anubis | 6496931678cdd40d021d0e17d9087b10dda4ac187a54b0250ca917df4f02ce04 | Triage

Analysis

max time kernel
439991s
max time network
119s
platform
android_x86_64
resource
android-x86_64_arm64
submitted
28-04-2021 20:41

Sharing

Report Analysis Logs

General

Target

bfdcc19b_by_Libranalysis.apk
Size

1.0MB
MD5

bfdcc19b75c80a2c727fe89e6d1de5ee
SHA1

d63155e04a793241c34feec1857372db7b788bf5
SHA256

6496931678cdd40d021d0e17d9087b10dda4ac187a54b0250ca917df4f02ce04
SHA512

2a608efcef99b5549efe783e5c89ae1eb6f8592e29df75e2e147dbe01e0914a3875ceae33b64ab26351307860a799e0e8bf20deb76dd92c417c1bbe4411431c1

Score

10^/10

anubis banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

anubis

C2

http://ktosdelaetskrintotpidor.com

http://sositehuypidarasi.com

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

AES_key

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

wocwvy.czyxoxmbauu.slsa

pid process

4131 wocwvy.czyxoxmbauu.slsa
Requests enabling of the accessibility settings. 1 IoCs

Processes:

wocwvy.czyxoxmbauu.slsa

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS wocwvy.czyxoxmbauu.slsa

Uses reflection 5 IoCs

Processes:

wocwvy.czyxoxmbauu.slsa

description	pid	process
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4131	wocwvy.czyxoxmbauu.slsa
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4131	wocwvy.czyxoxmbauu.slsa
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4131	wocwvy.czyxoxmbauu.slsa
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4131	wocwvy.czyxoxmbauu.slsa
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4131	wocwvy.czyxoxmbauu.slsa

wocwvy.czyxoxmbauu.slsa
1⤵
- Removes its main activity from the application launcher
- Requests enabling of the accessibility settings.
- Uses reflection
PID:4131

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...