anubis | 98051f1bed4b9922908522842ca65e92099725c2dac44b78316caaf525ae4491

Resubmissions

16-09-2024 13:32

240916-qs14qazdnh 10

16-09-2024 13:26

240916-qpxbcszepn 6

Analysis

max time kernel
101s
max time network
146s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
16-09-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Indian Girls Viral Video.apk
Size

4.3MB
MD5

31c7c2c645b8d568ffe4ae757fb7bcec
SHA1

790db635892710108f5352c9088ac88a578ac716
SHA256

98051f1bed4b9922908522842ca65e92099725c2dac44b78316caaf525ae4491
SHA512

0ff6239a13d3f473f2cc3a4dfa1c0b15fffd385cff13fce887e18b6399beaa0d47b1e12069f185f4336324a1307594264878aee60a1d01c63e95f8303ac99408
SSDEEP

98304:qfYMQWkZNz2GKsglGc+vx0lTeHuCUXW+cs/Re6EDPX7:6eFLppgcc+vKlTZGDs/Re6ED/7

Score

10^/10

anubis banker collection credential_access discovery evasion execution infostealer persistence stealth trojan

Malware Config

Extracted

Family

anubis

https://google.com

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.tencent.mm

pid process

4250 com.tencent.mm

pid	process
4250	com.tencent.mm

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.tencent.mm/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4250	com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4281	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4250	com.tencent.mm

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.tencent.mm

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

com.tencent.mm

description ioc process

Framework service call android.accounts.IAccountManager.getAccounts com.tencent.mm
Reads the contacts stored on the device. 1 TTPs 1 IoCs
collection

Contact List
T1636.003

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://com.android.contacts/data/phones com.tencent.mm
Reads the content of the calendar entry data. 1 TTPs 1 IoCs
collection

Calendar Entries
T1636.001

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://com.android.calendar/events com.tencent.mm
Reads the content of the call log. 1 TTPs 1 IoCs
collection

Call Log
T1636.002

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://call_log/calls com.tencent.mm
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

com.tencent.mm

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.tencent.mm
Acquires the wake lock 1 IoCs

Processes:

com.tencent.mm

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.tencent.mm
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mm
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.tencent.mm

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tencent.mm
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.tencent.mm

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.tencent.mm
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.tencent.mm

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.tencent.mm
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.tencent.mm
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.job.IJobScheduler.schedule com.tencent.mm

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccounts	com.tencent.mm

description	ioc	process
URI accessed for read	content://com.android.contacts/data/phones	com.tencent.mm

description	ioc	process
URI accessed for read	content://com.android.calendar/events	com.tencent.mm

description	ioc	process
URI accessed for read	content://call_log/calls	com.tencent.mm

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.tencent.mm

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tencent.mm

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.tencent.mm

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.tencent.mm

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.tencent.mm

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm

com.tencent.mm
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the calendar entry data.
- Reads the content of the call log.
- Requests cell location
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:4250
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4281

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Location Tracking

T1430

Protected User Data

T1636

Calendar Entries

T1636.001

Call Log

T1636.002

Contact List

T1636.003

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/app_mph_dex/classes.dex

Filesize
10.6MB

MD5
302e71be0e6d47632c3769c72da585b7

SHA1
124f1bb806acff41157abef543a838ff0ce53b07

SHA256
66fbdef34021b43ecf328360a6e50ed2fd2fb6c2d568e15775027234649c1a6e

SHA512
8743061a172d844b0d397930c17c4153df4a895cfe2845d58fea3fcde4ce66aa94d1ba1d5a0ae4859772b57b7fb4c777cfa4c2681c3309ceff450cec234ce7b1

Download Submit
/data/data/com.tencent.mm/app_mph_dex/oat/classes.dex.cur.prof

Filesize
578B

MD5
1afec552331193c782ca67b2eea58ca0

SHA1
005188e44de8043945942172029669dc25c665b8

SHA256
912422c0ed1e99d952796f1345a798707ebc7f4ad08b7e7a6feec57a6093b1ac

SHA512
98904a58fe0d0821065094f05cd8d441345449e99df9fd529142d75ca29bde83935878c8eb9909838f86a4f1d1430e1a7e1ac69446d6adece011835cad172255

Download Submit
/data/data/com.tencent.mm/databases/Dname-journal

Filesize
512B

MD5
dd13ac0a0bfcd71f718d9f62b738bf7f

SHA1
8eea7edc9cb8001fa201ab67a86c12a91e76d0b3

SHA256
634404565a1d2d033f428a42a65be762cc465e9f3137f201b5e4a9b29765af89

SHA512
61067d9b093afb56ec83ab65a42307a78ae76e2f2669f86893bd2ea65bb6e1308cebd94e3475e21e5a600c0b9e7a5c9eac02e17456aa19ce0a5ceafa729f40c2

Download Submit
/data/data/com.tencent.mm/databases/Dname-wal

Filesize
60KB

MD5
d59362d84c38370eb9b7dbd8288e6dd4

SHA1
a58a96e491d9dc38aa1066fd2ac9f46d0c4ed9f7

SHA256
98fe917b2f0f63aa230735c4abc418cca0dddade9dad7acccdc0a3c4cb3cbef3

SHA512
fc77dd35a1052530f6df293fb608071982d928778ed900afcc88a4edfbc105bd9dd2d071ffd8bc43bcd2383fd1b65d8f6574d72bf5460b655d6b22b0b527b302

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
512B

MD5
ec979e53aff02178119291abf2b74d84

SHA1
140f0545a22f678979a6197264266b3bad097c1e

SHA256
81b6bb48a7432de5fbfe41daf5dd4fef8aaf29e644ea6a50d9bcb962e794d1a5

SHA512
2b9dbe7b08e7de18a63ca7c655d9809681d76b1393bfb34eed47abc39c4dc23a49a7b54ad991e71bc0c962708002263d48bf3f291f1168ba166c4067a4b1ef1c

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-wal

Filesize
52KB

MD5
e5d73f561803e232c96b9b6e19173959

SHA1
ca3b5b11abd77eb48045b19ca902b1a745e0c0f9

SHA256
979b4179b2dd2c2e8a4db34bd7464a1110c08832b59d7e4cf571ef9b43cf11a2

SHA512
968dba65919bef68553be2f7b370408134304f3ca9ddc8e57ca25f4a9ac6d56293ece3ffece61330d18ff242df22135f3abbcd2b4e83f29a5b630a52ae06e2c2

Download Submit
/data/data/com.tencent.mm/files/CallLogs.txt

Filesize
3B

MD5
58e0494c51d30eb3494f7c9198986bb9

SHA1
cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d

SHA256
37517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570

SHA512
b7a9336ed3a424b5d4d59d9b20d0bbc33217207b584db6b758fddb9a70b99e7c8c9f8387ef318a6b2039e62f09a3a2592bf5c76d6947a6ea1d107b924d7461f4

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
116B

MD5
f86149387181ecb768c7715ea0d3c3e6

SHA1
1b60f6535341ed233627d3bb93de2a83d119ea91

SHA256
88f1f62086caade160fef0a5a86c16a138609347a8f4eacca4cd928196aff1f7

SHA512
c68a6d0b72d033d357b1463e39263d436940d5766c17551e86071fc86f31eb65867cba1bd2891c3191dfad65ddc828107dfd34ed97832f4a460f805199bb1ff5

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
126B

MD5
d57f9c9aac043f3574717b3c0b083d74

SHA1
409bbc05323b1467cbc4a84cff826c0cf4cd3313

SHA256
0ef40b70ceb12ba6c1270a9fe83bacdc96a65cb608cb7fe0616a63f1d23942e0

SHA512
ce7fa994f4111a4af5cb861150257de4a75dc6a4fbdd4010427a04285aec189384a7eb9c40d1d7f05791d9ebd02b49b68c6cf4824659b0da4d9846f055016c69

