anubis | 0e79e23927bd675d2e878237f2d82032fe15e0e53418239d207aaef489819455

Analysis

max time kernel
124s
max time network
144s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
02/09/2024, 22:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e79e23927bd675d2e878237f2d82032fe15e0e53418239d207aaef489819455.apk
Size

4.3MB
MD5

3c9fd2fe7cfacfb798faeeb28a504657
SHA1

3a270ec00a4cf1492cbb5ccc7b4e5d51c0d6b327
SHA256

0e79e23927bd675d2e878237f2d82032fe15e0e53418239d207aaef489819455
SHA512

8c956afb08e397a010a6626882f252ed451b8fc587b2d59525899677f30c646edabc34f2785763d9f3061be07953a4129c0bad6972c8fd20891bf4ee25e4af44
SSDEEP

98304:KDbUwE0hl6O9UShq4P4PA/FOTBPG8578ndkG:sUkl9USpPdFOTBPMH

Score

10^/10

anubis banker collection credential_access discovery evasion execution infostealer persistence stealth trojan

Malware Config

Extracted

Family

anubis

https://google.com

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4254	com.tencent.mm

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4254	com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4289	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=42 --oat-fd=41 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4254	com.tencent.mm

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccounts	com.tencent.mm

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the contacts stored on the device. 1 TTPs 1 IoCs

collection

Contact List

T1636.003

description	ioc	Process
URI accessed for read	content://com.android.contacts/data/phones	com.tencent.mm

Reads the content of the calendar entry data. 1 TTPs 1 IoCs

collection

Calendar Entries

T1636.001

description	ioc	Process
URI accessed for read	content://com.android.calendar/events	com.tencent.mm

Reads the content of the call log. 1 TTPs 1 IoCs

collection

Call Log

T1636.002

description	ioc	Process
URI accessed for read	content://call_log/calls	com.tencent.mm

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.tencent.mm

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.tencent.mm

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tencent.mm

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.tencent.mm

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.tencent.mm

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.tencent.mm

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.tencent.mm

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm

com.tencent.mm
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the calendar entry data.
- Reads the content of the call log.
- Requests cell location
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:4254
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=42 --oat-fd=41 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4289

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Location Tracking

T1430

Protected User Data

T1636

Calendar Entries

T1636.001

Call Log

T1636.002

Contact List

T1636.003

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/app_mph_dex/classes.dex

Filesize
7.8MB

MD5
5bf990ee9c464573e2a580a10caf5a0f

SHA1
3e9800e1144c1462381bde44d3b74199ff3c66c8

SHA256
641e5c047fed322071577bddb70784103f11b89914a1e9d1af2a7a4575aa29f7

SHA512
0dcbdee94fee733a874fca7443b3eba648a33b1643879679a6247880f3ddc9b07649566e32084c39123e575d77aefcf9e59ecc55810be319f8e151719e23400d

Download Submit
/data/data/com.tencent.mm/app_mph_dex/oat/classes.dex.cur.prof

Filesize
571B

MD5
3f852672d6e3321786ac9c72ae951b8b

SHA1
07377928870469a48a43baccd2b4a0a8da108459

SHA256
cd25e4aa182c72377e03cec2744dfbe7d4a766192f683cc44432ac3e86792b9c

SHA512
64b5f1f9695760ada2836b4aad18a9c4c4e2272336408ce0d6a441fa0ecbb52e004fbfbb04861c048c9e4244a2749d2c89c0520844b12590c4df240313f74f50

Download Submit
/data/data/com.tencent.mm/databases/Dname-journal

Filesize
512B

MD5
348423edf82bab9876d52b7861e7faaf

SHA1
140e3b3cd11c0f57677cde8fde13ab84b8cc2f69

SHA256
dab77e4b1c5901f594893d98807e1fabf40bfca6e8e2614a56c8eb872b3a11eb

SHA512
c4559d557f0031c69bd93477e9e0254a8ff382bc6d527de4a2bbca9060b26b75776a127d4e41b3694657abe08a9a5d3557c5b4c1932df7609a27ee206ace1536

