anubis | d2cc71f8892b070b6505379b5a7e4fda802a701c8c36369fadbab995f4d5a811

Analysis

max time kernel
120s
max time network
182s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
20-08-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2cc71f8892b070b6505379b5a7e4fda802a701c8c36369fadbab995f4d5a811.apk
Size

4.3MB
MD5

792f4385bdfde90e59c7673b141439c2
SHA1

685b47a9b0224c52f7a6f94b1576a3a55a59b93f
SHA256

d2cc71f8892b070b6505379b5a7e4fda802a701c8c36369fadbab995f4d5a811
SHA512

43673e059244ee872484556340d6e19608dd312965de6d98d5fb8c3d82b7ce2aa29090cd77529240c369386b80a13ea9c405a6bb0dcc3db8e0c75373144028f6
SSDEEP

98304:gKE8ZJcovFzt3q2LnG2QRRaxSX0pV4DB+Q56XfSxrG7v:gcZ2aFzN5L2axMoF6hU

Score

10^/10

anubis banker collection credential_access discovery evasion execution infostealer persistence stealth trojan

Malware Config

Extracted

Family

anubis

https://google.com

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.tencent.mm

pid process

4267 com.tencent.mm

pid	process
4267	com.tencent.mm

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.tencent.mm/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4267	com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4302	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4267	com.tencent.mm

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.tencent.mm

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

com.tencent.mm

description ioc process

Framework service call android.accounts.IAccountManager.getAccounts com.tencent.mm
Reads the contacts stored on the device. 1 TTPs 1 IoCs
collection

Contact List
T1636.003

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://com.android.contacts/data/phones com.tencent.mm
Reads the content of the calendar entry data. 1 TTPs 1 IoCs
collection

Calendar Entries
T1636.001

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://com.android.calendar/events com.tencent.mm
Reads the content of the call log. 1 TTPs 1 IoCs
collection

Call Log
T1636.002

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://call_log/calls com.tencent.mm
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

com.tencent.mm

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.tencent.mm
Acquires the wake lock 1 IoCs

Processes:

com.tencent.mm

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.tencent.mm
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mm
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.tencent.mm

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tencent.mm
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.tencent.mm

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.tencent.mm
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.tencent.mm

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.tencent.mm
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.tencent.mm
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.job.IJobScheduler.schedule com.tencent.mm

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccounts	com.tencent.mm

description	ioc	process
URI accessed for read	content://com.android.contacts/data/phones	com.tencent.mm

description	ioc	process
URI accessed for read	content://com.android.calendar/events	com.tencent.mm

description	ioc	process
URI accessed for read	content://call_log/calls	com.tencent.mm

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.tencent.mm

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tencent.mm

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.tencent.mm

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.tencent.mm

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.tencent.mm

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm

com.tencent.mm
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the calendar entry data.
- Reads the content of the call log.
- Requests cell location
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:4267
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4302

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Location Tracking

T1430

Protected User Data

T1636

Calendar Entries

T1636.001

Call Log

T1636.002

Contact List

T1636.003

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/app_mph_dex/classes.dex

Filesize
7.8MB

MD5
cf76aa9b507b66afe99c433f641b0fca

SHA1
87cc62d9eecd9fa93a9cc0cfa3517340ba83a6f9

SHA256
296ca795f754a9b936b7369767c6eb12e84533e62dc8c0d0d766f48c36bfff3f

SHA512
03ea7220a1e10d4e29fc65fe0100fa5db228a74b84280c0d3903e1b938a927161a46be11a5820e2cb742145f1fa941a2ba1113e24c586341c7a25c4a2dfa3dc5

Download Submit
/data/data/com.tencent.mm/app_mph_dex/oat/classes.dex.cur.prof

Filesize
584B

MD5
77c7d3eb525ad30676e2ebcfaf182e9d

SHA1
618bf3518f4603ad050e480899537d3b5a359c54

SHA256
1a24728c219a9dc2673eb244920eacd2caaf2e3de80a9eec4c8431866edc9629

SHA512
3ae79275a4cb95fca146700254969ef1f32541f8fa1e875ff12ec96c89b3db0aa1d6d086801874001309cbc1f5e8f56af090529d48a9fea07acc4416e34a9de4

