anubis | b600fa379cabfd33a6ebc2e69fd71910bff442b2d90d0163ccaa997cc2199b7e

General

Target

b600fa379cabfd33a6ebc2e69fd71910bff442b2d90d0163ccaa997cc2199b7e.apk
Size

3.3MB
MD5

98f48dacd555fc1a4f90d69fb91ae4e8
SHA1

b8aec6d580883393cba4bcfa8e41857b130fa95d
SHA256

b600fa379cabfd33a6ebc2e69fd71910bff442b2d90d0163ccaa997cc2199b7e
SHA512

5dde926dea76716c1a8ff19e74d2393cec02f20eea00c9d228640c74231a2934df3137c1f3fc4d465c067012f7260699a62e5d4400d0b9696807b344359716b3

Score

10^/10

anubis banker evasion infostealer trojan

Malware Config

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis

Makes use of the framework's Accessibility service. 3 IoCs

Processes:

wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls

Acquires the wake lock. 1 IoCs

Processes:

wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/Mnrr.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/oat/x86/Mnrr.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/Mnrr.json	5167	wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls
/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/Mnrr.json	5244	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/Mnrr.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/oat/x86/Mnrr.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/Mnrr.json	5167	wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls

Reads information about phone network operator.
Listens for changes in the sensor environment (might be used to detect emulation). 1 IoCs
evasion

Processes:

wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls

description ioc process

Framework API call android.hardware.SensorManager.registerListener wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls

wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation).
PID:5167

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/Mnrr.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/oat/x86/Mnrr.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:5244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/Mnrr.json
Filesize
2.1MB

MD5
f6435dd229bfa1783f8d36942965b54a

SHA1
33ff7384a347e57fa75a171334daa8d11563cd3f

SHA256
8ca71b7faedae899f9c9b53bddc2577891bf85d33eddd80ecc973b62299c9147

SHA512
5b5345c5838db53a570c13f49475d2ad7945f052b97d3f0f30d7c1701a36927a8bcd3036d661432a26e251e22f4e2859825010129e7a11403e6451b1207cde91

Download Submit
/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/Mnrr.json
Filesize
2.1MB

MD5
85906cde5d00bcc1230e87598b8a7bfc

SHA1
b54fc492fb25e7843029a57cf03f9bf24120287d

SHA256
c1751a864c125e703b5507e5404d99f762679bb183b2b4d654d16ffa0e25d470

SHA512
75a08b98a5c0126b5bcb40dda4ca867992828617db44761354a8ebe04518a1cd97629c323197b5af1fb6383007befa3ff3fcac6acb3405de2c46a2a96f7ef376

Download Submit
/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/Mnrr.json
Filesize
2.1MB

MD5
80be37c70d69e779f3dc7ba1e6fa8d6a

SHA1
3ac7ab733bbf965b918de1172009d756bc145fe1

SHA256
a4127d72c800879a143d5062d8d6ef3494cf367c8bb029bc1837d2dc3fb61517

SHA512
5e2c4e4b1d54d50d9b5fa47c4df1148cea115915cf2eb7105c795ed03685ae8b6c33f86df4a5a57df8ed156a184f0366cf03609a36526a69c561739b3dd3120e

Download Submit
/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/Mnrr.json
Filesize
2.1MB

MD5
85906cde5d00bcc1230e87598b8a7bfc

SHA1
b54fc492fb25e7843029a57cf03f9bf24120287d

SHA256
c1751a864c125e703b5507e5404d99f762679bb183b2b4d654d16ffa0e25d470

SHA512
75a08b98a5c0126b5bcb40dda4ca867992828617db44761354a8ebe04518a1cd97629c323197b5af1fb6383007befa3ff3fcac6acb3405de2c46a2a96f7ef376

Download Submit
/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/Mnrr.json.x86.flock
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/oat/Mnrr.json.cur.prof
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/oat/x86/Mnrr.odex
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wzgcfrnkoecbdhyefubrbhpwqg.rblxehp.bfryhoyngspymwbuztgls/app_DynamicOptDex/oat/x86/Mnrr.vdex
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing