Analysis
-
max time kernel
1919180s -
max time network
144s -
platform
android_x86 -
resource
android-x86-arm-20220823-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system -
submitted
21-02-2023 06:11
Behavioral task
behavioral1
Sample
NitroGen(slow).apk
Resource
android-x86-arm-20220823-en
Behavioral task
behavioral2
Sample
NitroGen(slow).apk
Resource
android-x64-20220823-en
Behavioral task
behavioral3
Sample
NitroGen(slow).apk
Resource
android-x64-arm64-20220823-en
General
-
Target
NitroGen(slow).apk
-
Size
1.5MB
-
MD5
c3a0d50701c5ca687b20b30476251c60
-
SHA1
18f3f51006fa5ad7e52ea131e4e2349a33de4c1a
-
SHA256
76a5004c64a23e9b068de2e80451d2c2032d72433bf2fd7330dff931aed4b886
-
SHA512
7b9239d25578084a64ca89bf4737b7e48360091033a8add2ef1d554df6c7f7d2862be0c6add966c9a2f061c118a29df490e00a36881de381f8023e56e3a2dab1
-
SSDEEP
24576:8tTBy9cBplEJGVQXHoGy1CQmKhAtK8lK/kF8QYnp703kkCCL4HgLn2R:YMK56GVCHt0Ckhq2sFxYnSk/CL/n2R
Malware Config
Signatures
-
Anubis banker
Android banker that uses overlays.
-
Makes use of the framework's Accessibility service. 2 IoCs
Processes:
sampop.sampo.sampdescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId sampop.sampo.samp Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText sampop.sampo.samp -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
Processes:
sampop.sampo.sampdescription ioc process Framework service call android.content.pm.IPackageManager.getInstalledApplications sampop.sampo.samp -
Acquires the wake lock. 1 IoCs
Processes:
sampop.sampo.sampdescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock sampop.sampo.samp -
Requests enabling of the accessibility settings. 1 IoCs
Processes:
sampop.sampo.sampdescription ioc process Intent action android.settings.ACCESSIBILITY_SETTINGS sampop.sampo.samp -
Reads information about phone network operator.
-
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
Processes:
sampop.sampo.sampdescription ioc process Framework API call javax.crypto.Cipher.doFinal sampop.sampo.samp
Processes
-
sampop.sampo.samp1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Requests enabling of the accessibility settings.
- Uses Crypto APIs (Might try to encrypt user data).
PID:3982