anubis | dbccdff96a947a5a461a9c794db7bf1e704dc5371fd6a3cb0bbdb412d0854818

Analysis

max time kernel
22s
max time network
151s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
03-10-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbccdff96a947a5a461a9c794db7bf1e704dc5371fd6a3cb0bbdb412d0854818.apk
Size

4.8MB
MD5

d98de9f671d6aa0174ec3ea0e0bddfec
SHA1

303e407a5b037edcfe39c56452c96064a0b48120
SHA256

dbccdff96a947a5a461a9c794db7bf1e704dc5371fd6a3cb0bbdb412d0854818
SHA512

7e322b4acacb0997045842ca9222cbbde8ffda0bd5ac808a0ce975c5fe4c75e13b2deb33cc1f7887e70ed11c2e2697d725a1cccb200d3d0fa1b61adfa25f725b
SSDEEP

98304:i+fYMQWkZNz2GKsglGc+vx0lTeHuCUXW+cs/Re6EDk:iGeFLppgcc+vKlTZGDs/Re6EDk

Score

10^/10

anubis banker collection credential_access discovery evasion execution infostealer persistence stealth trojan

Malware Config

Extracted

Family

anubis

https://google.com

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis
Removes its main activity from the application launcher 1 TTPs 3 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.tencent.mm

pid process

5199 com.tencent.mm
5199 com.tencent.mm
5199 com.tencent.mm

pid	process
5199	com.tencent.mm
5199	com.tencent.mm
5199	com.tencent.mm

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.tencent.mm

ioc	pid	process
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	5199	com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	5199	com.tencent.mm

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.tencent.mm

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

com.tencent.mm

description ioc process

Framework service call android.accounts.IAccountManager.getAccounts com.tencent.mm
Reads the contacts stored on the device. 1 TTPs 1 IoCs
collection

Contact List
T1636.003

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://com.android.contacts/data/phones com.tencent.mm
Reads the content of the calendar entry data. 1 TTPs 1 IoCs
collection

Calendar Entries
T1636.001

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://com.android.calendar/events com.tencent.mm
Reads the content of the call log. 1 TTPs 1 IoCs
collection

Call Log
T1636.002

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://call_log/calls com.tencent.mm
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

com.tencent.mm

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.tencent.mm
Acquires the wake lock 1 IoCs

Processes:

com.tencent.mm

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.tencent.mm
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mm
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.tencent.mm

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tencent.mm
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.tencent.mm

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.tencent.mm
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.tencent.mm
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.job.IJobScheduler.schedule com.tencent.mm

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccounts	com.tencent.mm

description	ioc	process
URI accessed for read	content://com.android.contacts/data/phones	com.tencent.mm

description	ioc	process
URI accessed for read	content://com.android.calendar/events	com.tencent.mm

description	ioc	process
URI accessed for read	content://call_log/calls	com.tencent.mm

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.tencent.mm

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tencent.mm

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.tencent.mm

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.tencent.mm

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm

com.tencent.mm
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the calendar entry data.
- Reads the content of the call log.
- Requests cell location
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:5199

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Location Tracking

T1430

Protected User Data

T1636

Calendar Entries

T1636.001

Call Log

T1636.002

Contact List

T1636.003

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/app_mph_dex/classes.dex

Filesize
10.6MB

MD5
302e71be0e6d47632c3769c72da585b7

SHA1
124f1bb806acff41157abef543a838ff0ce53b07

SHA256
66fbdef34021b43ecf328360a6e50ed2fd2fb6c2d568e15775027234649c1a6e

SHA512
8743061a172d844b0d397930c17c4153df4a895cfe2845d58fea3fcde4ce66aa94d1ba1d5a0ae4859772b57b7fb4c777cfa4c2681c3309ceff450cec234ce7b1

Download Submit
/data/data/com.tencent.mm/databases/Dname

Filesize
32KB

MD5
0ec8d5e24581e56eb01c45155efe2049

SHA1
4de2aebc5e22d0420e54cb553c2739e50481e50a

SHA256
5bb1fd7e82a28019975971aae5f49b0eb2ddef4a943663b654ede402d2f7f616

SHA512
23f87b81f1b49b80a88b1eab7d5e08e7001486b135bedc434601eed4ab74b72804ae4f907ede18213454dfa9da7058692b012861170306adbe6b12650dd51fd4

Download Submit
/data/data/com.tencent.mm/databases/Dname-journal

Filesize
512B

MD5
36e7fa8315daadcb46e46b0f4696bb98

SHA1
560305efec6e6cdf22f8e18ea3bf433068814331

SHA256
37120544aef3a2642a44334a5926eaf767beb0a9855e0810824f3e173fbc902e

SHA512
aa4780bc9fd92ecff3cff678e0a54a0f923464c209795e0b897fc7f802159a69b74405324ec878dc01b7fe97efd4259b4d154031c90b674c0ace41af43973808

