Malware Analysis Report

2024-09-09 13:32

Sample ID 240718-11k3ksyepq
Target ea0ea8d61d7e8a6aef90f1d21ed65d31c3e49ca235cecee322c9dfe631414c58.bin
SHA256 ea0ea8d61d7e8a6aef90f1d21ed65d31c3e49ca235cecee322c9dfe631414c58
Tags
anubis banker collection credential_access evasion infostealer persistence stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea0ea8d61d7e8a6aef90f1d21ed65d31c3e49ca235cecee322c9dfe631414c58

Threat Level: Known bad

The file ea0ea8d61d7e8a6aef90f1d21ed65d31c3e49ca235cecee322c9dfe631414c58.bin was found to be: Known bad.

Malicious Activity Summary

anubis banker collection credential_access evasion infostealer persistence stealth trojan

Anubis banker

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Requests dangerous framework permissions

Acquires the wake lock

Requests enabling of the accessibility settings.

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-18 22:07

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-18 22:06

Reported

2024-07-18 22:19

Platform

android-x86-arm-20240624-en

Max time kernel

19s

Max time network

148s

Command Line

com.kcyhit.tjdedz

Signatures

Anubis banker

banker trojan infostealer anubis

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar N/A N/A
N/A /data/user/0/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Processes

com.kcyhit.tjdedz

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.kcyhit.tjdedz/app_files/oat/x86/lyqpustqpfi.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar

MD5 ad0b831361de0aa3ef9f15004bf8f574
SHA1 869f3107c20842e3e7897baa068731247768e6c0
SHA256 10af72e1709bece34705e9b8903d83217a645da841f5868ef1151d742c72575c
SHA512 09640c3dc9c207d977d3492540a6532de97dd00a2ecd359042922021022611fad7e96c79b5c4da5b3f55d6789a384e5ed462b37f56aec728ca86ade940b9d9bb

/data/user/0/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar

MD5 8948db9613f2e38613b46632a19b9d3f
SHA1 93267c031f65423e4f590667ae2a87535938120f
SHA256 5cdc2336d5c98e5f26f16ec19d7f875e0e8fd9b05c0f91c1eaefa040790be405
SHA512 2e5c742047649a199d96055ab9e036d5de1bc062f61082536ec31562fa8b924c80725ffe3069c034417a8d3e5fff651d25b6de67581f23f4463ca5ea2c140a4c

/data/user/0/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar

MD5 cfb34194807f3ffb4894f21fed9fe8df
SHA1 85ccd76d3f90dc37ef1d6a12a592725b9c08a3b8
SHA256 dc79fe835fcf87b7549ac799521287001ffcccab4719dbd924591ee40ac40e3a
SHA512 a750ee8b8f04cacf61158ce76ac47d49deab7fd8c5c99758dff8d99bef62a4955f534a1c4b3629d24358404a810a1cd77690b1c496c69c1d973177c4234a6a45

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-18 22:06

Reported

2024-07-18 22:19

Platform

android-x64-20240624-en

Max time kernel

15s

Max time network

162s

Command Line

com.kcyhit.tjdedz

Signatures

Anubis banker

banker trojan infostealer anubis

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Processes

com.kcyhit.tjdedz

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/data/data/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar

MD5 ad0b831361de0aa3ef9f15004bf8f574
SHA1 869f3107c20842e3e7897baa068731247768e6c0
SHA256 10af72e1709bece34705e9b8903d83217a645da841f5868ef1151d742c72575c
SHA512 09640c3dc9c207d977d3492540a6532de97dd00a2ecd359042922021022611fad7e96c79b5c4da5b3f55d6789a384e5ed462b37f56aec728ca86ade940b9d9bb

/data/user/0/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar

MD5 8948db9613f2e38613b46632a19b9d3f
SHA1 93267c031f65423e4f590667ae2a87535938120f
SHA256 5cdc2336d5c98e5f26f16ec19d7f875e0e8fd9b05c0f91c1eaefa040790be405
SHA512 2e5c742047649a199d96055ab9e036d5de1bc062f61082536ec31562fa8b924c80725ffe3069c034417a8d3e5fff651d25b6de67581f23f4463ca5ea2c140a4c

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-18 22:06

Reported

2024-07-18 22:16

Platform

android-x64-arm64-20240624-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A