Analysis
- max time kernel: 3868525s
- max time network: 143s
- platform: android_x86
- resource: android-x86-arm-20220310-en
- submitted: 21-05-2022 11:28
Static task: static1
Behavioral task: behavioral1
- Sample: 5ad5e92ba2421c0b111a25383d859604bd9abb8468907b185bdbfd4b0661a173.apk
- Resource: android-x86-arm-20220310-en
Behavioral task: behavioral2
- Sample: 5ad5e92ba2421c0b111a25383d859604bd9abb8468907b185bdbfd4b0661a173.apk
- Resource: android-x64-20220310-en
Behavioral task: behavioral3
- Sample: 5ad5e92ba2421c0b111a25383d859604bd9abb8468907b185bdbfd4b0661a173.apk
- Resource: android-x64-arm64-20220310-en
General
- Target: 5ad5e92ba2421c0b111a25383d859604bd9abb8468907b185bdbfd4b0661a173.apk
- Size: 3.2MB
- MD5: 6f63145b71dccc2711e6baf40899f274
- SHA1: a1b8f8b2fda17fce23dcdd1c6222b91dc772417c
- SHA256: 5ad5e92ba2421c0b111a25383d859604bd9abb8468907b185bdbfd4b0661a173
- SHA512: 1789ea12b9263278fbc648d229a59a04112e727f9c25a240b320476af06d9a29814bee8a1b265d7a6a998ce4dc77a45bde1238979d0c092485f12d94b8207f4a
Malware Config
Signatures
- Anubis banker
  Android banker that uses overlays.
- Makes use of the framework's Accessibility service. 3 IoCs
  Processes: xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
- Acquires the wake lock. 1 IoCs
  Processes: xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
- Loads dropped Dex/Jar 3 IoCs
  Runs executable file dropped to the device during analysis.
  Processes:
  - xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/oat/x86/ZEDlscG.odex --compiler-filter=quicken --class-loader-context=&
  ioc | pid | process
  /data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json | 5069 | xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
  /data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json | 5125 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/oat/x86/ZEDlscG.odex --compiler-filter=quicken --class-loader-context=&
  /data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json | 5069 | xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
- Reads information about phone network operator.
- Listens for changes in the sensor environment (might be used to detect emulation). 1 IoCs
  Processes: xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
  description | ioc | process
  Framework API call | android.hardware.SensorManager.registerListener | xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
Processes
1. xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
   - Makes use of the framework's Accessibility service.
   - Acquires the wake lock.
   - Loads dropped Dex/Jar
   - Listens for changes in the sensor environment (might be used to detect emulation).
   2. /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/oat/x86/ZEDlscG.odex --compiler-filter=quicken --class-loader-context=& (child of process 1)
      - Loads dropped Dex/Jar
Network
MITRE ATT&CK Matrix
Downloads
- /data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json
  Filesize: 2.0MB
  MD5: c3385449336997419d752f9802c86a1c
  SHA1: 6bcbdce954e7c9343178f3f980ec4d7dda17786b
  SHA256: 1ccc4d4d0ea457319c2efc78401b84161a6a800b241f0dfb055531c9b2714b2c
  SHA512: 758395f147ca7e6be0bffd770994d739ba19291d7aa9eb5f404666a86cdec60c98bbcc1dc072c4c7531cd4e9245388eea1e8102489b770cf074c804fed9042f8
- /data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json
  Filesize: 2.0MB
  MD5: 02f9a2d07f0d087f9d0876ff1d3dd267
  SHA1: b86e3b8c5c24ad0c6e6d76a81e9689d876363555
  SHA256: 38beed3eeb7fd0eb9b7df2ea80c11ba1f3f816162e380cd4701c4be03c6be2c6
  SHA512: 2a99c0470c165454f496f12b18109f58fcea6e46dabb079c64ddf6e3539679cdc9dbe464d199b24461ba924298c73c23e7924c3f7e030f484bcc6ff7fbc50928
- /data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json
  Filesize: 2.0MB
  MD5: a7f17b555e70b4b3f7f53bfa67154f08
  SHA1: 5522c1a5f4efd117db49b6b44a540172d53a763e
  SHA256: 8d9e536d842a34c64d3023ed9c5b78d39dd3797c5eb083a85822e63f92200ae2
  SHA512: 460670d9353781582630f494eb03a40bc54d9cce8e9006ad7f1183cd16f1294b93759b0edda9c7d46372616a3f706376c6a8eb21f72511cf0c32bf6a3cab6143
- /data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json.x86.flock
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- /data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/oat/ZEDlscG.json.cur.prof
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- /data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/oat/x86/ZEDlscG.odex
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- /data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/oat/x86/ZEDlscG.vdex
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e