Download Submit
/data/data/com.tencent.mm/databases/Dname-wal

Filesize
60KB

MD5
f0e983c3a2be408590fe9cfaa64e4b4a

SHA1
7253a8ff762a6d22cfe53bb3a4abcb3b55237c70

SHA256
2a894c40c218f950377296d37fd7a4d9ddbd9d6815b52af7b1d724997aae09b2

SHA512
ecf67c9d418ce3b019b074d23a006be2f40f8f2e89fc0e66e552698b7e44d36d2c3ac5f753739149f2f5177d0188e60a49e636248ebd3b72237a882b93b3e678

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
512B

MD5
2876e7a4e14c903242f151d279c68080

SHA1
1c4a5069d55104499798783f5f66bba21676bcfa

SHA256
ec2c937e153afe7a8725903f2d76c14443313efb14c8bb77e1e033c1441e8ac7

SHA512
e864594fdf69ca20acd8194341b924fa0b6a9e9559cc20ec3b08263204b85c811ac4981e5b274adda1066435f7ef79c70996c74ab8090ea49cf72a3bd23e7721

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-wal

Filesize
56KB

MD5
5cfbd99e83430e696e7dda8e6cc672ee

SHA1
3b5c4fe0be3db3ca22cf25b13605902d410299e4

SHA256
12fd3a1f62eb793816a12d4b8edb16057e3bce40c0f5b8caf0be64ac56091455

SHA512
28a98d89a03075af348dec062bc3ac630baf5aaded87b8868ada84a45bd32d87ddb369578cc7959c4125e672d04854a1a9ae38471671c4503cdb42f19348912b

Download Submit
/data/data/com.tencent.mm/files/CallLogs.txt

Filesize
3B

MD5
58e0494c51d30eb3494f7c9198986bb9

SHA1
cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d

SHA256
37517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570

SHA512
b7a9336ed3a424b5d4d59d9b20d0bbc33217207b584db6b758fddb9a70b99e7c8c9f8387ef318a6b2039e62f09a3a2592bf5c76d6947a6ea1d107b924d7461f4

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
116B

MD5
3db6dc068ab517bceb0e53f43254bbcc

SHA1
5d2162d7008d6b4f0fcb33aecb31bba4ec60cce6

SHA256
eeac96a838de57963d8444101861e6197a13ccc7e9c0e00d5e59d38b333646b3

SHA512
ea84c8b1f98ffcbb56370cbc7016dd9af037c3a00b391fdba74b52f62d12684025f5c1aa448b15cbdeda082b1e25125e0bd21fa2e36a8bec6c7d6b54dc6dc006

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
126B

MD5
c72125c75fe14df48c536dbfb1d93c7f

SHA1
e978432d88ca53f6c66ac6b1bc546e753b09589b

SHA256
11ce61b1336a7023c06af2e04f2feb067241258a6a95d738d25f89c78994759b

SHA512
66b235c2cdfcc98442a372c490d03f0eec190d117007d1d1b16d26fd97407a16ddfd253140a98917f093862a0a44d471f58115e74b5ebc220752b089be75d12a

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
116B

MD5
fc467df4735d22b27cb531b499b120a5

SHA1
26e625a472142c882582c5dba70b3843de2ada52

SHA256
35a7e66f5b49b64d6e15440ec7cef7f0099afcfc1d7ad7a51a468acc3fed3b20

SHA512
2f869789a29f82ef97ba41a1836b2ddc167e2f25ba3b3179b3325f6ed881a36ce3780639aaa559ca5c7710034df47d2a4b4bf7db2d0519dedec021797de38c0e