Download Submit
/data/data/com.tencent.mm/databases/Dname-journal

Filesize
512B

MD5
204276c144b54a9522908a7c03c0c3e4

SHA1
d94d1fabc899afcef76b8561cb0f99de873a6639

SHA256
110185939274feb38946cf165fb71698155ab7ade932ec813b300501d49248f3

SHA512
f631e9126196f4be18bb6323ba3d544c6183155333cfede2104ae0cc19a49566fd1ccd8f11f61357de498b5672cf4069fbd83b92177c45baa489c7b1514c6177

Download Submit
/data/data/com.tencent.mm/databases/Dname-wal

Filesize
60KB

MD5
3d21038e980eff9f3e2ce49907254b32

SHA1
3dce01e4722c0c6c43d2678d6ae9721d67c835eb

SHA256
1632a441e1b89aad7442fffc52a8d736ddd56339a2a809258cf9995d64fe9c5d

SHA512
feb51222c300160cda2f88cd1e5efc89a792a2c75ae0dc19d9567629db8bde20aa591002011635871183730139a16df251359c6f035892e085245cc16bbdbf8a

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
512B

MD5
29a6651fa0b7df2f414a57e4742527d7

SHA1
cb1b34db6df0ee3819fd3c11690430d825eab80d

SHA256
fdabec377dfdd5f0cee49921c5a17866daf2fd1ef33fda22fa852542a093afdd

SHA512
3d68ef14f503bda9f4fb9e6e2c9612ec721859978fb745b4de554dcceec6aa7891532bf3011df2637b44e5e10a1ac6e17b29f40ddc977176bdf0437afe38a23c

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-wal

Filesize
44KB

MD5
8e950c19a6ec6531143605427b034b2d

SHA1
03bbc1010397d1204163520a69b1e0b63bf84244

SHA256
bd8c97bbd13da9a97bf746441653f69d72efa39c67ecd26341992583bc7f622e

SHA512
6071e56c42f8b489f8b57e21820dda20458353006aec194053439e6bc23c66af395a709e2d1464782ba083b14f952bbedbf8ac412c9629285a81c903dcd989f1

Download Submit
/data/data/com.tencent.mm/files/CallLogs.txt

Filesize
3B

MD5
58e0494c51d30eb3494f7c9198986bb9

SHA1
cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d

SHA256
37517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570

SHA512
b7a9336ed3a424b5d4d59d9b20d0bbc33217207b584db6b758fddb9a70b99e7c8c9f8387ef318a6b2039e62f09a3a2592bf5c76d6947a6ea1d107b924d7461f4

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
116B

MD5
acfd013804b57db782e9dd13391d117c

SHA1
ed5b6a1e8086c031003c38030164fcd0a0e006b3

SHA256
d912be16d61542a4caf5827c1346926fb56dee229c3202a986b649210eeee978

SHA512
a9f11a4883bc63219c1269bea6ed88314ad14a4e59f800b35aa63a794ce00efd31b9270e36339f4c9279cdd1044d33ce3114b6f6efd816cc4d5b41aeda26360c

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
126B

MD5
1bbe1065910899a146cf6e471f9fd5f1

SHA1
fac2d030f2acf9c83207036feab99cd8c7cc663f

SHA256
dc3c733c2458b7167a175866447079fa9410ad3e342e31b6f1f7f4383be6da11

SHA512
62b3ff0f4e6aefc1d3b2b4a38f59346116df5fbd5b7edfe0e2d67817301cb6fadcca32a4a10b0fb1b7f2a4e3d408b81404ac09a43ba863e4fb93d79e569ec14f

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
116B

MD5
3333409d4e64716af63a5c8f97ad1e7c

SHA1
bcffd9fee547040f0b51b07d9906681eb87d3182

SHA256
146748116c790bc15fec6c0fce39fc5bbf51ac804bfc9f8a5218136da7551363

SHA512
18ac531ed56e9d2c05d200b6d46f3aa106277a2488db68855ba72b27368a4ef19594e63abf39ad1543ad03334ffd32cfd6b0f1d47360ccac8ea96754cfae4611

