anubis | 6da7455687a088fa36c41dae265a0a47ec1d6e245a980f7a4e5d7dea1c823ad4

Analysis

max time kernel
50s
max time network
187s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
11-08-2024 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6da7455687a088fa36c41dae265a0a47ec1d6e245a980f7a4e5d7dea1c823ad4.apk
Size

4.3MB
MD5

14d0c33d315f6a352e949351ad371ab5
SHA1

77fc3f0b5365792735268bd4fef8de56468a12ec
SHA256

6da7455687a088fa36c41dae265a0a47ec1d6e245a980f7a4e5d7dea1c823ad4
SHA512

46aac4e0db1899bc8eaf53981f459a6125ceb3c965c2fbe8f970045039e6238cfd807b4a43120217857c8799965878cb6890cd22b667276e32fa95617e863653
SSDEEP

98304:0EErOH3BDuW/iXTgS1X+nbhwnRjb62/FV4pv5zMT/karG7Q:0kH3BDu78bindb62//4HS/PJ

Score

10^/10

anubis banker collection credential_access discovery evasion execution infostealer persistence stealth trojan

Malware Config

Extracted

Family

anubis

https://google.com

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis
Removes its main activity from the application launcher 1 TTPs 3 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.tencent.mm

pid process

4545 com.tencent.mm
4545 com.tencent.mm
4545 com.tencent.mm

pid	process
4545	com.tencent.mm
4545	com.tencent.mm
4545	com.tencent.mm

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.tencent.mm

ioc	pid	process
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4545	com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4545	com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex (deleted)	4545	com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex (deleted)	4545	com.tencent.mm

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.tencent.mm

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

com.tencent.mm

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser com.tencent.mm
Reads the contacts stored on the device. 1 TTPs 1 IoCs
collection

Contact List
T1636.003

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://com.android.contacts/data/phones com.tencent.mm
Reads the content of the calendar entry data. 1 TTPs 1 IoCs
collection

Calendar Entries
T1636.001

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://com.android.calendar/events com.tencent.mm
Reads the content of the call log. 1 TTPs 1 IoCs
collection

Call Log
T1636.002

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://call_log/calls com.tencent.mm
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

com.tencent.mm

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.tencent.mm
Acquires the wake lock 1 IoCs

Processes:

com.tencent.mm

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.tencent.mm
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mm
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.tencent.mm

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.tencent.mm
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.tencent.mm

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tencent.mm
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.tencent.mm

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.tencent.mm
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.tencent.mm

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.tencent.mm
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.job.IJobScheduler.schedule com.tencent.mm

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.tencent.mm

description	ioc	process
URI accessed for read	content://com.android.contacts/data/phones	com.tencent.mm

description	ioc	process
URI accessed for read	content://com.android.calendar/events	com.tencent.mm

description	ioc	process
URI accessed for read	content://call_log/calls	com.tencent.mm

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.tencent.mm

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.tencent.mm

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tencent.mm

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.tencent.mm

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.tencent.mm

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm

com.tencent.mm
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the calendar entry data.
- Reads the content of the call log.
- Requests cell location
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
PID:4545

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Location Tracking

T1430

Protected User Data

T1636

Calendar Entries

T1636.001

Call Log

T1636.002

Contact List

T1636.003

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.tencent.mm/app_mph_dex/classes.dex

Filesize
7.8MB

MD5
12e509d87e236c935a00f09fa91e5ffd

SHA1
a192c084e896897c10b5d1571f4dbe9be74ed336

SHA256
e73f2e1d8c2733940800d5807a8a035906f0c57428e95aabe44e4945479d15b9

SHA512
a344f2d805b3f2c73eb293f42179ab0c670312874639e8b82cca0ca32342fac865a4afc3f365a261a8cac62abe5c8302049d049dc2c64c6f329ccf08da8aa7e6

Download Submit
/data/user/0/com.tencent.mm/databases/Dname

Filesize
32KB

MD5
1854505a3f6d683ed7eb81612934370c

SHA1
4f710add9a652d2fb92b7ce45589e27bf03f0b2a

SHA256
8100330a266f3027b929ea1bde99440ce4a544c9d9a0abb2ef0d1a73aa4cd9a4

SHA512
104a6e9c840b1fddd22ae579624a549c911abfbb48dc4454d3d231619c41a9abbf22f0dc5362a80c8c8245cc18566661f3645ac48c61259132886d4bf4678962

Download Submit
/data/user/0/com.tencent.mm/databases/Dname-journal

Filesize
512B

MD5
189d6a1fe3adea79856566eb9229ca9b

SHA1
fa72fbc5f56855aa3789b84c51f09d24baa0f7b0

SHA256
f93674f28bce489129b7f1575c402ff736159df03fc2a92b4354521f588a9ec8

SHA512
ebe53d3ab3eff3e5bd4a5fe35378dd46675b57f2afa71389fd8c35cb48bd7266ff1ac9a38910d041e5d841170d7032cf351006310d51a75ac611f254a0bbcc46

Download Submit
/data/user/0/com.tencent.mm/databases/Dname-journal

Filesize
8KB

MD5
4d9c237ebeb3f1f7b556e17246a450e1

SHA1
19631fbdeafe7a466db51f604855c6023ac73a5b

SHA256
ab757545919b2b89a36beb3532c8aa89379c862f9fb9e89c14cfebb1c89e5142

SHA512
0a386455b7efcbd7b28dc9e562c4d781bf4fb583c19a01449d93a21f017c479dec017e5f40f99efcd452b9ce035cc3350473f339e6298b5eda8f1bffc90aa5cc

Download Submit
/data/user/0/com.tencent.mm/databases/Dname-journal

Filesize
8KB

MD5
52dcd531d4a5100311ffb6ce78e29633

SHA1
4a1440497db69d24281de609d110f43189171bdd

SHA256
8eba4d0c7d9abf058b09a0f1c814dfe3028551aefc449c525cabd469c943d88a

SHA512
c45e8cbe90db18c9d609fb4b5e17dc9878a59f21000777eb0adbc4696fb39e1825a2be8cdec1e71716ef0e0469f2c438f77f9cb58e20e2fb365b426c3f87b114

Download Submit
/data/user/0/com.tencent.mm/databases/Dname-journal

Filesize
8KB

MD5
043cb998825549a53d547dc665a90a06

SHA1
484d3462044b1a3ff46beba01f54de08bef4ab47

SHA256
a7522d98a0d6c9c74d150bbe242a8393f61273727ecf3c9a8dce49836f681ead

SHA512
951dd290bf755a695b551acc047cd0b939c79091db349a74dd941b356bf17766dc54eff74ea4495a63cce15cd6a7d698c099381dc2a06393dc49ed08cbbb30f5

Download Submit
/data/user/0/com.tencent.mm/databases/Dname-journal

Filesize
8KB

MD5
9bc7b6fcc39fb4ebe85217eaa4a1e4d3

SHA1
408fed5b34cd00c428cf2c1139b0bf0058c80113

SHA256
6afbdfc99651d57c4c863c5efc3504e31f335871847bc5d7a927318675b660df

SHA512
ca9c488bfc2ab6715d46450310658afc62d4401aaa482813654072d521b57d6e746af4d9ab9539ca945ee700505bcf5e976b6dca229e1819f64d5282314b1495

Download Submit
/data/user/0/com.tencent.mm/databases/evernote_jobs.db

Filesize
16KB

MD5
4e4556252dfada8cf2e0a4d38d710788

SHA1
7a0241c780576bf4a66d7f20e50e3213aaee9ea7

SHA256
13921c0b657c6458c161b0f895ca817e86ba90a9ef7361ac110e9d56b0975621

SHA512
9460299956da4eaa03e0f7f11b92c2b50738baec4ccf1d76164417297bd56b13de2b6f4122af66f6fa362e876b6e40149a54d00bd6ff15f3e8e95a5783711f00

Download Submit
/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
70660dadae683f49106f0c9af41a8407

SHA1
0c43cda3ce586cf735b7326a251dfb85c7de1174

SHA256
619830d16e83e63a60f2fe68f6471f9a3981a375a85e0a090f2c286b31aa8efc

SHA512
f3e27ed877c9f0877233e33462f46c352a10ad0e7cfb9a17d41d7d0e1d47aee1d80d212e1f2b256450cb61007318a728746d20d521499a0fa1090acdfe35c184

Download Submit
/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
a273736e41360a12a9c55e9eac674aae

SHA1
afe83a8a30139cce6ddf6e3dc377b6d35eedd295

SHA256
b1d2db972c43020e4f6f75e1c8a6db31399b17283c0a2e1c3538838dfd020b59

SHA512
f9d67780abccd97aa887a508bff0ea01dcbf19d8093cd1aac230ce72a91f6ff03176a788461bb8ccdd087e57a7b95499406d55fc03ecf021806e8940d8070dec

Download Submit
/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
512B

MD5
54e6209d68250ac1d819d0e9f2d9a66c

SHA1
3525fb1aa07bf58de874e6810eb874117629013c

SHA256
f139a1e78f139d197e43f34422578961ba91088ae5fa08064d17f69cd4113520

SHA512
07d50dd5d71ff43696863ce0d7b4dda359cb47a047926f8c7b74cfb3d8395a2dc14edf75b26ac090052b932ebe318d4709af17ba45c1b95a62ea4db174ad91b8

Download Submit
/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
4329245f6f299500a018e26ab7e8c294

SHA1
f78e395252af7dfb648afed88ea19882cd407cae

SHA256
7d219f707212f97d1656e2f49aa283a558e4b7e898d0822e752066f6badb1bbd

SHA512
83ebe2cb0e3e438ae1ef9a2c93cd62b36c5baabd465ae274eb6ac74ac8d9689de09522a2c3fdcfcca88eb6aa736904d4a949b83286c1c632684e9e75110035e3

Download Submit
/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
56f825cd6230a386da71e66a3e48e8b8

SHA1
da02e255b5b5125d9cc3965a9e29a5891a1d3222

SHA256
4611cc7106900b596bcfab63151d8bd1c680da598449e0bceb0ef9349dc5cc54

SHA512
3e2e46c07384f7430bd86eedc04305ed8ea9b06d6f6730d1d0d36c01ee85812e410395e02d45e0e978461b8c2e11cc95d20c9256964b568aff460de3f27104d4

Download Submit
/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
e5b866f01aa96bd9c1179a01bcf2f3c9

SHA1
e047eb66793a7ea9d5d6bfc142c128ab428f16ca

SHA256
0a0a9e7a826cfdc8f42f7b0a48af2e6ee1243f9c35dc92b202ec4c3f7769f39f

SHA512
e4db9c1538cc817be988fd3fd7f20f46af441ff0d0f75324dc7e0897694ad8a503548505768a605019075dc1e725349c0fe79b6e86393fbdca3a2c9fd1535b3d

Download Submit
/data/user/0/com.tencent.mm/files/CallLogs.txt

Filesize
3B

MD5
58e0494c51d30eb3494f7c9198986bb9

SHA1
cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d

SHA256
37517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570

SHA512
b7a9336ed3a424b5d4d59d9b20d0bbc33217207b584db6b758fddb9a70b99e7c8c9f8387ef318a6b2039e62f09a3a2592bf5c76d6947a6ea1d107b924d7461f4

Download Submit
/data/user/0/com.tencent.mm/files/GP.txt

Filesize
108B

MD5
cab93673721fb0b7efbbf66c4ead50d7

SHA1
0cd7f101485eb2dff9e7bbae7200fa71078f19a9

SHA256
523f47214b39efc1f0ca0a615b6cc078cf69b9f697b28441b720116faaaf3273

SHA512
9e9123c0e6f496f3fd89d8e0c36ccf97fe1eea3ad156864917cb4e2bb87f0f8f967a93ecb564e17a854a6d604fe0462550fb7ad0a63ff5f8efb93954189f2c27

