anubis | dbccdff96a947a5a461a9c794db7bf1e704dc5371fd6a3cb0bbdb412d0854818

Analysis

max time kernel
24s
max time network
152s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
03-10-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbccdff96a947a5a461a9c794db7bf1e704dc5371fd6a3cb0bbdb412d0854818.apk
Size

4.8MB
MD5

d98de9f671d6aa0174ec3ea0e0bddfec
SHA1

303e407a5b037edcfe39c56452c96064a0b48120
SHA256

dbccdff96a947a5a461a9c794db7bf1e704dc5371fd6a3cb0bbdb412d0854818
SHA512

7e322b4acacb0997045842ca9222cbbde8ffda0bd5ac808a0ce975c5fe4c75e13b2deb33cc1f7887e70ed11c2e2697d725a1cccb200d3d0fa1b61adfa25f725b
SSDEEP

98304:i+fYMQWkZNz2GKsglGc+vx0lTeHuCUXW+cs/Re6EDk:iGeFLppgcc+vKlTZGDs/Re6EDk

Score

10^/10

anubis banker collection credential_access discovery evasion execution infostealer persistence stealth trojan

Malware Config

Extracted

Family

anubis

https://google.com

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis
Removes its main activity from the application launcher 1 TTPs 2 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.tencent.mm

pid process

4602 com.tencent.mm
4602 com.tencent.mm

pid	process
4602	com.tencent.mm
4602	com.tencent.mm

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.tencent.mm

ioc	pid	process
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4602	com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex	4602	com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex (deleted)	4602	com.tencent.mm

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.tencent.mm

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

com.tencent.mm

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser com.tencent.mm
Reads the contacts stored on the device. 1 TTPs 1 IoCs
collection

Contact List
T1636.003

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://com.android.contacts/data/phones com.tencent.mm
Reads the content of the calendar entry data. 1 TTPs 1 IoCs
collection

Calendar Entries
T1636.001

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://com.android.calendar/events com.tencent.mm
Reads the content of the call log. 1 TTPs 1 IoCs
collection

Call Log
T1636.002

Processes:

com.tencent.mm

description ioc process

URI accessed for read content://call_log/calls com.tencent.mm
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

com.tencent.mm

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.tencent.mm
Acquires the wake lock 1 IoCs

Processes:

com.tencent.mm

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.tencent.mm
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mm
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.tencent.mm

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tencent.mm
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.tencent.mm

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.tencent.mm
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.tencent.mm

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.tencent.mm
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.job.IJobScheduler.schedule com.tencent.mm

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.tencent.mm

description	ioc	process
URI accessed for read	content://com.android.contacts/data/phones	com.tencent.mm

description	ioc	process
URI accessed for read	content://com.android.calendar/events	com.tencent.mm

description	ioc	process
URI accessed for read	content://call_log/calls	com.tencent.mm

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.tencent.mm

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tencent.mm

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.tencent.mm

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.tencent.mm

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm

com.tencent.mm
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the calendar entry data.
- Reads the content of the call log.
- Requests cell location
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
PID:4602

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Location Tracking

T1430

Protected User Data

T1636

Calendar Entries

T1636.001

Call Log

T1636.002

Contact List

T1636.003

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.tencent.mm/app_mph_dex/classes.dex

Filesize
10.6MB

MD5
302e71be0e6d47632c3769c72da585b7

SHA1
124f1bb806acff41157abef543a838ff0ce53b07

SHA256
66fbdef34021b43ecf328360a6e50ed2fd2fb6c2d568e15775027234649c1a6e

SHA512
8743061a172d844b0d397930c17c4153df4a895cfe2845d58fea3fcde4ce66aa94d1ba1d5a0ae4859772b57b7fb4c777cfa4c2681c3309ceff450cec234ce7b1

Download Submit
/data/user/0/com.tencent.mm/databases/Dname

Filesize
32KB

MD5
1854505a3f6d683ed7eb81612934370c

SHA1
4f710add9a652d2fb92b7ce45589e27bf03f0b2a

SHA256
8100330a266f3027b929ea1bde99440ce4a544c9d9a0abb2ef0d1a73aa4cd9a4

SHA512
104a6e9c840b1fddd22ae579624a549c911abfbb48dc4454d3d231619c41a9abbf22f0dc5362a80c8c8245cc18566661f3645ac48c61259132886d4bf4678962

Download Submit
/data/user/0/com.tencent.mm/databases/Dname-journal

Filesize
512B

MD5
cf4dc9f57bbb7228410ff04518a3dc06

SHA1
c96173306f548d0cc4afeb03087865b56ca8ba34

SHA256
a42de68b7763e9bb85c074041f93273c2fecfdf1cc44aa06b2634e7cd9c004aa

SHA512
e57a72f319483643cfa0bd43dab46e4297f3e9f18f4cc92a04b094422f6fba7fdac575c42efeb5c314ed26970ea43839a88e0a7bdd4a2028fe0c298485bb8a8e

Download Submit
/data/user/0/com.tencent.mm/databases/Dname-journal

Filesize
8KB

MD5
31becffe45ea24456c6cc4fcfc3aa146

SHA1
4e6ad1b5c95d9573cacfbe971ea3856fe6b29d9a

SHA256
0ffafa91d2220241ca961b8db72a15a5e5b184037e6adda2090aec5bbba9a0a3

SHA512
fabbe34966efb167dabc0509a0c0a07e5fa7fd9214353dc67df84464601b432ea569823c3eeb4f2fcb134171b2bdef0980a1856f2c54b0f0e7b82203d64978eb

Download Submit
/data/user/0/com.tencent.mm/databases/Dname-journal

Filesize
8KB

MD5
76b656361b3e3858c554b4bd880e668e

SHA1
931a5c17c5c8d38293a2cbc03cde2db2cef120df

SHA256
4405235291b37e02a05e3807074b3876dfa64f22412012f5e28280071a1c3a4c

SHA512
cefbba24f2354bc673256f5e1830a5860659be5afc43eb07813d7d2945de7b418c43a7491feb7df8a9ed63839b7d7004ff3b0104e0b8f3fbe525d6aa75e6e15e

Download Submit
/data/user/0/com.tencent.mm/databases/Dname-journal

Filesize
8KB

MD5
e915040b9393220900cb88cc9ccf9738

SHA1
cbbdd1865ad1cffb00f57b5518619d644bc4c587

SHA256
20a2f7e94a42fff6a76add682b6c6b25a9d295811fc0ea4f1fb01ffa81bea700

SHA512
9dd08969d3ddf2fa4a5b2ca1b699c4fcd69b0c7630fae95bf045f5b759969607646f209b6981eef21c41436005cecdae223dab4688d1aea847fc4662dda85685

Download Submit
/data/user/0/com.tencent.mm/databases/Dname-journal

Filesize
8KB

MD5
611875af5a6fa10b2a68088d29d0e242

SHA1
8abc26c3207a477c86f98b7bfbef1287d74992df

SHA256
1524d75d96ad3cc854a6186568782468571cb52fb7c4b29520bbf8a58cf82ef7

SHA512
38e4ee2bca9b125460096951cc8d2c1e01b7e10231164396a8811931fae41bec9d7b15a1684143a1ac44d7c179138f9da137dbf9f7a4f5d179d050623086e933

Download Submit
/data/user/0/com.tencent.mm/databases/evernote_jobs.db

Filesize
16KB

MD5
4d9a215ca9aa1ba93bd088266aa20c14

SHA1
8bcdaa7b91888a20465c767628885780b86c2585

SHA256
91259f42077fb2bd67aae1e2b26c2038cf5c6fbc018c707ba13e329e16af5030

SHA512
ccb3e8e554c980d90ec741aef497273963a6e8658943d957c454bf170a7fcc38bfa048815187747dc087cfa194460a19457203967742842bd01d8b94bc25441b

Download Submit
/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
512B

MD5
c8511192951be6d7c78ae5bbe57ac116

SHA1
b03960406c1d9ac1ae35ac4c4c776d07704d06ae

SHA256
6035e8ce59b36a4f495eff62d3ad5905de4bc9ef1b770bf83d28c52e9dffcdbc

SHA512
9a3b5af83784f313a64ec8bafa84a8d35a9be7a469348daf55e78a8a90a0b3ec793a26f9c6aea6477f578f14bec737be64dff0c3eb293c2f7e18d461b4d8df5c

Download Submit
/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
b6bde6e6669dcad2d19ccbd933736e7a

SHA1
bf9c89f6da2e4356759663827bbf7364f0c87c0a

SHA256
4669b7ef40b6f7a931f5ce59c033da995a2c106cfab9ab221396e2e3279d595b

SHA512
b7ed0a8ea30fa5b74ce38b2e8e5f1b8ab118ff17c6fcb9b22293991a95a42f9efc3dc2f9268ee06d0dcba734067a830d25edd5d0d9aedbca2a823bdb886b02b7

Download Submit
/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
516b0a372553d6be65d56ea850974417

SHA1
d61b73186b4aa6be8597ba73f2bce75033504d1c

SHA256
2fd0ba4105a53fe463ac2af2e2eb2535176733264b582a2b65d0beb51bdbf35f

SHA512
858e68652cf7fa11e2319b2df2d4517db301bb743992cc2a5b6c056ff85862b2735557a1a5e932f4b536e8d5f6ca8a602e9bce5c606ca52312bcf9ae4452959f

