anubis | 0803711244bf3ab0b36a0993d640691be059a8bf407070834bfb427396cbb600

General

Target

0803711244BF3AB0B36A0993D640691BE059A8BF407070834BFB427396CBB600.apk
Size

2.6MB
MD5

201aa553f5c98b69c975ab2e58704dce
SHA1

47a77bede86f2227491876a6dc8719fecd2c12fe
SHA256

0803711244bf3ab0b36a0993d640691be059a8bf407070834bfb427396cbb600
SHA512

cb08c024559862879182bbafcdb97c3a6e54ffa1d65b7948041f81b1b8327502035bbceb79806082c67ed970dc63cbfb37ba065c39e659041aaf6e5d37d5a93c

Score

10^/10

anubis banker evasion infostealer trojan

Malware Config

Extracted

Family

anubis

C2

http://lastknight.xyz/

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol/app_DynamicOptDex/Hw.json	5158	jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol
/data/user/0/jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol/app_DynamicOptDex/Hw.json	5204	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol/app_DynamicOptDex/Hw.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol/app_DynamicOptDex/oat/x86/Hw.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol/app_DynamicOptDex/Hw.json	5158	jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation). 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol

jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation).
PID:5158
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol/app_DynamicOptDex/Hw.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol/app_DynamicOptDex/oat/x86/Hw.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol/app_DynamicOptDex/Hw.json

Filesize
1.0MB

MD5
51588d04a2ed20d8f905f8f79a93424f

SHA1
03e198e88016962f0c36dd02c7d51163a2ca32f7

SHA256
c7b9d30a2b30e0094d31d4cf8e7dd792c0a05596f63289315172ecfc7ef56655

SHA512
55c766323560d9f621feefea4552551870bb08e097c189df162040067111966d380d4115a9aa38459e806d61ac9effd4a4d983701e1d7e93afcc24541655be5b

Download Submit
/data/user/0/jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol/app_DynamicOptDex/Hw.json

Filesize
1.0MB

MD5
9215e1c73441a676e58fd2145fc6cae8

SHA1
e805289cd48ddc256788d95eccc341a93d0be367

SHA256
cd19116835c30e72c2962d5927cfe90a3b969fec6adb73745e9e915f2dbe4c1f

SHA512
a5283dcd131fcc37eed54f42536ba9cbf209eee03a21d586e9d86ffd8f5d9885cb52ba6de69011a4d8791ac045f10e25b7999ca42626ad23ef3844922a50ef15

Download Submit
/data/user/0/jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol/app_DynamicOptDex/Hw.json

Filesize
1.0MB

MD5
328259238caa931100d918e996f37a20

SHA1
280f70f044bcb6971601e6c12e64a8378da12ea0

SHA256
21ab28e0ce8ea54414f6fbef7520a842ae9973c8e8006404068221895fb3414b

SHA512
a05eff3e6d46a62db0585432f081b4cfb9be1cc7e2b7d9b2db67984eda149fb8f430cd25f390cc36be60916c87fa7bee2358cada620494a1e89822839d4a4724

Download Submit
/data/user/0/jzjoeyec.jickdalgdphbbgfwwsqq.mdleckaegyywxzxol/app_DynamicOptDex/Hw.json

Filesize
1.0MB

MD5
9215e1c73441a676e58fd2145fc6cae8

SHA1
e805289cd48ddc256788d95eccc341a93d0be367

SHA256
cd19116835c30e72c2962d5927cfe90a3b969fec6adb73745e9e915f2dbe4c1f

SHA512
a5283dcd131fcc37eed54f42536ba9cbf209eee03a21d586e9d86ffd8f5d9885cb52ba6de69011a4d8791ac045f10e25b7999ca42626ad23ef3844922a50ef15

Download Submit

Analysis

Sharing