anubis | 78f32b2a0e812f81d34b211faf39a49cd951fee229a0a3d043a30733ddcb4541

General

Target

78f32b2a0e812f81d34b211faf39a49cd951fee229a0a3d043a30733ddcb4541.apk
Size

3.1MB
MD5

eef3693b3fcb4eadd2c523ff30942f47
SHA1

5e73c958ffcc85bce48d93c01e47492b20581686
SHA256

78f32b2a0e812f81d34b211faf39a49cd951fee229a0a3d043a30733ddcb4541
SHA512

6784488d44df99896637cf3063b182af2e5291ae01df0a8017f4cd7d3f4c750f770031fa9a01e5a9114d5cf61060026cf6e40d8e4957768e4b68a2c45066d031

Score

10^/10

anubis banker evasion infostealer trojan

Malware Config

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis

Makes use of the framework's Accessibility service. 3 IoCs

Processes:

xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix

Acquires the wake lock. 1 IoCs

Processes:

xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix

ioc	pid	process
/data/user/0/xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix/app_DynamicOptDex/tJ.json	6891	xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix
/data/user/0/xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix/app_DynamicOptDex/tJ.json	6891	xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix

Listens for changes in the sensor environment (might be used to detect emulation). 1 IoCs
evasion

Processes:

xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix

description ioc process

Framework API call android.hardware.SensorManager.registerListener xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix

xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation).
PID:6891

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix/app_DynamicOptDex/oat/tJ.json.cur.prof

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix/app_DynamicOptDex/tJ.json

Filesize
1.8MB

MD5
01f6a44b5c97d2bef151fdf7a4d13ff1

SHA1
aac7b8cc2202528b735b1e228c97d4574023ba46

SHA256
a7e36def14fbeeaf5e03f7fefaea089a049554ae6df71f29660a5d60f412bbae

SHA512
5a86dbad83eb824324f553a842824e3b8ef8fe79aa0aa803a0d883bafa7aa5e374aac405e4cabe38118511d34c0be71f5aa44119eb3174c32dd03fdccca155fe

Download Submit
/data/user/0/xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix/app_DynamicOptDex/tJ.json

Filesize
1.8MB

MD5
32250be4831b89beb669c637d434c204

SHA1
b116981328c18edbeea5f9087304b2c70048d5f8

SHA256
b6d0c61fcde5188f2414bcef3118b8107337ff8e5ef16706dd21bc42e4edfacc

SHA512
8ef5668510d538059854d13dde8394a4d4f0514f656550e5a47594679b2c8c8c22dd6beaac0e2b62bd7156b2c0dfaed24173e61058add03932568c2e855ed50b

Download Submit
/data/user/0/xswkgopyudqnjxplle.argyoiwuj.ydulnmpdix/app_DynamicOptDex/tJ.json

Filesize
1.8MB

MD5
32250be4831b89beb669c637d434c204

SHA1
b116981328c18edbeea5f9087304b2c70048d5f8

SHA256
b6d0c61fcde5188f2414bcef3118b8107337ff8e5ef16706dd21bc42e4edfacc

SHA512
8ef5668510d538059854d13dde8394a4d4f0514f656550e5a47594679b2c8c8c22dd6beaac0e2b62bd7156b2c0dfaed24173e61058add03932568c2e855ed50b

Download Submit

Analysis

Sharing