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
126B

MD5
0b7ed7a4b2c323870b3eedec8e3a3153

SHA1
9316d7b0263f2f675093c354295af39c92f48ac0

SHA256
6e9fa322589957c653f264ec1ab3c0198bcb2979d7e8edb791c34b3e67dfe237

SHA512
fec0c6099545f8bf3062ef47ed860a0b745d17c47b5e6e69fc1c51b4720125d61dea2776f6b2284cff6653c30fc1a48ca219f004adc4294b4717e2c46c4ec72c

Download Submit
/data/data/com.tencent.mm/files/Tree.txt

Filesize
281B

MD5
ba5d96f3550228f40c26bcfa742e214f

SHA1
defc7906df37ff847483732d76651b5ef7383b6e

SHA256
317c60c17bc7928e909ccdba4e09dd0ec55b1124547b294c7a25ba258668e074

SHA512
763bfda24adf2837a29cee650a5efec386cfff9c5a447712af554dff5b42ce109e78364f12ffd93c377e5d3587a68fd695f3f40c695e22b05631369ee8984e7b

Download Submit
/data/data/com.tencent.mm/files/accounts.txt

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
/data/data/com.tencent.mm/files/netinfo.txt

Filesize
609B

MD5
76d82e703181880bf6656f3292d0d231

SHA1
59ad6e69e23620aa8c27fbeb81b989561add9c09

SHA256
01d3b335a711fa8a9dcf8c090dca5a4db17630f25af1db643ecfb4d7c2ec53f1

SHA512
1717a9d8f1504e26a7199ce6f5f842159204312339de5f4b89515e241937e2e534edc41c37a74291bf33af5eccd3472cc2fcd066a72affc16953364d748ea56c

Download Submit
/data/data/com.tencent.mm/files/pkinfo.txt

Filesize
5KB

MD5
b347f6188ee025209e17f01cfa375d5a

SHA1
098682537f524c32d6be1e2a99b6a8a3e1b320d8

SHA256
7fece2f8e545a48c3b15c5cafa9a903c9bbe86de0320da217e856566bee13bec

SHA512
88a026ab14001c6ad2c51432870691bcc2c95d2e1497380af1b1ce1c80bbbcc94a4f6bccee31a9edfec3ccc634a89f0b910b0ee0b9a75cba6be555ea37d52ffa

Download Submit
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex

Filesize
7.8MB

MD5
5f162a504b65875b7752b87b64d10cb4

SHA1
51283d8bb1c9c0e40b150f813e553e0aa97d964d

SHA256
e43100018967cd60b90822026f4650a4d6afa144f8d24e07180dfa26cc4d0ed1

SHA512
f920ccc157e931400413aac063f49388587b79fa6d6fa7f14c4ad95524d65a973ef375c22261b75ce8a8a171c553ab5ba0f7868df5a060a920f13287e9121195

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-09-02.txt

Filesize
12B

MD5
a9256f55737b655c8cff95418411997c

SHA1
d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24

SHA256
bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412

SHA512
10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-09-02.txt

Filesize
12B

MD5
e48057c3603c907cacbe1568a7dbfc41

SHA1
6e100086b53e20e499a9be069aa1b452faf82ba3

SHA256
4b36685dbf772b2de007f4c98f824966f4f3a132075692d3d3d8f11e84e5468e

SHA512
787e1140832e8c308039f0287ee801c00040544d5241425b0c0c8e8dc19ecf3feefa50706723f7a21be209c13b24ab3dbe0691ec42118fdfe18611b13155fb9a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-09-02.txt

Filesize
267B

MD5
cb0b0c34caf7d1ecdf4b2c506fd566d3

SHA1
80f7d29156890eca87a10ca1b8fdece867d9b7cc

SHA256
a8012788df8b83994d196fc55884affe5ccbcc27de5550959b57cec030d3c1ef

SHA512
a6d462191b37097a75d0c0a9328e94232981d69ee610ec9fd011bbf636bebeff6bc9a51d8a3936474c1295dab0a7257ee1122c41f926f090e7f2428c2626f484

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads