anubis | 5ad5e92ba2421c0b111a25383d859604bd9abb8468907b185bdbfd4b0661a173

General

Target

5ad5e92ba2421c0b111a25383d859604bd9abb8468907b185bdbfd4b0661a173.apk
Size

3.2MB
MD5

6f63145b71dccc2711e6baf40899f274
SHA1

a1b8f8b2fda17fce23dcdd1c6222b91dc772417c
SHA256

5ad5e92ba2421c0b111a25383d859604bd9abb8468907b185bdbfd4b0661a173
SHA512

1789ea12b9263278fbc648d229a59a04112e727f9c25a240b320476af06d9a29814bee8a1b265d7a6a998ce4dc77a45bde1238979d0c092485f12d94b8207f4a

Score

10^/10

anubis banker evasion infostealer trojan

Malware Config

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis

Makes use of the framework's Accessibility service. 3 IoCs

Processes:

xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow

Acquires the wake lock. 1 IoCs

Processes:

xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/oat/x86/ZEDlscG.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json	5069	xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json	5125	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/oat/x86/ZEDlscG.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json	5069	xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow

Reads information about phone network operator.
Listens for changes in the sensor environment (might be used to detect emulation). 1 IoCs
evasion

Processes:

xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow

description ioc process

Framework API call android.hardware.SensorManager.registerListener xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow

xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation).
PID:5069

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/oat/x86/ZEDlscG.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:5125

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json
Filesize
2.0MB

MD5
c3385449336997419d752f9802c86a1c

SHA1
6bcbdce954e7c9343178f3f980ec4d7dda17786b

SHA256
1ccc4d4d0ea457319c2efc78401b84161a6a800b241f0dfb055531c9b2714b2c

SHA512
758395f147ca7e6be0bffd770994d739ba19291d7aa9eb5f404666a86cdec60c98bbcc1dc072c4c7531cd4e9245388eea1e8102489b770cf074c804fed9042f8

Download Submit
/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json
Filesize
2.0MB

MD5
02f9a2d07f0d087f9d0876ff1d3dd267

SHA1
b86e3b8c5c24ad0c6e6d76a81e9689d876363555

SHA256
38beed3eeb7fd0eb9b7df2ea80c11ba1f3f816162e380cd4701c4be03c6be2c6

SHA512
2a99c0470c165454f496f12b18109f58fcea6e46dabb079c64ddf6e3539679cdc9dbe464d199b24461ba924298c73c23e7924c3f7e030f484bcc6ff7fbc50928

Download Submit
/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json
Filesize
2.0MB

MD5
a7f17b555e70b4b3f7f53bfa67154f08

SHA1
5522c1a5f4efd117db49b6b44a540172d53a763e

SHA256
8d9e536d842a34c64d3023ed9c5b78d39dd3797c5eb083a85822e63f92200ae2

SHA512
460670d9353781582630f494eb03a40bc54d9cce8e9006ad7f1183cd16f1294b93759b0edda9c7d46372616a3f706376c6a8eb21f72511cf0c32bf6a3cab6143

Download Submit
/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json
Filesize
2.0MB

MD5
02f9a2d07f0d087f9d0876ff1d3dd267

SHA1
b86e3b8c5c24ad0c6e6d76a81e9689d876363555

SHA256
38beed3eeb7fd0eb9b7df2ea80c11ba1f3f816162e380cd4701c4be03c6be2c6

SHA512
2a99c0470c165454f496f12b18109f58fcea6e46dabb079c64ddf6e3539679cdc9dbe464d199b24461ba924298c73c23e7924c3f7e030f484bcc6ff7fbc50928

Download Submit
/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/ZEDlscG.json.x86.flock
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/oat/ZEDlscG.json.cur.prof
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/oat/x86/ZEDlscG.odex
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/xngcajqbsnckkydsqdtgu.idddnuc.hoktniwwhdhzjhskow/app_DynamicOptDex/oat/x86/ZEDlscG.vdex
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing