zanubis | 33adbff1a79da4a3fde49cececac5a6b99bf217be0c6db6cdf85a46bf2087e57

Resubmissions

25-11-2022 14:38

221125-rz2jhaec29 10

22-09-2022 17:03

220922-vk1v7scaa5 10

31-08-2022 15:17

220831-sn1y9sgacq 8

Analysis

max time kernel
2939958s
max time network
130s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
25-11-2022 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

documento_2a3d3dd.pdf.apk
Size

4.0MB
MD5

8f78df9b128eb2b0fb576269bba6a9fb
SHA1

2128c991887a80152ca36689be503eaa6afc1b1f
SHA256

33adbff1a79da4a3fde49cececac5a6b99bf217be0c6db6cdf85a46bf2087e57
SHA512

4bce2fb6b264159c0b0dad184f834ecbb8eb5f908665e9eb2d783604374fb3fe03e9cdf5a4e167e308767d6c63d7f0302e9658ccb967f22affbd4bf2cf1a49cb
SSDEEP

98304:rIQAS1Qd2ofrWB/urhQuzI6TZS+DixH8bU4bFLzbcHez0:8QAejky4To+mgU4bFLg

Score

10^/10

zanubis banker evasion infostealer trojan

Malware Config

Extracted

Family

zanubis

Signatures

Zanubis
Zanubis is an Android banking malware first seen in 2022.
infostealer trojan banker zanubis

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.personal.pdf

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.personal.pdf
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.personal.pdf

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.personal.pdf

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.personal.pdf
Acquires the wake lock. 1 IoCs

Processes:

com.personal.pdf

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.personal.pdf

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.personal.pdf

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.personal.pdf

Requests disabling of battery optimizations (often used to enable hiding in the background). 2 IoCs

evasion

Processes:

com.personal.pdf:remotecom.personal.pdf

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.personal.pdf:remote
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.personal.pdf

Removes a system notification. 1 IoCs
evasion

Processes:

com.personal.pdf

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.personal.pdf

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.personal.pdf

com.personal.pdf
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
PID:4593

com.personal.pdf:remote
1⤵
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.personal.pdf/app_webview/.com.google.Chrome.VBM2Q4

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Cookies

Filesize
64KB

MD5
dfb2098ca7b3bf16d6f5f1e7d3839af5

SHA1
ebb7a8bc886062d77a4092bd306b77a0ce7a3e9d

SHA256
e4119d32577d7fc63b267cc23eb7a9bbfb12d238f23e08918c38838fe0181224

SHA512
fccec45399258eb98220b7f01b492a72b8b3d1254dec6e196e344d89a0376c6ee24534a31a6675c866d4a17256d3ac6823657eaf04e1d386757d0cbfc6597e50

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Cookies-journal

Filesize
1KB

MD5
d4e4eee0972263acd14c7d8e61551c09

SHA1
47c31536dc2c92a1b362881e500400b03cbf7b46

SHA256
f0d223a7fed45b46f9161ccc184605e6d4abd279cac998bab526d6959eccdcf2

SHA512
69d1a1daad4b41f4a21d83e19ec5edc7e99d26c65b235f1ce05c4e1abf96aa94ddcfa19006566a2037e96de380d55272712646be31243ae6ec35e31cd0ccba3f

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/GPUCache/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/GPUCache/index-dir/temp-index

Filesize
96B

MD5
3bd2a280480d50f282acb76147f4df94

SHA1
d5b5483a6e043313612a60c7bc2bc093547e7107

SHA256
6ecdfb1cf47b43125566a21dafc5a53fdf04c11057c9ae5a0249b15b9fb4b02f

SHA512
2f9e25cfb6c751263df1854b4fd9567c80594ff01df1b635563ff9f3f8dbeafda847f12e20f96735bf56ebcbe6036a95c7094940e62ed84379e948d3c9d60c62

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Web Data

Filesize
120KB

MD5
a48cd9324b1f8754b07f00d863b840f3

SHA1
11c6614775b35a58f440971dfc87c8aaac6d6173

SHA256
8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420

SHA512
35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

Download Submit
/data/user/0/com.personal.pdf/app_webview/Default/Web Data-journal

Filesize
2KB

MD5
9e10b649637b49e4ab86e20451672677

SHA1
c3f4fe70e1d60560b6efb192ce6ba04b5eaf4afe

SHA256
90e5d7e25f6aed2da9d4f11cb12e3c0d1b4d07dbd8d4ccfb8de0c97bc873dbdb

SHA512
2f3ae64ddfa1411cc869db6a86173ae779a567f32d5f705fe5bb289965b599eb85d45c0681ca0a64fc62c73859e45ecd503807cd59efb1d4c9925542908dd5f0

Download Submit
/data/user/0/com.personal.pdf/app_webview/variations_seed_new

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.personal.pdf/app_webview/variations_stamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.personal.pdf/app_webview/webview_data.lock

