anubis | bb3d5729f7ad3276c771aec55bc913d71973f3b26ba24aab6aafae79e8ea0c6a

General

Target

BB3D5729F7AD3276C771AEC55BC913D71973F3B26BA24AAB6AAFAE79E8EA0C6A.apk
Size

1.9MB
MD5

1e6c4a307e1b19ebba9f676f2728b970
SHA1

1b23de0ecf9398a9c01679a7b18f84a77e3293de
SHA256

bb3d5729f7ad3276c771aec55bc913d71973f3b26ba24aab6aafae79e8ea0c6a
SHA512

99fc04f0862efc5a2f4111c5d77ee606d0ecff0c69c4685056fa6ef73566674f2821856f5ff974e4d1e5516c88ef2517b9045e179af30a63e737f9bb61b430df

Score

10^/10

anubis banker evasion infostealer trojan

Malware Config

Extracted

Family

anubis

C2

http://webdatapanel.xyz/

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf/app_DynamicOptDex/pCqPmG.json	5029	jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf
/data/user/0/jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf/app_DynamicOptDex/pCqPmG.json	5083	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf/app_DynamicOptDex/pCqPmG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf/app_DynamicOptDex/oat/x86/pCqPmG.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf/app_DynamicOptDex/pCqPmG.json	5029	jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation). 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf

jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation).
PID:5029
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf/app_DynamicOptDex/pCqPmG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf/app_DynamicOptDex/oat/x86/pCqPmG.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5083

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf/app_DynamicOptDex/pCqPmG.json

Filesize
1.0MB

MD5
4e8ba1dbad99db6defdbdbcfcbdb83c3

SHA1
0b15865d4c900d6c9485ae2e9b653ac7b1c60818

SHA256
17a4b1cd276512aeff4d93b820256dadf0a62541cde81677d2f74e2134016782

SHA512
90d5f2816866b18e1dc15486a9468060eee35a86dfc4d50a370bba9e5bc13d3eed41743ccba881f7a16f4ad68df30b28c30d0e77c07c738b81d4c8d7d1337c5f

Download Submit
/data/user/0/jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf/app_DynamicOptDex/pCqPmG.json

Filesize
1.0MB

MD5
671fe1f6b48600a61e3bffeadf7bec15

SHA1
85fea3899180390aba77f38c580b19a63ebb2f31

SHA256
81e0b0bab5b7f2af550bb7a7d59896f2740d74a9150de50e421ee0db705b7398

SHA512
c3d003a2531b0653144b316be724f2ff4b9e02c82db397457dd92e72bb10358a8b4f4b6767b9ca9cd604fff5866b67fbef2eb3e965f901c215a1d20271e1691f

Download Submit
/data/user/0/jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf/app_DynamicOptDex/pCqPmG.json

Filesize
1.0MB

MD5
c0c8b13519753c11e3350d183446e28c

SHA1
9f51039e78d3e814aeacc48554ff8daad11a1fa8

SHA256
f69e1d83d435f01e669a0f8155461609a1b755423067d695c13fc82306e5df84

SHA512
0d3560267eda94e98bd2523404a36dfea2b2792313ad5564c27e6ee97797f6616b458d3a81e4d66517d0789229db602ce398c15a66512f719c5c17447c1ae762

Download Submit
/data/user/0/jozsqisehdozqqu.odyogitbannghurxpmj.ztcdkpkkgfftdf/app_DynamicOptDex/pCqPmG.json

Filesize
1.0MB

MD5
671fe1f6b48600a61e3bffeadf7bec15

SHA1
85fea3899180390aba77f38c580b19a63ebb2f31

SHA256
81e0b0bab5b7f2af550bb7a7d59896f2740d74a9150de50e421ee0db705b7398

SHA512
c3d003a2531b0653144b316be724f2ff4b9e02c82db397457dd92e72bb10358a8b4f4b6767b9ca9cd604fff5866b67fbef2eb3e965f901c215a1d20271e1691f

Download Submit

Analysis

Sharing