Analysis

  • max time kernel
    37s
  • max time network
    181s
  • platform
    android_x64
  • resource
    android-x64-20240611.1-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240611.1-en, locale:en-us, os:android-10-x64, system
  • submitted
    15-06-2024 01:47

General

  • Target

    ac78fe3a2934efdfda73727906502f6a_JaffaCakes118.apk

  • Size

    2.9MB

  • MD5

    ac78fe3a2934efdfda73727906502f6a

  • SHA1

    ce34fa87b1020f5706b460453922e719b155184f

  • SHA256

    3ddb43b421adc9d90502d39ce68a76a3ed9addcc7866f270deb3d8effefa9e4e

  • SHA512

    a21633fef057a9c03ced6a941d10bc622cb14ce6e51069087a36a8dcf495d369bdbb431ba6b31cb37b957492ed7199075ff666228f322b9dd0a8827aa35f361e

  • SSDEEP

    49152:KaR7+JaR7+IaR7+yzEEaR7+MaR7+K3cT0Yke6kmLYT2pxcICwVUGECJ4lGXT07UT:Rd+kd+fd+qmd+rd+W5YV6d67GzJaK

Malware Config

Extracted

Family

anubis

C2

http://xyz5xyz.ru

Signatures

  • Anubis banker

    Android banker that uses overlays.

  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about active data network (1 TTP, 1 IoC)
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)

Processes

  • qzabtmqofwaduixtloxxhgmw.eypxexmbx.dayfacukeqdwdenk
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Listens for changes in the sensor environment (might be used to detect emulation)
    PID:5174

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/qzabtmqofwaduixtloxxhgmw.eypxexmbx.dayfacukeqdwdenk/app_DynamicOptDex/PwO.json

    Filesize

    1.1MB

    MD5

    1bf371df8039cf9dd9969676e3e68cee

    SHA1

    7ac73763481f66dc744d1329f983e765b5b530bb

    SHA256

    5b62cd3de8b4303723a11105e369da98bfad52cc7cfbe34065ac896371d10cc1

    SHA512

    7c9f6bf767fcfc56bccc236f0ad98c7af6ecddd2084945201f2bdf22bdc60fae228fad2994460d674eb57dc7d5b0e3e28d8133ddfc6a5c1f5cc9e884145b05f7

  • /data/data/qzabtmqofwaduixtloxxhgmw.eypxexmbx.dayfacukeqdwdenk/app_DynamicOptDex/PwO.json

    Filesize

    1.1MB

    MD5

    27c934a731fa515726efdfa96c55bd18

    SHA1

    b24bd3dce2f05ab3b64e342390b80d55dec979c4

    SHA256

    4b0e8c71237a2be2fc8380f87e081cf8ab687f59a1b7455f3095f5fa45bfa2c9

    SHA512

    04959e2a1ae7682151dc1a811a5db23bbd99c0519c30aae0b21f16c6d76b6f3a3b497e9e59d9d35940ec471740d379c52a93599ab1119a60b92bd12e96415602