anubis | fcc8e879421efa4a87c18771ad6a5e20960dbdf80222f34024d110922a9ae63a

General

Target

ce448fb2d1575f3a74ee59c611f6ec06.apk
Size

1.7MB
MD5

ce448fb2d1575f3a74ee59c611f6ec06
SHA1

660ff941653eb59c2f21da93c36bffd90ec3926e
SHA256

fcc8e879421efa4a87c18771ad6a5e20960dbdf80222f34024d110922a9ae63a
SHA512

dff7e05e60611a5c62cdaab367cd7a99545541b75a4e21b3aa00c70369f1d9c62a84be1a0d3cf3bb29e2dc49dbe3e265e8cd3e4c21a8f560ca94e3bce4bbe264

Score

10^/10

anubis banker evasion infostealer trojan

Malware Config

Extracted

Family

anubis

C2

http://3n0rm0us.cc/

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk/app_DynamicOptDex/xleUu.json	5024	fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk
/data/user/0/fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk/app_DynamicOptDex/xleUu.json	5053	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk/app_DynamicOptDex/xleUu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk/app_DynamicOptDex/oat/x86/xleUu.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk/app_DynamicOptDex/xleUu.json	5024	fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation). 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk

fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation).
PID:5024
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk/app_DynamicOptDex/xleUu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk/app_DynamicOptDex/oat/x86/xleUu.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5053

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk/app_DynamicOptDex/xleUu.json

Filesize
966KB

MD5
c9f284fea999fa6be11e6775862105d5

SHA1
4599bfa5d667c26b54b76587b828e162505444f4

SHA256
18979d0a8b4e025bedb709ad8dc0d8639142da8a6eb3b23765f99d93edb01759

SHA512
3f5542ac2bd41b36953db413964f2460ab21304f82600461f2290446cba8f5026f17b240c26ad0bc8aad5923f5f2a91d824f743beeeb89588096e61a0ae0914f

Download Submit
/data/user/0/fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk/app_DynamicOptDex/xleUu.json

Filesize
966KB

MD5
9253a43fc67c38c81b5c91ccf8d208bb

SHA1
759ac6f8d896d5d31af418b939455fcf54047166

SHA256
e2020ee25bc82c2667acc26ad26f0a314519b5ae283cc1292dae2c2ff0501617

SHA512
345c06ced94f1435790248c847d21e4a9d344464d65558a579e083f400772d379f914cc0007a56c3f9796b607d4dd47a5ef9fe3891bed4b52b924aa0a058f903

Download Submit
/data/user/0/fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk/app_DynamicOptDex/xleUu.json

Filesize
966KB

MD5
6636ca5463302b3d329f852e3d42cc0c

SHA1
ed19521b98165017c5ee57dfa121f2dede75b59e

SHA256
0c1d316a27fba2472e9373ce085016a09b28edd85e65efe3db625417df552244

SHA512
3cec7380fd3b80a0f97502fde8f1f10027b8a7ee3082a114175d1c6f67730282525e7228851935885affd9a438aefceec7153484154ce004b9cc99ea30b54ce7

Download Submit
/data/user/0/fyanuggduafxahhs.pcwqxwlmjrcxlufxieog.kaglywewk/app_DynamicOptDex/xleUu.json

Filesize
966KB

MD5
9253a43fc67c38c81b5c91ccf8d208bb

SHA1
759ac6f8d896d5d31af418b939455fcf54047166

SHA256
e2020ee25bc82c2667acc26ad26f0a314519b5ae283cc1292dae2c2ff0501617

SHA512
345c06ced94f1435790248c847d21e4a9d344464d65558a579e083f400772d379f914cc0007a56c3f9796b607d4dd47a5ef9fe3891bed4b52b924aa0a058f903

Download Submit

Analysis

Sharing