bfb0d6962f253f35797

SHA512
4ad347ec976ecf6efd49f0b4c51daa611f4550bbefd12eed35ad6312fb00cd6ca8f77495f57f0b4ddb198e2fe28c504f075dd8e827c86000fb467cc4d005d08d

Download Submit
/data/user/0/com.spike.old/app_DynamicOptDex/hq.json

Filesize
2.4MB

MD5
fde08886038bffc5923fa098cd55d0cd

SHA1
d6f8dbbdd2ded86081cb81e690f5402552ee5345

SHA256
dae52bbee7f709fae9d91e06229c35b46d4559677f26152d4327fc1601d181be

SHA512
93b05624b145e56e081e0771b1ec635df4cf6109087abc67dabe7055ef745003109047370fd42bab83424b7ee396fc6116419f4c255bbd1a794ec558fa7a9091

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads