anubis | d1fa9401808354978fc1aa91165b88c265b549915211e2f0294e7f38db9af8dc

General

Target

e491d383e9f89ba76864491598734e96.apk
Size

1.7MB
MD5

e491d383e9f89ba76864491598734e96
SHA1

7cb959f34dc4261d9cb37eb225319e72c8e91445
SHA256

d1fa9401808354978fc1aa91165b88c265b549915211e2f0294e7f38db9af8dc
SHA512

784114d1493e708a992570978d6add23fa0dc4835535b35c9fb4ef9037a7f85d38995509485cc772bc6f9edcb759f5752325687e3b34a5a26697ed88ceaf5fa2

Score

10^/10

anubis banker evasion infostealer trojan

Malware Config

Extracted

Family

anubis

C2

http://r7ssh1ng.xyz

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa/app_DynamicOptDex/PYpgl.json	4950	drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa
/data/user/0/drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa/app_DynamicOptDex/PYpgl.json	5009	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa/app_DynamicOptDex/PYpgl.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa/app_DynamicOptDex/oat/x86/PYpgl.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa/app_DynamicOptDex/PYpgl.json	4950	drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation). 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa

drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation).
PID:4950
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa/app_DynamicOptDex/PYpgl.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa/app_DynamicOptDex/oat/x86/PYpgl.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5009

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa/app_DynamicOptDex/PYpgl.json

Filesize
985KB

MD5
46fadd77f9a67dbf5c4c722b444a5123

SHA1
5f6ee674773c77d1ebe6a06c099a1ae56850f8d3

SHA256
0524edb314ec4369bd027c90f7c1e8c878132fb2f9f9cf95e7dcaae7758ac4ba

SHA512
0bd75a2a617ec7e7c0ad8737c03ab3036164559ffde2d3631b53d4d202d01efeec2c1aaa7e6b9b56e152f18ca4e448e5da31961a8cde2d3d51680d140fd1e97c

Download Submit
/data/user/0/drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa/app_DynamicOptDex/PYpgl.json

Filesize
985KB

MD5
8d1d685af936b898622a88cd468980fa

SHA1
7d0a7bd7c16f33a81dcd4b5d8bfa45bfb879e687

SHA256
7978c6cef7b934373f218da8a6510c631aa9abb6ff5e3527e9e3051dc3b63bb5

SHA512
94a4d7aabcced27299f4d8b46a6b7f17d27140bfd82e2fb06ca10f86942aab822452b1fe980f29ae78e182faecfba3327c054bcac45984790819ad5363ac6e42

Download Submit
/data/user/0/drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa/app_DynamicOptDex/PYpgl.json

Filesize
985KB

MD5
f9391e0e8ad037744b70131b26c98d9a

SHA1
ad688093a31f32b7f137a595e60263892814d7c0

SHA256
12bda4f80ec7380e4f9cdb491f0a50871813293c74bae4381cfe1c5105392eb5

SHA512
a56382d9b1f68f892efa3887737c99836ee4baa21864bf6936b1a28da1379ea28ef5b860a4d03a2919d37726751085746fc125af707394ae43817d116ce3262e

Download Submit
/data/user/0/drdwdqauhhpmcupllolq.nldyxmytssfdufjcdampgkg.njlwxhyhpncfwfnucofygaeaosa/app_DynamicOptDex/PYpgl.json

Filesize
985KB

MD5
8d1d685af936b898622a88cd468980fa

SHA1
7d0a7bd7c16f33a81dcd4b5d8bfa45bfb879e687

SHA256
7978c6cef7b934373f218da8a6510c631aa9abb6ff5e3527e9e3051dc3b63bb5

SHA512
94a4d7aabcced27299f4d8b46a6b7f17d27140bfd82e2fb06ca10f86942aab822452b1fe980f29ae78e182faecfba3327c054bcac45984790819ad5363ac6e42

Download Submit

Analysis

Sharing