anubis | 52f03644950eb5ec39f4fdcf7384dad0b84dc5dc75d4c225a6822a3b647c2a58

Analysis

max time kernel
119s
max time network
168s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
07-08-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52f03644950eb5ec39f4fdcf7384dad0b84dc5dc75d4c225a6822a3b647c2a58.apk
Size

4.3MB
MD5

735cba76a1319715acdf7385a0186f64
SHA1

e4cb87c15fe7070e3898b537916ab3b904e03d40
SHA256

52f03644950eb5ec39f4fdcf7384dad0b84dc5dc75d4c225a6822a3b647c2a58
SHA512

d70f33fdb3184ffecb3c1b0f090e20b5b275fded4efd4386454a8cfd94ed6d359f50301658f82bc0bd4eeecd3b15db0ddb4a5c3b91564993c001a0d66df33d69
SSDEEP

98304:h9Eh3VRT6zJ+UUosOmFH+cRwY34wRrG7O:h+BUYFHgIBB

Score

10^/10

anubis banker collection credential_access discovery evasion execution infostealer persistence stealth trojan

Malware Config

Extracted

Family

anubis

https://google.com

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.tencent.mm

pid process

4263 com.tencent.mm

pid	process
4263	com.tencent.mm

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.tencent.mm/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4263	com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4292	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4263	com.tencent.mm

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.tencent.mm

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

com.tencent.mm

description ioc process

Framework service call android.accounts.IAccountManager.getAccounts com.tencent.mm
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads the contacts stored on the device. 1 TTPs 1 IoCs
collection

Contact List
T1636.003

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://com.android.contacts/data/phones com.tencent.mm
Reads the content of the calendar entry data. 1 TTPs 1 IoCs
collection

Calendar Entries
T1636.001

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://com.android.calendar/events com.tencent.mm
Reads the content of the call log. 1 TTPs 1 IoCs
collection

Call Log
T1636.002

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://call_log/calls com.tencent.mm
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

com.tencent.mm

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.tencent.mm
Acquires the wake lock 1 IoCs

Processes:

com.tencent.mm

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.tencent.mm
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mm
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.tencent.mm

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.tencent.mm
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.tencent.mm

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tencent.mm
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.tencent.mm

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.tencent.mm
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.tencent.mm

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.tencent.mm
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.tencent.mm

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.tencent.mm
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.tencent.mm
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.job.IJobScheduler.schedule com.tencent.mm

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccounts	com.tencent.mm

description	ioc	process
URI accessed for read	content://com.android.contacts/data/phones	com.tencent.mm

description	ioc	process
URI accessed for read	content://com.android.calendar/events	com.tencent.mm

description	ioc	process
URI accessed for read	content://call_log/calls	com.tencent.mm

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.tencent.mm

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.tencent.mm

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tencent.mm

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.tencent.mm

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.tencent.mm

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.tencent.mm

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.tencent.mm

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm

com.tencent.mm
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the calendar entry data.
- Reads the content of the call log.
- Requests cell location
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:4263
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4292

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Location Tracking

T1430

Protected User Data

T1636

Calendar Entries

T1636.001

Call Log

T1636.002

Contact List

T1636.003

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/app_mph_dex/classes.dex

Filesize
7.8MB

MD5
052892819885e86c1833e086f8aa97a6

SHA1
579d1f18ba1a0f6720e8afeb4edf9f489a46cd50

SHA256
707cf6199c00291766834e1535ec7e6676c62094dfde1905bb395bf5c6dcd3a6

SHA512
38bbd94641c974c38fed1ec82cedc9523ee8bc3fe8f90ababa2420a3902687bd01b91df579e82e9f47421302f888655018c7c9c0ae9f67f5e5442844d0482875

Download Submit
/data/data/com.tencent.mm/app_mph_dex/oat/classes.dex.cur.prof

Filesize
580B

MD5
12da462c6446f22e2ff4544586b5ec82

SHA1
dabbcd8804f1d9c915a1f195559a3931c0d1e860

SHA256
5cefdd42a32bfd331cf820280bd39c8ef20d97a8d487c4dc741631229bd3c390

SHA512
0808b67b0badb1b59813417859c55d67a1597d2f824460f8989f211f0392ade2b1538841d75fd11aaa355849479f22692d064fe02b44e2fcf23818a499aa3a6a