Download Submit
/data/data/com.tencent.mm/databases/Dname-journal

Filesize
8KB

MD5
797ed9395b9148a859c4a38828799948

SHA1
6c7cc8127f1ac21b550c5f8f7ccd4bfaf913cbcf

SHA256
a8b3b291cb4c8da80b9e89ae6d51060990681345d1835c7f666c7b32efe3ef86

SHA512
90010e9275ae6b165772368c14624a7e712100adc5278fc285f8852b6d790fe268252e6e47d82192613d1b664453354a79f76683d95a493f70691b9d121a7325

Download Submit
/data/data/com.tencent.mm/databases/Dname-journal

Filesize
8KB

MD5
f84e31880cd9ea0153ecf9f8ca916bd8

SHA1
bab0dfab9086c67fb2644305cc0382b625e67b47

SHA256
eddb7feda4a94bbc6dce830534f1d8f1e9e460bf93f49c378a4c2d22f57dea05

SHA512
2d9195ce5dc6706979c7bc52637bc32f52577e78fe30d25b76d5ebc9dd71ae47ab772d6e8bfccfa804cf942ecf892afcdd4a8a862a4b880d6b2689fec693329c

Download Submit
/data/data/com.tencent.mm/databases/Dname-journal

Filesize
8KB

MD5
e4cc686b41ddfce000b9cdfb9e24a0e7

SHA1
5a8b1ccb03321ee2f6e5fe2510c927084c3b985e

SHA256
f46880d33a4f6f0c1d324ad09505ca0b9fd5aff2652fdafc5ff456af46aac2d2

SHA512
f74724cc52dda177993ed58a665f2556f33aafd198f19287f71fcd913524e5ab187966538e451158a9e053c7bf20302f054bfa2494668c81769bdb899fde1e2f

Download Submit
/data/data/com.tencent.mm/databases/Dname-journal

Filesize
8KB

MD5
4f51d2d07080820b88eb2d8b4bd290f5

SHA1
5818ec5caef5189a3225f10bfdf444dda9592325

SHA256
e25bc0507194d722ab9dde115864dbc2d324621c9bf95adbb391449cc58d917e

SHA512
a1734b99ff5ce90ef288950a69ed4df2cd37c19b2bcb5d15b913c0c1a45bb625a1ec62fa5dd3b8984384e12d8cf4deec6367603043f5c233118d57f7b5d8fe67

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db

Filesize
16KB

MD5
ed3083aed8a03f3def5aff2e2f50db5e

SHA1
c73275a67c5fca3e0fff4083e7b9ac7943c003c1

SHA256
3882cb53950db34603f49995d7fbb6e9de533460791f784f3e4544e3f8d9fa9d

SHA512
9e147f64706c8be409b6314d8a60fbda03d6dd13435feb0ed9962827765f35ea68b1f4d84cdb7f01eea3be0ed8bf2250ab30c97a025c5459e260a5ae0ff5c105

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
512B

MD5
1f8a14f0c5d567a671ea8bc28c50737b

SHA1
bca391dfeb79258df127f505bfb67aa42de0056c

SHA256
f8ef404236d75922ef2110c9a7b983d43018b15036f6e1e9c7411d23fe066c09

SHA512
64ef66674d246dd5eb6c91e8ca7d652da5de6df18ed1cddfede2e5950a4a03b2c5425e157fd75f2ae3dffaf7715eaa26b5359be385af4a58f39599453ff2c16d

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
dd2772291c329af61f05cf80cbd96f60

SHA1
6e801852f6561255dc03479599486d841ca8e0d2

SHA256
a77f1a16f2f1f8ce9d2fd6846b61a5ef242aef6183b50c865def11a5e57b2e59

SHA512
81654e14d7d65b0291e17b438acb3dc58c7fe9937491623bdeaf33fd16e2b0e2aac088f571b7e6678bffe0d2f1aed1aa61355b6b9225156309b712f7ea52e6ca

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
f359f893dea9fa13c20561ec8ea1e9d6

SHA1
5b0d6383f860a57b7170915d2ebb0d46298892a7

SHA256
84bedb13280b52b718c0a33afc0119ab9e057f2d8318e0b3ed254c826fbe626f

SHA512
ebbdd4e03518cb32b949b66595fda27ecbe8715bb20cf0d4c3818a52e67797631dc1697424c0775879245be38b6feea7882eca06ab5bf7b053680a37fdeedca5

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
ea25515f64db0e6426cdecc38fa96a54

SHA1
3bf72a86215cedac590d86d3a53a241a92105cf8

SHA256
51de080282f0bef07687eb70cf74bfd1775281cd08699e19d93a8785eb818f29

SHA512
ff8c7b3dfebe0952793e5d889e8c36a1de7c53a34a8c3538327ecc0ee1362edf2db0e23591f87c3c24bacbf6f83b4a59933064fa05c842f83ecec6ee8145ae38

