zanubis | 33adbff1a79da4a3fde49cececac5a6b99bf217be0c6db6cdf85a46bf2087e57

Resubmissions

25-11-2022 14:38

221125-rz2jhaec29 10

22-09-2022 17:03

220922-vk1v7scaa5 10

31-08-2022 15:17

220831-sn1y9sgacq 8

Analysis

max time kernel
1714035s
max time network
160s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
22-09-2022 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

documento_2a3d3dd.pdf.apk
Size

4.0MB
MD5

8f78df9b128eb2b0fb576269bba6a9fb
SHA1

2128c991887a80152ca36689be503eaa6afc1b1f
SHA256

33adbff1a79da4a3fde49cececac5a6b99bf217be0c6db6cdf85a46bf2087e57
SHA512

4bce2fb6b264159c0b0dad184f834ecbb8eb5f908665e9eb2d783604374fb3fe03e9cdf5a4e167e308767d6c63d7f0302e9658ccb967f22affbd4bf2cf1a49cb
SSDEEP

98304:rIQAS1Qd2ofrWB/urhQuzI6TZS+DixH8bU4bFLzbcHez0:8QAejky4To+mgU4bFLg

Score

10^/10

zanubis banker evasion infostealer trojan

Malware Config

Extracted

Family

zanubis

92.38.132.217

Signatures

Zanubis
Zanubis is an Android banking malware first seen in 2022.
infostealer trojan banker zanubis

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.personal.pdf

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.personal.pdf
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.personal.pdf

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.personal.pdf

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.personal.pdf
Acquires the wake lock. 1 IoCs

Processes:

com.personal.pdf

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.personal.pdf

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.personal.pdf

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.personal.pdf

Requests disabling of battery optimizations (often used to enable hiding in the background). 2 IoCs

evasion

Processes:

com.personal.pdfcom.personal.pdf:remote

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.personal.pdf
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.personal.pdf:remote

Removes a system notification. 1 IoCs
evasion

Processes:

com.personal.pdf

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.personal.pdf

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.personal.pdf

com.personal.pdf
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
PID:4632

com.personal.pdf:remote
1⤵
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4891

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.personal.pdf/app_webview/.com.google.Chrome.HZofF7

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Cookies

Filesize
64KB

MD5
dfb2098ca7b3bf16d6f5f1e7d3839af5

SHA1
ebb7a8bc886062d77a4092bd306b77a0ce7a3e9d

SHA256
e4119d32577d7fc63b267cc23eb7a9bbfb12d238f23e08918c38838fe0181224

SHA512
fccec45399258eb98220b7f01b492a72b8b3d1254dec6e196e344d89a0376c6ee24534a31a6675c866d4a17256d3ac6823657eaf04e1d386757d0cbfc6597e50

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Cookies-journal

Filesize
1KB

MD5
a22eef2900f6bef92eb3a2f05bc4b00b

SHA1
f8602ce7db611f326ddcb7876b4be551725b201f

SHA256
d0dcaedf3508bdbc1772947d286f0bb1b5b49c801bd98965f81983affb9d3f21

SHA512
1029e2572676b6b51d9bbda1a95a23be19c7fa1cc500aa19c772fc45e99100f5f4d5e29227e3c2ae0f7d638c195bee24cf8c4327d17e3d11fea1fcf2fc46ff89

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/GPUCache/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/GPUCache/index-dir/temp-index

Filesize
96B

MD5
8bc7699d773af049996a701ed913bab9

SHA1
874fb1fa87bc05d98d73941f0ec569a997a3e87f

SHA256
fdab28b19a2bfa8e54b5317589ef2b2b8881b8ea757ea3e7a3d814f8e2769349

SHA512
a43a1dfcccd965ab60a2fc860080529d77bd0319e0a8d7276271b59ea4d7836bbc606a8b5d4ee6baaee6abda88cd95403f4150bb56f7d4e851d5e909c4dfc0c4

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Web Data

Filesize
120KB

MD5
a48cd9324b1f8754b07f00d863b840f3

SHA1
11c6614775b35a58f440971dfc87c8aaac6d6173

SHA256
8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420

SHA512
35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Web Data-journal

Filesize
2KB

MD5
39aec1051914c83f21a4dd9fda3bd525

SHA1
d9590c1a8d98732c0f1a123d9043a67e8f9fb36b

SHA256
8d805e33f05008b77ff9fccd396a27bff0aba147b130e495b92b57953d7bd885

SHA512
0767f10d8c5aec3f12a61b295060c8bdd7421d4377d1a88a1615924c42e607cdc2a96db7f9dfa7b08b65275877e0bdb3d44acfae0241295896dd9a13c9ccc7eb