Download Submit
/data/data/com.tencent.mm/databases/Dname-journal

Filesize
512B

MD5
e30cc7f10d248e5ec8ecf5c75859effa

SHA1
2b37dac417b6404a82f7fd396badb6a8912ec1b1

SHA256
03ef4b5ffe1616844a109fc9e2e60ad68375b7f8483d78e9893294a27ec332fd

SHA512
9c818a24888a0873e179eb8cfed0c993ef474622a1a31a2177cbf32d6b98bf65cdd58e492a015d119914f2dfb9d4ede27cb7cd2249cdc4f5ba47bdaab889a3dd

Download Submit
/data/data/com.tencent.mm/databases/Dname-wal

Filesize
60KB

MD5
f7cb29c4a3719350d9aabafd4360caf2

SHA1
5481e646b79a3efa2524e9b911b581d3e25aafe8

SHA256
d7c73b785021417972a6930789056adb87f511dbfa465efc0082392f18684bfe

SHA512
5a0ac8cff7ef9c8dd0486341a0ef68d1053e749873aa030c15ff0f89e81adbbfc7f08fb1bc8054e9e0cd93d199dc53dc980b16e34d2f66231d9e78e07af58172

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
512B

MD5
71f55a7f290a0cbc21a56eb6c4e26b55

SHA1
cbe5be3178a28870f88b89083e4a823658c58b5e

SHA256
5300513572a72f48ef6628ba68ad806d652c970883c95c352fca23b04fd77041

SHA512
d0fbb46043e43744f12a7d83161c6ec501ef447d423017f1cc8ee47cb374a50b7b8ea520dd3d9ea68411621234a26802ffc224f285aadd73cce760a177a4daa0

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-wal

Filesize
44KB

MD5
c0bf6a5e602d3560fef4d95243525915

SHA1
30e135e5f080a600ac151865b1eb3dc5e834fc9f

SHA256
f14667e3022ea2f685207e71a7ed4ff535f8538bbc361200c01e30cbe3498547

SHA512
a24a462bada363a959dac3c9fc9a121b544def7325c98fd333e1738e16a57c6066d1d2c274222551416597b245e997c420622be43a648182d5e38862c52633de

Download Submit
/data/data/com.tencent.mm/files/CallLogs.txt

Filesize
3B

MD5
58e0494c51d30eb3494f7c9198986bb9

SHA1
cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d

SHA256
37517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570

SHA512
b7a9336ed3a424b5d4d59d9b20d0bbc33217207b584db6b758fddb9a70b99e7c8c9f8387ef318a6b2039e62f09a3a2592bf5c76d6947a6ea1d107b924d7461f4

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
116B

MD5
ed029e45465c11182d8bb07bf8cdacbb

SHA1
137544abfa58ad3c33a44b9a77bd510ef820c629

SHA256
4d461ad83cb0de095c200ed13700594f48c42d3bf84a91dca1aa6da9ba488861

SHA512
196c6ecf6686b188ea7c90385844660a7935e5eb15f14e9ec5eccd441feeaeda7733fc0fed7329173d58dd070de4ab2546127bfdbb3f05532ccf1f3a86815ccb

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
126B

MD5
85672edb2b3586f4db9533cfe23d8208

SHA1
29e99e525d8a8c11044157ad512c4070410d5c07

SHA256
1a0c8673b91f9f67e76cde9dd579341ca6f2bc921e5fd32360791f713e6dac5a

SHA512
a8a6f6874ca6e9bd67c8925e8c01ab81ba2fdbbd3222cc26796e5b7dfc65a80fb83d648204c05e64cb45f5a70b1d953c8f943ca8a47ba74cc7c501785abfe454

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
116B

MD5
1a0c7bf472da1370e94f62d60afe6290

SHA1
61455edca702f6cd9c6d3611bb955405ebf65cbf

SHA256
271b112418481720280b2151fc78b0d19ac3e55b830eb04444bc35608b6a8ee7

SHA512
a864267c29850a16c8b81834603886047dff54043d06156450bdcae457b2430fe17613a3d64dfc13751f948684e967742b1d53bdbd42c3e89df212c55b254032

