Analysis Overview
SHA256
36e2b02806cad49548927bed346c0e42c297574e832fb87d3180acf5d0df1793
Threat Level: Known bad
The file 36e2b02806cad49548927bed346c0e42c297574e832fb87d3180acf5d0df1793 was found to be: Known bad.
Malicious Activity Summary
Anubis banker
Makes use of the framework's Accessibility service.
Requests dangerous framework permissions
Loads dropped Dex/Jar
Acquires the wake lock.
Reads information about phone network operator.
Listens for changes in the sensor environment (might be used to detect emulation).
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-08-16 12:01
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-16 12:01
Reported
2022-08-16 12:04
Platform
android-x64-20220621-en
Max time kernel
2794074s
Max time network
133s
Command Line
Signatures
Anubis banker
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/wocwvy.czyxoxmbauu.slsa/app_ded/4EBJqSFjPcvwcIHyKMnlhqIL4kmRDmkB.dex | N/A | N/A |
Reads information about phone network operator.
Listens for changes in the sensor environment (might be used to detect emulation).
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Processes
wocwvy.czyxoxmbauu.slsa
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| NL | 172.217.168.202:443 | | tcp |
| NL | 172.217.168.202:443 | | tcp |
| NL | 216.58.208.98:443 | | tcp |
| NL | 172.217.168.234:443 | | tcp |
| NL | 142.250.179.195:443 | | tcp |
| NL | 172.217.168.202:443 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| NL | 172.217.168.202:443 | | tcp |
| FR | 217.69.13.77:80 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
Files
/data/user/0/wocwvy.czyxoxmbauu.slsa/app_ded/4EBJqSFjPcvwcIHyKMnlhqIL4kmRDmkB.dex
| MD5 | c3d254a785f149f0f264b8e798d4f175 |
| SHA1 | e42732ff9b687818f3bdefbf9dd2f1d57e39b18c |
| SHA256 | 73e3d21aa3ce0b00f909902bbfeb484aa97dc8d6b884ca06f9caea009c395037 |
| SHA512 | 14caf82fcc68e4959605d0fb2a47456fba5e49de1a2699928d5c7813f8536c018823695d2b270f435636bf0a7b004a3b764316b18d0b2556f1e2f76904cb5a17 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-16 12:01
Reported
2022-08-16 12:03
Platform
android-x64-arm64-20220621-en
Max time kernel
2794057s
Max time network
123s
Command Line
Signatures
Anubis banker
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/wocwvy.czyxoxmbauu.slsa/app_ded/TnEKufx0e2m3IdnkPNpKRTfAJzPRJykT.dex | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation).
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Processes
wocwvy.czyxoxmbauu.slsa
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| NL | 142.250.179.195:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 216.58.214.2:443 | | tcp |
| NL | 142.250.179.134:443 | | tcp |
| NL | 142.251.39.104:443 | | tcp |
| NL | 142.251.36.35:443 | | tcp |
| FR | 217.69.13.77:80 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| NL | 142.251.36.36:443 | | udp |
| NL | 142.250.179.170:443 | | tcp |
| NL | 216.58.208.106:443 | | tcp |
Files
/data/user/0/wocwvy.czyxoxmbauu.slsa/app_ded/TnEKufx0e2m3IdnkPNpKRTfAJzPRJykT.dex
| MD5 | c3d254a785f149f0f264b8e798d4f175 |
| SHA1 | e42732ff9b687818f3bdefbf9dd2f1d57e39b18c |
| SHA256 | 73e3d21aa3ce0b00f909902bbfeb484aa97dc8d6b884ca06f9caea009c395037 |
| SHA512 | 14caf82fcc68e4959605d0fb2a47456fba5e49de1a2699928d5c7813f8536c018823695d2b270f435636bf0a7b004a3b764316b18d0b2556f1e2f76904cb5a17 |