Download Submit
/data/data/com.tencent.mm/files/CallLogs.txt

Filesize
3B

MD5
58e0494c51d30eb3494f7c9198986bb9

SHA1
cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d

SHA256
37517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570

SHA512
b7a9336ed3a424b5d4d59d9b20d0bbc33217207b584db6b758fddb9a70b99e7c8c9f8387ef318a6b2039e62f09a3a2592bf5c76d6947a6ea1d107b924d7461f4

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
108B

MD5
c22208697801fd96fb8726bd26473463

SHA1
b08059931e02e1c914ddd44722db1fa883016667

SHA256
5bffe0ad11ff107daddf97fad09efc0ebc0b31094787f1ed050a23ac0f53a6e7

SHA512
c438ad523d92b6918a265384b4fbefd9657126f4b6b867e9b1a122598cd8e55287ac587fea7d6aa89338ac8d244628a3a7ac24d8ef20fd866e2c0f9f8621106b

Download Submit
/data/data/com.tencent.mm/files/GP.txt

Filesize
126B

MD5
bfab139f4bf327971400a0846fafc1cf

SHA1
9b5097d344e77c8caaa476a6662e31d6ace65b2a

SHA256
094eb13a3461fb7c7e825f5146a7f1305f38f249e9ae628de0858aa8ea174d82

SHA512
d6eb1f9662c4cbe3355e215ab05e667d7e527f0d879d7f3a704ebd520c3bb10fa0a05ceaa77875b375077088b7b2f0447e1049c7f3edb48fa9b61b8202f18337

Download Submit
/data/data/com.tencent.mm/files/Tree.txt

Filesize
687B

MD5
67cda3923f9c6d68071357396e1b187e

SHA1
23d7bb663bded6422a3c8812d8277d21c967f237

SHA256
40db3b21c25db11bf7c1309ff1544e4887cdefcc0d53894a2f2ebbfe750173f5

SHA512
b56c8776d7eb91c93fc0a736fa783875d3b8cba7c59ee9f85d944519150b91c6b49790c4324b8c966802d0e877091fa7ecdc25c55380d61b0e9e76f517a18977

Download Submit
/data/data/com.tencent.mm/files/accounts.txt

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
/data/data/com.tencent.mm/files/netinfo.txt

Filesize
827B

MD5
73b3bc199b17872f88159a39b2414424

SHA1
8d85a3dc30eb26a6ec15ed18b551fb166951a095

SHA256
45fd28e388ec8c646a64e61b29111aaabfcc39bccfcb686c37f9d4c5cce7c04e

SHA512
7c926d9ed1884cef99e224711b1e518a3e18ef817ac22a79977124fd6eff910745bd3f42574f5f55bebaa8ce701cbdf9de710a5ed42d7874edde0c581df051e2

Download Submit
/data/data/com.tencent.mm/files/pkinfo.txt

Filesize
9KB

MD5
9c3e91de920da0d890b038f9f705d9ff

SHA1
d3d09aa45859562dc71b111ede373cc8049d7f94

SHA256
40c176d367007874c0e117f01572bed8235d5a18b36f8b2fda19b4f93973b9df

SHA512
b93169224ad7477d72d0599804afaaf9e87e1d9b6451b7d4712b05e093a87d25d493772756c4f7d63d3d529207df8c86a3b9d6b690ee377a77a752c90f67f1a6

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-03.txt

Filesize
12B

MD5
e48057c3603c907cacbe1568a7dbfc41

SHA1
6e100086b53e20e499a9be069aa1b452faf82ba3

SHA256
4b36685dbf772b2de007f4c98f824966f4f3a132075692d3d3d8f11e84e5468e

SHA512
787e1140832e8c308039f0287ee801c00040544d5241425b0c0c8e8dc19ecf3feefa50706723f7a21be209c13b24ab3dbe0691ec42118fdfe18611b13155fb9a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-03.txt

Filesize
267B

MD5
ca83936d0c0ffdb4a991046e32ccc956

SHA1
6d34827e6fd5b8f716cc5f7d7843b581713aeab3

SHA256
b50da55ec1fcb8d0589b49d5b3dfef915d77f3dbb24416bb1305441f81c507d2

SHA512
61bb1d4d033b0ddfa7ae802d5732c00af6db3aa5bcfbda0c60a0f12bd9fbbbd03123990c55d5abbd3d6e967471101b82e409f1620a73a3cf8c627452f61440d4

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-03.txt

Filesize
12B

MD5
a9256f55737b655c8cff95418411997c

SHA1
d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24

SHA256
bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412

SHA512
10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574

Download Submit