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
116B

MD5
766c70c571b6fcf6969e1a8ea679cb03

SHA1
5f7fb1724054861988c4af329380e4e1aec729f5

SHA256
1703882ca71b499669658a5bb731b10daa8d8e2c57e22b21d5af63938c66fdad

SHA512
43598f68fcd993beb424188c9a2b7aeef070d238a200c49d1c5b6e6538049271845a3971dffb2f3d5b5942bdd8f6edee65f57d4f7e82c52746e745594bf71091

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
126B

MD5
2d3c015a27a93f9184e832b357d794c6

SHA1
8e25716369c3f68a93c6a108475cc16a3eacaa42

SHA256
ed75475feb882ae0e08671e59357233286782b92d2370f548efd2cc9b9e46c57

SHA512
65c9d59d875a38549d7e264324cfee784dd4975cc6dbe5bbe6a1b3aa0b07e11c5eb2e3a52ac2ddd6ca46eb4c0489538e43b2fd467b685bd7bf48b69a4f627f47

Download Submit
/data/data/com.tencent.mm/files/Tree.txt

Filesize
192B

MD5
91bd52f4107d5d9b8e6d7f0a588f3fe3

SHA1
684b3d3baaff81b943f13e88f34d617dc68a115a

SHA256
cbe172d250080ac727c64125e09e7f18f6325a84eac24803d008d86d76b84781

SHA512
26af7c7a7565a7220ec8fa21961ca6926df83540c9adef710c3dafbe85b2cc4aea8842cb613b7947aecfa696e102cfc7a235b5b50cb4e440eafd15464808e3c9

Download Submit
/data/data/com.tencent.mm/files/accounts.txt

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
/data/data/com.tencent.mm/files/netinfo.txt

Filesize
609B

MD5
3bba645de4de20c0f362329de0398745

SHA1
42e31f8001dccac764a66ec2ba22e65d1d6c4660

SHA256
a2b3ed642aeda59e76102a34cf7ce8e5a3688dbb68d7321c2cf7c56d1a37addd

SHA512
68fd4d8d78045a933f4c45dda3a5d1b3d6357ca4fbe3e1622b5d46d39b1634f6e8ae6c2b2f49f26e00d435b6d4052b234f876c188f34e37a6c8c13dd1874bd50

Download Submit
/data/data/com.tencent.mm/files/pkinfo.txt

Filesize
5KB

MD5
b347f6188ee025209e17f01cfa375d5a

SHA1
098682537f524c32d6be1e2a99b6a8a3e1b320d8

SHA256
7fece2f8e545a48c3b15c5cafa9a903c9bbe86de0320da217e856566bee13bec

SHA512
88a026ab14001c6ad2c51432870691bcc2c95d2e1497380af1b1ce1c80bbbcc94a4f6bccee31a9edfec3ccc634a89f0b910b0ee0b9a75cba6be555ea37d52ffa

Download Submit
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex

Filesize
10.6MB

MD5
f81febe1ce21523f67265f756a5ec62e

SHA1
b288942255fe4c18a775125a553746985a95db27

SHA256
598cdb3ba743f75ef70bf40cf1a6cfa8bea8d6e5b47c208b7c6bcfce9d7a64e2

SHA512
4fc06dc8e731e4bd7f95226f8a71585fd9c5365ef26d1e2bacdb694c9f04a49f210c30fbcb60db2e4c0d352a38645dbad6aa448ecd93bddbc35d69aa44352864

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-09-16.txt

Filesize
12B

MD5
a9256f55737b655c8cff95418411997c

SHA1
d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24

SHA256
bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412

SHA512
10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-09-16.txt

Filesize
267B

MD5
91b5aca866bda8e43d1ac1ca383e67a4

SHA1
adb4d6e02127fd7b761e7aa3b84f30718fc46116

SHA256
e16573fe57bc7363545ead4a556baf75ad2a1655bda9dd891bebbb7120924b66

SHA512
564a2f6b94125577f4988c111d37ad119d4abfbb9c1ee21c3205559c5964a57aeedb67dcc7934b8d60c0c48dd5e1ffe3e9a23eedc6f84db08e3a8e8ae76e20f5

Download Submit