Analysis
- max time kernel: 18s
- max time network: 19s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-04-2024 16:56
General
- Target: Anubis 2.5 ( Android Banking Botnet ) Panel + APK file.exe
- Size: 268KB
- MD5: 58d328c859ed26102d84959e95de9bca
- SHA1: d40750fd353b093a0418b167eccd4c2124c64594
- SHA256: 71e944842708dde91a617790c517a3295db2ea867f894c4f465bfee2977fbe38
- SHA512: 8818c5f35e86d902e59d16a8bc945038e6eec4fabb442fd5c015d617c7150e56c71717a199fa82f4c08d8e9d9181fdf23f0ddba83d734e6f2c5e40a00a17565e
- SSDEEP: 6144:rcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37PpdHQd:rcW7KEZlPzCy37Rde
Malware Config
Extracted family: darkcomet
- ip: kvejo991.ddns.net:1604
- mutex: DC_MUTEX-B1GXAHA
- InstallPath: winlogon.exe
- gencode: w3TGdlYWXTQL
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: windows

Despite a file name advertising an Anubis Android banking panel, the extracted configuration identifies the payload as a DarkComet RAT build: it reports to kvejo991.ddns.net on TCP port 1604 (DarkComet's default), installs a copy of itself as winlogon.exe, persists through a Run value named "windows", and has the offline keylogger enabled. Every one of these settings is matched by a behaviour in the Signatures section below.
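The fields above are what a config extractor pulls out of the binary. The following is an added example, not the sandbox's extractor and not code from the sample, showing how a DarkComet 5.x configuration is decoded into exactly these fields. It assumes the widely documented layout: the settings live in an RCDATA resource named DCDATA as a hex string that RC4-decrypts (key "#KCMDDC51#-890" for 5.1, "#KCMDDC5#-890" for 5.0) to KEY={VALUE} lines between "#BEGIN DARKCOMET DATA --" and "#EOF DARKCOMET DATA --". The mapping of raw keys onto the report's names (EDTPATH to InstallPath, KEYNAME to reg_key, PERSINST to persistence, OFFLINEK to offline_keylogger) follows public DarkComet parsers and is an assumption here. The resource blob in the block is constructed by encrypting a plaintext that reproduces this report's values; it was not carved from the binary.

```python
"""Decode a DarkComet 5.x DCDATA resource into the fields shown under Malware Config.

Added example (not the sandbox's extractor). Resource layout, version keys and
field mapping are assumptions documented in the lead-in; the sample blob is
CONSTRUCTED by encrypting a plaintext that mirrors this report's values.
"""
import re
from typing import Dict, Tuple

# Version-specific RC4 keys (assumed from public DarkComet analyses).
DARKCOMET_KEYS = {
    "5.1": b"#KCMDDC51#-890",
    "5.0": b"#KCMDDC5#-890",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config_text(text: str) -> Dict[str, str]:
    """Turn KEY={VALUE} lines into a dict; the BEGIN/EOF marker lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = re.fullmatch(r"([A-Z0-9]+)=\{(.*)\}", line.strip())
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def decode_dcdata(resource_hex: str) -> Tuple[str, Dict[str, str]]:
    """Try each known version key; the correct one reveals the BEGIN marker."""
    blob = bytes.fromhex(resource_hex)
    for version, key in DARKCOMET_KEYS.items():
        plain = rc4(key, blob)
        if plain.startswith(b"#BEGIN DARKCOMET DATA"):
            return version, parse_config_text(plain.decode("latin-1"))
    raise ValueError("no known DarkComet key decrypts this blob")


def to_report_fields(cfg: Dict[str, str]) -> Dict[str, object]:
    """Map raw config keys onto the report's field names (mapping assumed)."""
    return {
        "ip": cfg["NETDATA"].split("|"),  # NETDATA may carry several host:port pairs
        "mutex": cfg["MUTEX"],
        "InstallPath": cfg.get("EDTPATH"),
        "gencode": cfg["GENCODE"],
        "install": cfg.get("INSTALL") == "1",
        "offline_keylogger": cfg.get("OFFLINEK") == "1",
        "persistence": cfg.get("PERSINST") == "1",
        "reg_key": cfg.get("KEYNAME"),
    }


# CONSTRUCTED sample: plaintext reproducing the report's values, encrypted with the 5.1 key
# and hex-encoded the way the resource is stored.
SAMPLE_PLAINTEXT = (
    "#BEGIN DARKCOMET DATA --\r\n"
    "MUTEX={DC_MUTEX-B1GXAHA}\r\n"
    "NETDATA={kvejo991.ddns.net:1604}\r\n"
    "GENCODE={w3TGdlYWXTQL}\r\n"
    "INSTALL={1}\r\n"
    "EDTPATH={winlogon.exe}\r\n"
    "KEYNAME={windows}\r\n"
    "PERSINST={1}\r\n"
    "OFFLINEK={1}\r\n"
    "#EOF DARKCOMET DATA --\r\n"
)
SAMPLE_DCDATA_HEX = rc4(DARKCOMET_KEYS["5.1"], SAMPLE_PLAINTEXT.encode("latin-1")).hex().upper()

if __name__ == "__main__":
    version, cfg = decode_dcdata(SAMPLE_DCDATA_HEX)
    print("DarkComet", version)
    for name, value in to_report_fields(cfg).items():
        print(f"  {name}: {value}")
```

On a real sample the hex string is read out of the DCDATA resource (for example with pefile) and passed to decode_dcdata; trying the version keys in turn and checking for the BEGIN marker is also how the build version is recovered when the binary is packed, as this one is with UPX.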
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Process: Anubis 2.5 ( Android Banking Botnet ) Panel + APK file.exe (PID 1180)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\winlogon.exe"
  The stock value is "C:\Windows\system32\userinit.exe," on its own; appending a second path makes Winlogon launch the dropped copy at every interactive logon, independently of the Run value set below. Note that this write is to HKLM, so it succeeded only because the sandbox ran the sample with administrative rights.
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
- attrib.exe (PID 4368)
- attrib.exe (PID 820)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Process: Anubis 2.5 ( Android Banking Botnet ) Panel + APK file.exe (PID 1180)
  Key value queried: \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation
Deletes itself (1 IoC)
- notepad.exe (PID 2164)

Executes dropped EXE (1 IoC)
- winlogon.exe (PID 2984)
Matches yara rule upx (UPX-packed executable, 5 IoCs)
- behavioral1/memory/1180-0-0x0000000000400000-0x00000000004C0000-memory.dmp: upx
- C:\Users\Admin\AppData\Roaming\winlogon.exe: upx
- behavioral1/memory/2984-63-0x0000000000400000-0x00000000004C0000-memory.dmp: upx
- behavioral1/memory/1180-66-0x0000000000400000-0x00000000004C0000-memory.dmp: upx
- behavioral1/memory/2984-68-0x0000000000400000-0x00000000004C0000-memory.dmp: upx
The original process (1180) and the dropped copy (2984) match at the same image range, 0x400000-0x4C0000, so the same UPX-packed image is running twice; static tooling should unpack it (upx -d) before looking for the DarkComet configuration.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Process: Anubis 2.5 ( Android Banking Botnet ) Panel + APK file.exe (PID 1180)
  Set value (str): \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\Users\Admin\AppData\Roaming\winlogon.exe"
- Process: winlogon.exe (PID 2984)
  Set value (str): \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\Users\Admin\AppData\Roaming\winlogon.exe"
The value name "windows" is the reg_key from the extracted config, and the dropped copy re-asserts the value on start; a per-user Run value needs no elevation, unlike the Userinit change above.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
- Process: Anubis 2.5 ( Android Banking Botnet ) Panel + APK file.exe (PID 1180)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Both the submitted sample (PID 1180) and the dropped copy winlogon.exe (PID 2984) adjust the same 24 privileges on their own token, 24 IoCs each:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges with LUIDs 33, 34, 35 and 36 (reported by number only).
Requesting every privilege the token carries, SeDebugPrivilege included, is a blanket request rather than a targeted one; the identical list from both processes is expected, since winlogon.exe is the same DarkComet image installed under a new name.
Suspicious use of SetWindowsHookEx (1 IoC)
- winlogon.exe (PID 2984)
SetWindowsHookEx is the API used to install keyboard hooks; a hook installed by the persistent copy is consistent with the offline_keylogger=true setting in the extracted config.
Suspicious use of WriteProcessMemory (54 IoCs)
Writer -> target (each cross-process write is one IoC):
- 1180 Anubis 2.5 ( Android Banking Botnet ) Panel + APK file.exe -> 2532 cmd.exe (3 writes)
- 1180 Anubis 2.5 ( Android Banking Botnet ) Panel + APK file.exe -> 4820 cmd.exe (3 writes)
- 1180 Anubis 2.5 ( Android Banking Botnet ) Panel + APK file.exe -> 2164 notepad.exe (repeated writes)
- 2532 cmd.exe -> 820 attrib.exe (3 writes)
- 4820 cmd.exe -> 4368 attrib.exe (3 writes)
- 1180 Anubis 2.5 ( Android Banking Botnet ) Panel + APK file.exe -> 2984 winlogon.exe (3 writes)
- 2984 winlogon.exe -> 1248 notepad.exe (repeated writes)
The three writes per ordinary child (cmd.exe, attrib.exe, winlogon.exe) are the ones that accompany every CreateProcess call. The remaining 36 IoCs are the repeated writes into the two notepad.exe children that were started with no arguments, which is the pattern of code injection into a freshly spawned host process. It also explains why "Deletes itself" is attributed to notepad.exe (PID 2164): the code injected into that child removes the original sample after the copy in AppData\Roaming is in place.
Views/modifies file attributes (1 TTP, 2 IoCs)
- attrib.exe (PID 820)
- attrib.exe (PID 4368)
Processes
- C:\Users\Admin\AppData\Local\Temp\Anubis 2.5 ( Android Banking Botnet ) Panel + APK file.exe (PID 1180, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Anubis 2.5 ( Android Banking Botnet ) Panel + APK file.exe"
  Signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2532, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Anubis 2.5 ( Android Banking Botnet ) Panel + APK file.exe" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 820, depth 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\Anubis 2.5 ( Android Banking Botnet ) Panel + APK file.exe" +s +h
      Signatures: Sets file to hidden; Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 4820, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 4368, depth 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures: Sets file to hidden; Views/modifies file attributes
  - C:\Windows\SysWOW64\notepad.exe (PID 2164, depth 2)
    Command line: notepad
    Signatures: Deletes itself
  - C:\Users\Admin\AppData\Roaming\winlogon.exe (PID 2984, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\winlogon.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (PID 1248, depth 3)
      Command line: notepad

The image paths sit under SysWOW64 although the command lines name System32: the sample is 32-bit, so WoW64 file-system redirection maps its System32 references to SysWOW64. The sequence is the standard DarkComet install: hide the original file and its Temp directory with attrib +s +h, spawn a blank notepad.exe as an injection host, copy itself to AppData\Roaming\winlogon.exe, start the copy, and let the injected notepad.exe delete the original.
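The registry writes, the Geo\Nation lookup and the attrib command lines above are the observables a detection engineer would turn into rules. The following is an added example, not the sandbox's own detection logic and not code from the sample, that runs that logic over a constructed list of Sysmon-style records mirroring this report's IoCs (registry value set, registry value query, process create) plus benign controls that must not fire. The record layout (type/key/data/cmdline/pid) is this example's own, and the ATT&CK IDs are added here rather than taken from the report: Userinit tampering T1547.004, Run keys T1547.001, attrib +h T1564.001, the Geo\Nation lookup T1614. Note that the Userinit check flags any executable beyond the stock one, not just this sample's path, and the Run-key check generalises to any user-writable location or any core-binary name used from outside the system directories.

```python
"""Flag this report's persistence and evasion IoCs in endpoint telemetry.

Added example (not the sandbox's detection logic). Runs over CONSTRUCTED
Sysmon-style records that mirror the report; record layout and ATT&CK IDs
are this example's own choices, documented in the lead-in.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Core Windows binary names that droppers borrow for their copy (assumed, not exhaustive).
IMPERSONATED = {"winlogon.exe", "userinit.exe", "csrss.exe", "lsass.exe", "svchost.exe"}
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\programdata\\")
ATTRIB_FLAG = re.compile(r"[+-][a-z]|/[sdl]", re.IGNORECASE)


def normalise(path: str) -> str:
    """Drop surrounding quotes and lower-case (Windows paths are case-insensitive)."""
    return path.strip().strip('"').lower()


def userinit_extras(value: str) -> List[str]:
    """Executables in a Winlogon\\Userinit value other than the stock userinit.exe."""
    parts = [normalise(p) for p in value.split(",")]
    return [p for p in parts if p and p != DEFAULT_USERINIT]


def masquerading_system_name(path: str) -> bool:
    """A core-binary name used from outside the real system directories."""
    p = PureWindowsPath(normalise(path))
    return p.name in IMPERSONATED and str(p.parent) not in SYSTEM_DIRS


def in_user_writable_dir(path: str) -> bool:
    return any(marker in normalise(path) for marker in USER_WRITABLE)


def attrib_hidden_target(cmdline: str) -> Optional[str]:
    """Path hidden by an 'attrib ... +h' command line (flags in any order), else None."""
    m = re.search(r'attrib(?:\.exe)?"?\s+(.+)$', cmdline, re.IGNORECASE)
    if not m:
        return None
    tokens = re.findall(r'"[^"]+"|\S+', m.group(1))  # quoted paths stay one token
    flags = {t.lower() for t in tokens if ATTRIB_FLAG.fullmatch(t)}
    targets = [t.strip('"') for t in tokens if not ATTRIB_FLAG.fullmatch(t)]
    return targets[0] if "+h" in flags and targets else None


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per IoC, tagged with the ATT&CK technique it maps to."""
    findings: List[Dict[str, str]] = []

    def hit(technique: str, what: str, ev: Dict[str, str], detail: str) -> None:
        findings.append({"technique": technique, "what": what, "pid": ev["pid"], "detail": detail})

    for ev in events:
        if ev["type"] == "reg_set":
            key = ev["key"].lower()
            if key.endswith("\\winlogon\\userinit"):
                for extra in userinit_extras(ev["data"]):
                    hit("T1547.004", "extra executable appended to Userinit", ev, extra)
            elif "\\currentversion\\run\\" in key:
                if in_user_writable_dir(ev["data"]) or masquerading_system_name(ev["data"]):
                    hit("T1547.001", "Run value points to user-writable or masquerading path", ev, ev["data"])
        elif ev["type"] == "reg_query":
            if ev["key"].lower().endswith("\\control panel\\international\\geo\\nation"):
                hit("T1614", "Geo\\Nation lookup (possible geofence)", ev, ev["key"])
        elif ev["type"] == "proc_create":
            target = attrib_hidden_target(ev["cmdline"])
            if target:
                hit("T1564.001", "attrib +h hides a path", ev, target)
    return findings


# CONSTRUCTED telemetry mirroring the report (PIDs as in the process tree) plus benign controls.
SID = "S-1-5-21-1132431369-515282257-1998160155-1000"
USERINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit"
RUN_BASE = r"HKU\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" % SID
DROPPED = r"C:\Users\Admin\AppData\Roaming\winlogon.exe"
EVENTS = [
    {"type": "reg_set", "pid": "1180", "key": USERINIT_KEY,
     "data": r"C:\Windows\system32\userinit.exe," + DROPPED},
    {"type": "reg_set", "pid": "1180", "key": RUN_BASE + r"\windows", "data": DROPPED},
    {"type": "reg_set", "pid": "2984", "key": RUN_BASE + r"\windows", "data": DROPPED},
    {"type": "reg_query", "pid": "1180", "key": r"HKU\%s\Control Panel\International\Geo\Nation" % SID},
    {"type": "proc_create", "pid": "820", "cmdline":
     r'attrib "C:\Users\Admin\AppData\Local\Temp\Anubis 2.5 ( Android Banking Botnet ) Panel + APK file.exe" +s +h'},
    {"type": "proc_create", "pid": "4368", "cmdline": r'attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'},
    # Benign controls: stock Userinit, a vendor Run value under Program Files, attrib without +h.
    {"type": "reg_set", "pid": "700", "key": USERINIT_KEY, "data": r"C:\Windows\system32\userinit.exe,"},
    {"type": "reg_set", "pid": "700", "key": RUN_BASE + r"\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"type": "proc_create", "pid": "701", "cmdline": r'attrib -r "C:\Users\Admin\Documents\notes.txt"'},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['technique']:10} pid {f['pid']:>5}  {f['what']}: {f['detail']}")
```

Running it yields six findings, one per malicious record and none for the controls. The cmd.exe /k wrappers in the process tree would also match attrib_hidden_target, so in production dedupe on the target path or key on the leaf attrib.exe process only.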
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 268KB
  MD5: 58d328c859ed26102d84959e95de9bca
  SHA1: d40750fd353b093a0418b167eccd4c2124c64594
  SHA256: 71e944842708dde91a617790c517a3295db2ea867f894c4f465bfee2977fbe38
  SHA512: 8818c5f35e86d902e59d16a8bc945038e6eec4fabb442fd5c015d617c7150e56c71717a199fa82f4c08d8e9d9181fdf23f0ddba83d734e6f2c5e40a00a17565e