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
126B

MD5
8440cceed036300bab9d7ce759dec92a

SHA1
275e26ee4b7015147bfa9c4a4cb99623acd4b7c0

SHA256
c1042a6fe97dd340955605016e716cc08534ae7d82e5f48ddb0e93c95a67b83e

SHA512
24c75931ca8c0cca2cef231da48b749ae45efa9437262ec9e6ebf22978aba2f2e23dc636e244475adbbe98f9f436c87d7484352f212f094bccbc49b57db84978

Download Submit
/data/data/com.tencent.mm/files/Tree.txt

Filesize
281B

MD5
abbfac4f0d31c82830f82d107f60c0ce

SHA1
71c9e652bb8ff7d3d719471678486a1edadd050e

SHA256
abe52d9137035060e610d1633bee269ab8a19620df3cbd80ca40d822ea090a57

SHA512
5c8359f69fa0670441123fc7eda0b077d4da4493c9df3f26543c91ed7e69e0bcaee06ada0873ca3d6968ec92bad9d3d207d99d0539335812c9ac657b93b3d8db

Download Submit
/data/data/com.tencent.mm/files/accounts.txt

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
/data/data/com.tencent.mm/files/netinfo.txt

Filesize
609B

MD5
29d8025a9e9a8f245ef9d95b87b7907a

SHA1
42a63c24e50eb68ac344d5b25a95f946616ee112

SHA256
fce2ba61485c2f40f7c8db647442c88efec5f0a4e47776b81fe71ee85ac8b307

SHA512
370d21d10df40cf84018230d825b4deb06dcad53adbe9562ecd8833541c58baee1044e1e9ac710400ff5afa22af83a76bba9bfd57134afdfe3f49e577f62e31a

Download Submit
/data/data/com.tencent.mm/files/pkinfo.txt

Filesize
5KB

MD5
b347f6188ee025209e17f01cfa375d5a

SHA1
098682537f524c32d6be1e2a99b6a8a3e1b320d8

SHA256
7fece2f8e545a48c3b15c5cafa9a903c9bbe86de0320da217e856566bee13bec

SHA512
88a026ab14001c6ad2c51432870691bcc2c95d2e1497380af1b1ce1c80bbbcc94a4f6bccee31a9edfec3ccc634a89f0b910b0ee0b9a75cba6be555ea37d52ffa

Download Submit
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex

Filesize
7.8MB

MD5
f866832a60ac0382240bbabd3d20985d

SHA1
b16ad43ba38050a8b5f18436c89ffc0dc76783d5

SHA256
f201447be2e400e03a318b879c09cc1375b2679d4804f027394dd904e45e8afe

SHA512
7254d519b5e5471586ea64dfddef6e65f2d763912490281dd2c3331dce5648e778472c08d312ba69efc7449bc6fe912579c96d1fe3863968b6b798f93b3531e5

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-08-07.txt

Filesize
12B

MD5
a9256f55737b655c8cff95418411997c

SHA1
d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24

SHA256
bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412

SHA512
10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-08-07.txt

Filesize
12B

MD5
e48057c3603c907cacbe1568a7dbfc41

SHA1
6e100086b53e20e499a9be069aa1b452faf82ba3

SHA256
4b36685dbf772b2de007f4c98f824966f4f3a132075692d3d3d8f11e84e5468e

SHA512
787e1140832e8c308039f0287ee801c00040544d5241425b0c0c8e8dc19ecf3feefa50706723f7a21be209c13b24ab3dbe0691ec42118fdfe18611b13155fb9a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-08-07.txt

Filesize
267B

MD5
cb0b0c34caf7d1ecdf4b2c506fd566d3

SHA1
80f7d29156890eca87a10ca1b8fdece867d9b7cc

SHA256
a8012788df8b83994d196fc55884affe5ccbcc27de5550959b57cec030d3c1ef

SHA512
a6d462191b37097a75d0c0a9328e94232981d69ee610ec9fd011bbf636bebeff6bc9a51d8a3936474c1295dab0a7257ee1122c41f926f090e7f2428c2626f484

Download Submit