Download Submit
/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
3341838131348481dd970acd77f0620d

SHA1
41b1a8067f3f7f7b505181ecfb5eb9d84c7acd88

SHA256
4435274f79342d26b351ae72fe126429f041ecf1563fc52ba1c1e3d068182f0e

SHA512
0e2b0b543b2ec5b3ba00b2c852c92feb4ad63125d09280a5bc74cc55572ffbc05ddd9ea6e6a696ef0825edaa98c24b3fe5ea16ebbad98ab2f0e4b765f568c5fd

Download Submit
/data/user/0/com.tencent.mm/files/CallLogs.txt

Filesize
3B

MD5
58e0494c51d30eb3494f7c9198986bb9

SHA1
cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d

SHA256
37517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570

SHA512
b7a9336ed3a424b5d4d59d9b20d0bbc33217207b584db6b758fddb9a70b99e7c8c9f8387ef318a6b2039e62f09a3a2592bf5c76d6947a6ea1d107b924d7461f4

Download Submit
/data/user/0/com.tencent.mm/files/GP.txt

Filesize
108B

MD5
52199360b11ad01830ae692c1a46851e

SHA1
0b6fac9f66494e5b9a88811e06e0a38af988d3c0

SHA256
aa79df49f1226bd26f99773ff08c8646a167be5e83387fed2e01d3b4ca4da127

SHA512
8748fcf30ba708cae43daad3fa487053d4871014dd2a78a44f51e8378b713448de9af14c8720c2a13b6292164577cf53018aa8031011c7eb037bf149018bd803

Download Submit
/data/user/0/com.tencent.mm/files/Tree.txt

Filesize
566B

MD5
aa90fcb432b2e3aa64acee9e5a723e77

SHA1
ff7f5385a4ff8413b04c7164f963737a4ff73284

SHA256
34f6a353f875915d8f484b07bcbaee5993dd97db17b6e0e256e772510a595754

SHA512
a3ee3849dd51fc57bb8ad072a1bf29b00d5527969cf43f4f62f19fbd3fb4ab9fce7821d26aaeffefb3eac0a0267200c89d7a4f278eb23bab1ecd4e38601463a6

Download Submit
/data/user/0/com.tencent.mm/files/accounts.txt

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
/data/user/0/com.tencent.mm/files/netinfo.txt

Filesize
854B

MD5
bf5d1d96fddb62082dd3a0716f95e15a

SHA1
5684ea97e9539f8c839bcaa408090290c855e16a

SHA256
fded06f0f28d8d55a0c991fda19e68e089957e830bda0b38db4998ec402e5ba0

SHA512
28eca4a73a44a90a2a4d42a1e83b903338f4eddace11de1a9f927d35629ed3c833a98066139bc9c17d799dc62c02f9b4653d6c0c7c85eb871ce66298b967b901

Download Submit
/data/user/0/com.tencent.mm/files/pkinfo.txt

Filesize
10KB

MD5
df036b93426f886d1696210079b94938

SHA1
b593b3806d3d85257511959992013f6a4f543011

SHA256
6d9bb455edd9154e310a777aad0dde552ff995134e2321933a0365f9112c3912

SHA512
0d7eb6c0e5378a362a4bbebbc09f291080975c8ece8473d28c9cc9ec5b4a138f2fe19b09bc5d44cf17ec66a4f59dadb1de59ac8286cdc10a461e46491da01e29

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-03.txt

Filesize
12B

MD5
e48057c3603c907cacbe1568a7dbfc41

SHA1
6e100086b53e20e499a9be069aa1b452faf82ba3

SHA256
4b36685dbf772b2de007f4c98f824966f4f3a132075692d3d3d8f11e84e5468e

SHA512
787e1140832e8c308039f0287ee801c00040544d5241425b0c0c8e8dc19ecf3feefa50706723f7a21be209c13b24ab3dbe0691ec42118fdfe18611b13155fb9a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-03.txt

Filesize
267B

MD5
d2126d9fc9e1ee250e0272ee7d6775b4

SHA1
be81c76cb8c8cb20879582a38be90827feedcbee

SHA256
dc91ac84aa21024b24a9133c035f36c9d39497738cfdf067155c45b293dc8942

SHA512
3afa1210834d864df0fe48de8734f806c13b61c31824318377313c9bd69c84321fc0671c1ca29cf3b5971423c6457a50f9e80f4e008bcdd76c4ff73535aa5e70

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-03.txt

Filesize
12B

MD5
a9256f55737b655c8cff95418411997c

SHA1
d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24

SHA256
bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412

SHA512
10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574

Download Submit