Download Submit
/data/user/0/com.tencent.mm/files/GP.txt

Filesize
108B

MD5
d3f1390040375e8d2e89de55909a851b

SHA1
63ec911c106e2b8fc8e2b62b48eea5c439dd0253

SHA256
61a48bf9f9d0bf68d56d29ab5db53e9a258d693668b202288a1c23cb4064df8e

SHA512
437d2eb76f7fd8ec6554827f882c3050e7b7d488870106e4f0f5431d9be8b5295822a9415c3e2afa136a481c2f52d42a028b564adb3d6fe122699be88c3ced15

Download Submit
/data/user/0/com.tencent.mm/files/GP.txt

Filesize
114B

MD5
41aa38eaea60e58d57bc417226769bb2

SHA1
d46bb8aa01052d375e48387e052ce24c40bf17ec

SHA256
fb7d0a1de5bd34f38306930ca23805a270cc45242428987b4da435b27b675566

SHA512
03e1c1f6b13a10ab594338977a9d29f98b32190f1c7271da2be33b67ed203ad7a357abb82eab9818e7d59ef068d81161a1d98a27b16dcd2679f190eda6931eaa

Download Submit
/data/user/0/com.tencent.mm/files/Tree.txt

Filesize
566B

MD5
5ed6b9dada6553128e25dcffb903b555

SHA1
4e1a35a60f07d10712b4775c0696354a3a4be9d4

SHA256
9da9620654b39315e499d54cffba3efd38d2086d2a1bd3ee1cf3b007835bf8ec

SHA512
02afcce4d1c0d2781f415ef407008cd0a50bf5bf2a23bf78b7f9ce3ef19125788f291029377ae4590258f4e5e73ddf490c6417e179bae0cd3c680b9b9d497fd2

Download Submit
/data/user/0/com.tencent.mm/files/accounts.txt

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
/data/user/0/com.tencent.mm/files/netinfo.txt

Filesize
854B

MD5
ba0a5c47033e7de527ab732a64a347db

SHA1
6a8f93e2cde0010d47c83b0cf2b363a8173c24f6

SHA256
60ced0895e0d3e8c3a105c49443b9449a55ec7a0ede735ea13c90c3bc26dbcdb

SHA512
fac3bdbe602b6305dde5ad570e7cf8e30d7b5c71251e648b4678435a4081bbfabc82156499a7ce8df227e40f428e63dc847ded5d542b3fe42f424509db555141

Download Submit
/data/user/0/com.tencent.mm/files/pkinfo.txt

Filesize
10KB

MD5
df036b93426f886d1696210079b94938

SHA1
b593b3806d3d85257511959992013f6a4f543011

SHA256
6d9bb455edd9154e310a777aad0dde552ff995134e2321933a0365f9112c3912

SHA512
0d7eb6c0e5378a362a4bbebbc09f291080975c8ece8473d28c9cc9ec5b4a138f2fe19b09bc5d44cf17ec66a4f59dadb1de59ac8286cdc10a461e46491da01e29

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-08-11.txt

Filesize
12B

MD5
e48057c3603c907cacbe1568a7dbfc41

SHA1
6e100086b53e20e499a9be069aa1b452faf82ba3

SHA256
4b36685dbf772b2de007f4c98f824966f4f3a132075692d3d3d8f11e84e5468e

SHA512
787e1140832e8c308039f0287ee801c00040544d5241425b0c0c8e8dc19ecf3feefa50706723f7a21be209c13b24ab3dbe0691ec42118fdfe18611b13155fb9a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-08-11.txt

Filesize
267B

MD5
ca83936d0c0ffdb4a991046e32ccc956

SHA1
6d34827e6fd5b8f716cc5f7d7843b581713aeab3

SHA256
b50da55ec1fcb8d0589b49d5b3dfef915d77f3dbb24416bb1305441f81c507d2

SHA512
61bb1d4d033b0ddfa7ae802d5732c00af6db3aa5bcfbda0c60a0f12bd9fbbbd03123990c55d5abbd3d6e967471101b82e409f1620a73a3cf8c627452f61440d4

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-08-11.txt

Filesize
12B

MD5
a9256f55737b655c8cff95418411997c

SHA1
d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24

SHA256
bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412

SHA512
10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574

Download Submit