Filesize
22B

MD5
b4a20f1b82eca33f2bec0f1697e103a3

SHA1
d91eb64d07ca5672c459e55fb2a6dd04e11f8257

SHA256
ca1e57005090711f2ccb105353c7c8458e6822023c693e5dbe64e0f438301a23

SHA512
2be642e7e75502a78ed4cb74b75936ac82b88c59b1b679ffebca897ba8241e18e763650bdf729960835c3a2a5a132f602061f3f876d48544b7ac915c3c44a08e

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Crashpad/settings.dat

Filesize
40B

MD5
72c528ee62b2df85452ecfe141cb0585

SHA1
bee9a67d9653229b4828d749504285989aa121a6

SHA256
72056b29b88ffcd9e247ab65057f8a31294d709d215e71afa9fd9d412023cc9c

SHA512
162a72eceea748a6d7adc930a5e9f31c34bc34b56d6df2117869e6f1bf67f032f99a3817a3f52d75832d741982e00fc51c26d58d5d671b63ab0b35e868810542

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/44e5652fb145311f_0

Filesize
3KB

MD5
14ad8de2fa816b01722cc7b5cf83779e

SHA1
257538f555ee195949e8dae8134645a069116f81

SHA256
97098abab9605b7b63d846eef7bf8831d1c3dd8042de25f5e1db4f4bf28828d4

SHA512
50843a7b2aeb105934d56835dbd7810d522a107d7c8e874b17604dfbd76450c8abbd89f848a555f65d834a031b72eed4fa0b15c56ae2434e30cf02c65f5b5984

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/6f729cdd8af6b4b7_0

Filesize
1KB

MD5
2d2dd515cf2170095586214466318e82

SHA1
1ae18c31cc26bc1cbea3036838492e9d32bcc4fe

SHA256
1e0402c0b5b6f4294cd77efdc6a6a4bd527a3c544d26148811a0b53b03bc685e

SHA512
c727d9f65cabc70b1edabcfda3f2a9a50c2cf5e68071ca91e4899ed79530a63478e6ce4c34ef04128fdd5e5d75c6d8ab76a524a389f515fc6b638c6f3c37fbea

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/Code Cache/js/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index

Filesize
96B

MD5
4d7f2db3ba7ef5d72a330b54e80cd3f4

SHA1
1b63d5635099c91fbb5dc16ef08eff57c2b4d6db

SHA256
2bd744603d97b538e1d9c7b24a4bf182785d23711d0249699b5314feb0b2298c

SHA512
a135acf55e737adfb10dffba5fe656ed73d8ad4f68a82c447bf8eed2f2868e98480be2d6e78a53094eb63bc3ddb601dcf9abd73be233664818089efb49a2cf73

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index

Filesize
96B

MD5
2df9db969ccf164c012d1e152899872d

SHA1
87a0192a097e71c148b9c0629fb0ee4a7701fe51

SHA256
b57b082e301a870861e89fa0551672c6784d536a75fddcb757e46c8e553adb63

SHA512
73efbafc11f328c4271756e1d4f4301c3b65e8de1bdc4b192bd4bc8390ca80357939bc9eaf38b7c024d62041d3bf8db90bb8ad8c08b69f771e8a5318d31724ee

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/index

Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/index-dir/temp-index

Filesize
144B

MD5
6d9fc588648552f8eef2997445b86706

SHA1
f56ece64dccd6e120e10aadb5511252538f22a40

SHA256
1bb569aa9528c2d4f4190cc1bea48c24049056a6ede4a02f75973e84ab924349

SHA512
526688c37f76033f855108f4c78d652c9e433647fb04441af26033a618af5d260c13d75a353269c98bb54c7b427d82187d7bee3a325ae79b93fb0052b2932539

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/Default/HTTP Cache/index-dir/temp-index

Filesize
192B

MD5
51e98d7f2ab5e425faf533b854199866

SHA1
6529eb6fd2413cb36c902e6541e0c337cc4c2512

SHA256
c88286b48c11acd19b880602b5cb1c46400b73320270859d34502e98d9f7fb95

SHA512
02b473d52c9e40ecc53f0696ea4a1668ae089377993a86bd292d23a31d98ecf550a6517f1056650c0bfea842f9bef32a6909bcf7aa943a4daef7fe49825405fe

Download Submit
/data/user/0/com.personal.pdf/cache/WebView/font_unique_name_table.pb

Filesize
57KB

MD5
f080fa2a56ab5479d58063e5ea871447

SHA1
4b3fd57a98916fa5784305b76ba30af26b5253d9

SHA256
0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815

SHA512
8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

Download Submit
/data/user/0/com.personal.pdf/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
97ccd9a2b2063143df56b6937f961ca4

SHA1
5e78a91ae5df289ce83443cb7d5589dd3504fb5d

SHA256
248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd

SHA512
86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

Download Submit