zanubis | 33adbff1a79da4a3fde49cececac5a6b99bf217be0c6db6cdf85a46bf2087e57

Resubmissions

25-11-2022 14:38

221125-rz2jhaec29 10

22-09-2022 17:03

220922-vk1v7scaa5 10

31-08-2022 15:17

220831-sn1y9sgacq 8

Analysis

max time kernel
4101805s
max time network
161s
platform
android_x64
resource
android-x64-arm64-20220823-en
submitted
31-08-2022 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

documento_2a3d3dd.pdf.apk
Size

4.0MB
MD5

8f78df9b128eb2b0fb576269bba6a9fb
SHA1

2128c991887a80152ca36689be503eaa6afc1b1f
SHA256

33adbff1a79da4a3fde49cececac5a6b99bf217be0c6db6cdf85a46bf2087e57
SHA512

4bce2fb6b264159c0b0dad184f834ecbb8eb5f908665e9eb2d783604374fb3fe03e9cdf5a4e167e308767d6c63d7f0302e9658ccb967f22affbd4bf2cf1a49cb
SSDEEP

98304:rIQAS1Qd2ofrWB/urhQuzI6TZS+DixH8bU4bFLzbcHez0:8QAejky4To+mgU4bFLg

Score

10^/10

zanubis banker evasion infostealer trojan

Malware Config

Signatures

Zanubis
Zanubis is an Android banking malware first seen in 2022.
infostealer trojan banker zanubis

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.personal.pdf

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.personal.pdf
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.personal.pdf

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.personal.pdf

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.personal.pdf
Acquires the wake lock. 1 IoCs

Processes:

com.personal.pdf

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.personal.pdf

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.personal.pdf

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.personal.pdf

Requests disabling of battery optimizations (often used to enable hiding in the background). 2 IoCs

evasion

Processes:

com.personal.pdf:remotecom.personal.pdf

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.personal.pdf:remote
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.personal.pdf

Removes a system notification. 1 IoCs
evasion

Processes:

com.personal.pdf

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.personal.pdf

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.personal.pdf

com.personal.pdf
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
PID:4619

com.personal.pdf:remote
1⤵
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4789

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.personal.pdf/app_webview/.com.google.Chrome.EMeSqW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Cookies

Filesize
64KB

MD5
dfb2098ca7b3bf16d6f5f1e7d3839af5

SHA1
ebb7a8bc886062d77a4092bd306b77a0ce7a3e9d

SHA256
e4119d32577d7fc63b267cc23eb7a9bbfb12d238f23e08918c38838fe0181224

SHA512
fccec45399258eb98220b7f01b492a72b8b3d1254dec6e196e344d89a0376c6ee24534a31a6675c866d4a17256d3ac6823657eaf04e1d386757d0cbfc6597e50

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Cookies-journal

Filesize
1KB

MD5
442974cba1e93a9b53524b12738e5db1

SHA1
23f31cc97eb17b57e876bc10c19e71020bebe9d0

SHA256
354fd664da6236aa886ddc9f55f41a7896b1766a5f93e02bb3950d3d88760ff4

SHA512
fc47324572da895110ca288bbe14e616ee65beef36e582ef8b86e03ced25dd705ad1d9f053444f4235d83b28b160fe361e07699e82485610a6407a0a379e1825

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/GPUCache/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/GPUCache/index-dir/temp-index

Filesize
96B

MD5
af4d1a3a9d67c27a053b6e2784bfbcb8

SHA1
ad19926d4de783d4ef1c48e95bd228c89b796fcd

SHA256
4dd72236d4cdb93c164e23db79dee3f5231b13c3c93c6d24ecaaeaf8a262da7f

SHA512
f4a669409968762e9f2bdfffd4540e0041a8545205bf5963eda245c5983a9c3891849751736709d6e0a53e078558aac5221296eea4bb5ccad16cfeb33ed5f3f8

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Session Storage/000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Session Storage/000003.log

Filesize
61B

MD5
9f7eadc15e13d0608b4e4d590499ae2e

SHA1
afb27f5c20b117031328e12dd3111a7681ff8db5

SHA256
5c3a5b578ab9fe853ead7040bc161929ea4f6902073ba2b8bb84487622b98923

SHA512
88455784c705f565c70fa0a549c54e2492976e14643e9dd0a8e58c560d003914313df483f096bd33ec718aeec7667b8de063a73627aa3436ba6e7e562e565b3f

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Session Storage/LOCK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Session Storage/LOG

Filesize
128B

MD5
db90f0ae1d633963858ba3d6b8daa6fc

SHA1
7064f80ef1c3f95bdb287b35ef3f10a7660b5db0

SHA256
22ca2abe89064090308a25ba3f006caf4cbbebeff45e87a73e1243b37674ddbc

SHA512
78682ee32c4a16f8a82a9b0953d8c5a6f8b8e40872dee1aa375d43f0e72eb8a46d7afbd43db83bb9ed32e98416765a9fa3bca2c195a202de8efd7a1819658101

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Session Storage/MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Web Data

Filesize
120KB

MD5
a48cd9324b1f8754b07f00d863b840f3

SHA1
11c6614775b35a58f440971dfc87c8aaac6d6173

SHA256
8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420

SHA512
35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Web Data-journal

Filesize
2KB

MD5
86b446a52a0c8f6006ca4f43b39879dd

SHA1
bfea227faae4fed36a01c65825970228fb48c5ad

SHA256
a0ffa96c5399e4b1c87f1f766d689c25c657d35d71a52aeb920c1379342829c4

SHA512
5c1a76afa251d50717f131952b513579502b0e02c7f6e6c140fee6a3f55c137166e6e24eae53cfa84ae3c2c6951b5eb62348bc5c24e7fcdb6b4b00c1de80d61b

Download Submit
/data/user/0/com.personal.pdf/app_webview/variations_seed_new

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.personal.pdf/app_webview/variations_stamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.personal.pdf/app_webview/webview_data.lock

Filesize
22B

MD5
3c19f4b9beb8368d625cca5c6f82c911

SHA1
6127f63d9ada5d660913faaf3b8e29173d22ac83

SHA256
52357686f43a3d0dd8da598f1c1fe38e1d35cbbeebfdae8285376e8fff12d344

SHA512
c3a964d304d78f53f61bf3419b71cc2b020d88f098b55684048b033f23dd4570cc9bbbd5d78fda452b61344a23984c6c40fb6c749d851040782fdcfbbe7c2bed

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Crashpad/settings.dat

Filesize
40B

MD5
05cc2f25238e6c3140473c3a3c08a745

SHA1
e8873e510d61a3fb753e57e7106c149117d6c4a6

SHA256
d0a54de2a7dd334e95dc1abe323af8042f7b7217e683195145950b2cee53e0ec

SHA512
cfedb5d4313d80ba0adcfa0a5aa0e9e88583584c905ffb997a25a3e285fcf1179e697fb0e7041b6ff3f6240af365685a7cdd09783b55a66214a4b56e5422cbb0

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/6f729cdd8af6b4b7_0

Filesize
322B

MD5
d2aae7688f18bc828c511468a5fac06f

SHA1
b1723a0b26083f13fef7c4bfb65ccd85d34bcf64

SHA256
d10572400761004fd09b5235efea8f73320339290f9c73eead88d67314c792a3

SHA512
416bc33ea0aa4dad7f20fe8c8f3421374885a0561dc4dd4eb961f643695cbf0947cc64b8529ebbcbfba338b556e796d056453930761640aa85695add110d0dab

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/Code Cache/js/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index

Filesize
96B

MD5
d63287650421313b7f27f8f940cee196

SHA1
72f891febc02705b4066bb340cc890152347a6b0

SHA256
80f1d184688a86ccc16c15c1aef594c984dd8b30b8bd8fce41dc352589431336

SHA512
e606efba56d6bed361b381e8ffd428b814479f7df6234db6ece888c9a96c231dd57b0788b876b626a7b4f790b2b60d7225e5700d45e8a1a972d3864c98a094b0

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index

Filesize
96B

MD5
513fa9abdf2563294f94fa0614fd3f63

SHA1
014a3bd868a72c6dee79b5d138447871170f8dec

SHA256
baa3cf3c65a953e3e46dc40b2bb05c8178958226d80a84c7b3c7a27ce2113fa7

SHA512
0a344096e2910eb8f17a80a738eba1e8707bc2af2871e96cf1d87dadb278f528e8c7007510f02145f02e1ffd02c266c703bf881cb0e31abf0fdf0caf30e598e8

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/index-dir/temp-index

Filesize
144B

MD5
925c23e0e6e7e99dffe29331e69628eb

SHA1
30e5664bb07ce9371a6acd1615d66ad7f4eb1986

SHA256
1bef225b2c3f2f65ec7f276effe2e09c4940fdc3b114ec9ebe127d27ac41a321

SHA512
6860184e08e1d34ccc9139bfa82e5a4d50b0cb64df8c167506278e67519789576c00db3177c1f091a1cc37e3f81ec619eb6473211d1b3f71180febf358100f46

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/index-dir/temp-index

Filesize
96B

MD5
9adc1d87a3cb2f8369bce9a6a2a16128

SHA1
3bec961f3d672a10bf4d3390e1ad99f4309b2033

SHA256
452a022f1a3e51532a88a60ef630fe8428b20aaae04966f8be0933e66989019c

SHA512
a7ac9615dbbb177424f0474415d4762374829870fd7b3b9c0740dcf8b0544727cc05d727862a7d30710881f54d792ef7d9bdb1c6cdd723ddcba4344a58f890b2

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/font_unique_name_table.pb

Filesize
57KB

MD5
f080fa2a56ab5479d58063e5ea871447

SHA1
4b3fd57a98916fa5784305b76ba30af26b5253d9

SHA256
0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815

SHA512
8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

Download Submit
/data/user/0/com.personal.pdf/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
97ccd9a2b2063143df56b6937f961ca4

SHA1
5e78a91ae5df289ce83443cb7d5589dd3504fb5d

SHA256
248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd

SHA512
86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

Download Submit