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
126B

MD5
312bf1f5a3dd2f0339d7e8813125fabf

SHA1
79ee837d04f7e2a113d5f119e5b8a12f53378774

SHA256
ab36e6c553c060b0da162290a0db3b571211681811d0af8d575c66c83702976d

SHA512
306b907def5397de18d0436a1e533354f3a99225378b485cabdb9fd1503452263f0052c3fd7af3b703c0eb8c99472b778072c1d90bf04cad9790b9c6d37fb423

Download Submit
/data/data/com.tencent.mm/files/Tree.txt

Filesize
281B

MD5
1a46cb871de0fd5e9f8d0f017d30ca97

SHA1
8136d99436ed3767402ed8e5ef26b307597ed399

SHA256
a80442db42bdfd8b98f682656f93af5382f9881a38ad0af140adf55e981b69c4

SHA512
7c28a23ee66fe18b2548c7c5ac8abb1254617455fdc8dee06e85b0feff91b1ed6c3db7a73846da8be886b8a15adbf0b44a0a0f197251851212fdfca5d05678e0

Download Submit
/data/data/com.tencent.mm/files/accounts.txt

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
/data/data/com.tencent.mm/files/netinfo.txt

Filesize
609B

MD5
3ab1c70d62d68959ec8e5d10c5cc1db6

SHA1
db2b3eecfd5df7ce0f0a56bc5e7944aa0f063b5e

SHA256
276b07d5326c717205ebaccd83641af72c269888f5928ed1b1150a171bf229c3

SHA512
7aab0ac487b25b42c5ee312dc1df975d349e5a485a1f38748896fff554eaf0d2a28c9a40ba1e27e8416a6d2cac7c0ce23aa3c682d4b7c46b59ccf20e6c8a5ad1

Download Submit
/data/data/com.tencent.mm/files/pkinfo.txt

Filesize
5KB

MD5
b347f6188ee025209e17f01cfa375d5a

SHA1
098682537f524c32d6be1e2a99b6a8a3e1b320d8

SHA256
7fece2f8e545a48c3b15c5cafa9a903c9bbe86de0320da217e856566bee13bec

SHA512
88a026ab14001c6ad2c51432870691bcc2c95d2e1497380af1b1ce1c80bbbcc94a4f6bccee31a9edfec3ccc634a89f0b910b0ee0b9a75cba6be555ea37d52ffa

Download Submit
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex

Filesize
7.8MB

MD5
bab6945e5a9bcab7018047cccf95e935

SHA1
d60480af648243733a9b77b121aa0be8b4feaba6

SHA256
8a84da78f39b75d678d68678d0838b17e4eb626d2909fc4ea55fe9ff958c0fa4

SHA512
08293f48fcaf749b5a2161417d1e8b503783445e941162d6a87f2a70d538a4c8fb362d03f512ee13d4a2ab0e1b26ae6a6de03f15e1fa731f87efa14228bd308a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-08-20.txt

Filesize
12B

MD5
a9256f55737b655c8cff95418411997c

SHA1
d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24

SHA256
bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412

SHA512
10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-08-20.txt

Filesize
12B

MD5
e48057c3603c907cacbe1568a7dbfc41

SHA1
6e100086b53e20e499a9be069aa1b452faf82ba3

SHA256
4b36685dbf772b2de007f4c98f824966f4f3a132075692d3d3d8f11e84e5468e

SHA512
787e1140832e8c308039f0287ee801c00040544d5241425b0c0c8e8dc19ecf3feefa50706723f7a21be209c13b24ab3dbe0691ec42118fdfe18611b13155fb9a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-08-20.txt

Filesize
267B

MD5
cb0b0c34caf7d1ecdf4b2c506fd566d3

SHA1
80f7d29156890eca87a10ca1b8fdece867d9b7cc

SHA256
a8012788df8b83994d196fc55884affe5ccbcc27de5550959b57cec030d3c1ef

SHA512
a6d462191b37097a75d0c0a9328e94232981d69ee610ec9fd011bbf636bebeff6bc9a51d8a3936474c1295dab0a7257ee1122c41f926f090e7f2428c2626f484

Download Submit