Download Submit
/data/user/0/com.personal.pdf/app_webview/variations_seed_new

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.personal.pdf/app_webview/variations_stamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.personal.pdf/app_webview/webview_data.lock

Filesize
22B

MD5
8ca94124196ba24846410bef0d8b050a

SHA1
eeb5b27c37bdc18b8c13bd384d5b98c88b0c265b

SHA256
a6350dd18244fcb2d8f36ec8b77563efcd70f80772a160972a6f464b03749479

SHA512
83fb346308185b3a50fb68dadd8437daec7c7b104cdbeba8fb0efd33f892a9aaf8067cd9ec1e578c41a71bd81a2339c8e16b0ada7a5dc6e7be08be396a02b182

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Crashpad/settings.dat

Filesize
40B

MD5
18c55b80312fa000dae26cdaa355af38

SHA1
81bff03be19f0879d827a659ac4821ab20f5f685

SHA256
52c085e32c0f2530061578d67f614c08c30a77b9fac962bb4483dc54686ec3f2

SHA512
e60fa4269848ff5c24cb8030f9120e8d7d76373868e4204ec51bb55ffcef53a13ca24201ccbdb4cf7b909c2142a563f3df2d8b9c3821eecf85e30d39efd1d930

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/6f729cdd8af6b4b7_0

Filesize
322B

MD5
d2aae7688f18bc828c511468a5fac06f

SHA1
b1723a0b26083f13fef7c4bfb65ccd85d34bcf64

SHA256
d10572400761004fd09b5235efea8f73320339290f9c73eead88d67314c792a3

SHA512
416bc33ea0aa4dad7f20fe8c8f3421374885a0561dc4dd4eb961f643695cbf0947cc64b8529ebbcbfba338b556e796d056453930761640aa85695add110d0dab

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/Code Cache/js/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index

Filesize
96B

MD5
00e8a000044c2f786190c6aaea5bf6f8

SHA1
422edcb462dff6826cb63ef19568357212c2eda6

SHA256
cead807069501433724464dfaa7dd4ea99f0361f04e5291e1cbdb609d65fd9d1

SHA512
869e1838e528d880c0fd371a7d95d922df2900e52a1321437f7faaa584624536e2144b1944d16003153ad41cefa476a43963ffaa1ed0f698686b27e61c5fef90

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index

Filesize
96B

MD5
184d2e6888a5dc560fda5f5f9dd0cbe5

SHA1
b184087f904a28ac58445f43331f6ca98073a863

SHA256
be78c358f687a9fc5455f17b238b03c96b65deca0de9ed286357fc1f71eb19a3

SHA512
144139bb250c0e1e5e9ae642a3b151dab11fc8b6b915d8c4de4518956df5e54446df228270db06ca30c529be3ef02027019577ed8838b88cc0ce4aa6682f8afe

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/index-dir/temp-index

Filesize
144B

MD5
dd0f411ef9dcaf5f9b000659704aac66

SHA1
a8114608e65d45a8d0db0f46d03740df822fe91b

SHA256
145eadc5b2552c60e8b6b69e71fba9403fe967f9f962e6d7e80e3c18816aed3e

SHA512
626e29829b10a0e52ac44a9f01b0b8f23796b6027e76d993474b180defbb4fc506ffac1732915c23842b5107d533c2470a4030f4b8584af0315c118b8094c9dc

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/index-dir/temp-index

Filesize
96B

MD5
2c2c94ca2b77d242d29b8c25bfb184df

SHA1
93601b2ac1ef7cecc617e116a95f963827b690ab

SHA256
8d63257b4130c51837eaf0577d7803095f9ba2b5fcff2839b545bcd43c4fb755

SHA512
1bfc07f3572e5d8cb792c689d7367f7c643986ea6c68cb423c892405157958908d8f53a946178204dd084f5ca77353c98f9a3dc6c2bfe3cbb8639ebf71dd2226

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/font_unique_name_table.pb

Filesize
57KB

MD5
f080fa2a56ab5479d58063e5ea871447

SHA1
4b3fd57a98916fa5784305b76ba30af26b5253d9

SHA256
0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815

SHA512
8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

Download Submit
/data/user/0/com.personal.pdf/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
97ccd9a2b2063143df56b6937f961ca4

SHA1
5e78a91ae5df289ce83443cb7d5589dd3504fb5d

SHA256
248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd

SHA512
86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

Download Submit