Analysis

  • max time kernel
    124s
  • max time network
    144s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    02-09-2024 22:04

General

  • Target

    0e79e23927bd675d2e878237f2d82032fe15e0e53418239d207aaef489819455.apk

  • Size

    4.3MB

  • MD5

    3c9fd2fe7cfacfb798faeeb28a504657

  • SHA1

    3a270ec00a4cf1492cbb5ccc7b4e5d51c0d6b327

  • SHA256

    0e79e23927bd675d2e878237f2d82032fe15e0e53418239d207aaef489819455

  • SHA512

    8c956afb08e397a010a6626882f252ed451b8fc587b2d59525899677f30c646edabc34f2785763d9f3061be07953a4129c0bad6972c8fd20891bf4ee25e4af44

  • SSDEEP

    98304:KDbUwE0hl6O9UShq4P4PA/FOTBPG8578ndkG:sUkl9USpPdFOTBPMH

Malware Config

Extracted

Family

anubis

C2

https://google.com

Signatures

  • Anubis banker

    Android banker that uses overlays.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Reads the content of the calendar entry data. 1 TTPs 1 IoCs
  • Reads the content of the call log. 1 TTPs 1 IoCs
  • Requests cell location 2 TTPs 1 IoCs

    Uses Android APIs to get the current cell location.

  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • com.tencent.mm
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Reads the contacts stored on the device.
    • Reads the content of the calendar entry data.
    • Reads the content of the call log.
    • Requests cell location
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:4254
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=42 --oat-fd=41 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4289

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.tencent.mm/app_mph_dex/classes.dex

    Filesize

    7.8MB

  • /data/data/com.tencent.mm/app_mph_dex/oat/classes.dex.cur.prof

    Filesize

    571B

  • /data/data/com.tencent.mm/databases/Dname-journal

    Filesize

    512B

  • /data/data/com.tencent.mm/databases/Dname-wal

    Filesize

    60KB

  • /data/data/com.tencent.mm/databases/evernote_jobs.db

    Filesize

    4KB

  • /data/data/com.tencent.mm/databases/evernote_jobs.db-journal

    Filesize

    512B

  • /data/data/com.tencent.mm/databases/evernote_jobs.db-shm

    Filesize

    32KB

  • /data/data/com.tencent.mm/databases/evernote_jobs.db-wal

    Filesize

    56KB

  • /data/data/com.tencent.mm/files/CallLogs.txt

    Filesize

    3B

  • /data/data/com.tencent.mm/files/GP.txt

    Filesize

    116B

  • /data/data/com.tencent.mm/files/GP.txt

    Filesize

    126B

  • /data/data/com.tencent.mm/files/GP.txt

    Filesize

    116B

  • /data/data/com.tencent.mm/files/GP.txt

    Filesize

    126B

  • /data/data/com.tencent.mm/files/Tree.txt

    Filesize

    281B

  • /data/data/com.tencent.mm/files/accounts.txt

    Filesize

    2B

  • /data/data/com.tencent.mm/files/netinfo.txt

    Filesize

    609B

  • /data/data/com.tencent.mm/files/pkinfo.txt

    Filesize

    5KB

  • /data/user/0/com.tencent.mm/app_mph_dex/classes.dex

    Filesize

    7.8MB

  • /storage/emulated/0/Config/sys/apps/log/log-2024-09-02.txt

    Filesize

    12B

  • /storage/emulated/0/Config/sys/apps/log/log-2024-09-02.txt

    Filesize

    12B

  • /storage/emulated/0/Config/sys/apps/log/log-2024-09-02.txt

    Filesize

    267B
