anubis | 0e33a0200df97e40d691d6f57749ac9584652f832c28fd8ad017154b5f9db2b3

General

Target

0e33a0200df97e40d691d6f57749ac9584652f832c28fd8ad017154b5f9db2b3.apk
Size

5.3MB
MD5

b35433e70c0e1db86caecef39a2dd7ed
SHA1

86a66462090f01e42fed28a70c9b34035ea6bec8
SHA256

0e33a0200df97e40d691d6f57749ac9584652f832c28fd8ad017154b5f9db2b3
SHA512

d880d1fb2433c9c6310779deee1cdcca525176cc551c4cb55044caf7bf1e80d82aba9eb4d171ca1a27b11fa54cf7b8775b88d6eeabe3da090bc65b4733c230e7

Score

10^/10

obfuscation stealth trojan banker infostealer anubis

Malware Config

Extracted

Family

anubis

C2

http://ktosdelaetskrintotpidor.com

http://sositehuypidarasi.com

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.mwurawatnafa.ryvrlda

pid process

5188 com.mwurawatnafa.ryvrlda
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.mwurawatnafa.ryvrlda

ioc pid process

/data/user/0/com.mwurawatnafa.ryvrlda/app_files/kmqbjcu.jar 5188 com.mwurawatnafa.ryvrlda

ioc	pid	process
/data/user/0/com.mwurawatnafa.ryvrlda/app_files/kmqbjcu.jar	5188	com.mwurawatnafa.ryvrlda

Suspicious use of android.app.ActivityManager.getRunningServices 7 IoCs

Processes:

com.mwurawatnafa.ryvrlda

pid	process
5188	com.mwurawatnafa.ryvrlda
5188	com.mwurawatnafa.ryvrlda
5188	com.mwurawatnafa.ryvrlda
5188	com.mwurawatnafa.ryvrlda
5188	com.mwurawatnafa.ryvrlda
5188	com.mwurawatnafa.ryvrlda
5188	com.mwurawatnafa.ryvrlda

Suspicious use of android.os.PowerManager$WakeLock.acquire 1 IoCs

Processes:

com.mwurawatnafa.ryvrlda

pid process

5188 com.mwurawatnafa.ryvrlda

Uses reflection 132 IoCs

obfuscation

Processes:

com.mwurawatnafa.ryvrlda

description	pid	process
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method android.content.ContextWrapper.getBaseContext	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method android.app.ContextImpl.getDir	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.io.File.getAbsolutePath	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method android.content.ContextWrapper.getAssets	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method android.content.res.AssetManager.openNonAssetFd	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method android.content.res.AssetFileDescriptor.createInputStream	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method android.content.res.AssetFileDescriptor$AutoCloseInputStream.read	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.System.arraycopy	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method android.content.res.AssetFileDescriptor$AutoCloseInputStream.read	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.System.arraycopy	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.System.arraycopy	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method android.content.res.AssetFileDescriptor$AutoCloseInputStream.read	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.System.arraycopy	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method android.content.res.AssetFileDescriptor$AutoCloseInputStream.read	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.System.arraycopy	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.System.arraycopy	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.forName	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getConstructor	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.reflect.Constructor.newInstance	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.io.FileOutputStream.write	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.io.FileOutputStream.close	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getClassLoader	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.forName	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.forName	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getConstructor	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.reflect.Constructor.newInstance	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getDeclaredField	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.forName	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getDeclaredField	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Acesses field java.lang.Boolean.TRUE	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.reflect.Field.get	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.reflect.AccessibleObject.setAccessible	5188	com.mwurawatnafa.ryvrlda
Invokes method java.lang.Class.getMethods	5188	com.mwurawatnafa.ryvrlda

com.mwurawatnafa.ryvrlda
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.os.PowerManager$WakeLock.acquire
- Uses reflection
PID:5188

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads