anubis | b4bd65520d764bea63e2956f63cfe1e79109aa63efc39f3fd938e29df77cf0fd

Analysis

max time kernel
32s
max time network
146s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
18/10/2024, 17:27 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4bd65520d764bea63e2956f63cfe1e79109aa63efc39f3fd938e29df77cf0fd.apk
Size

361KB
MD5

18a3c09ce58b3db05cf248730adb6bd0
SHA1

b8df9c4fbc07539f5b25929b132d97c1416b6710
SHA256

b4bd65520d764bea63e2956f63cfe1e79109aa63efc39f3fd938e29df77cf0fd
SHA512

e883b9da7887e01f13a25eb7a3f8ca619cf1040f2b50f7790632cc58e09f833a4b76f77aa687bb1fded4ebbe8703f5106138c9acd2b21f57e76f44e84bd81ff6
SSDEEP

6144:DTomipFaxl2ZkyY47C+uGFKkOsOQwT7gTnEJD0VilSIKexXSFuauAvGh:DUmipFayvu+uqKkKQ+DliFuauAvGh

Score

10^/10

anubis banker collection credential_access discovery evasion infostealer persistence stealth trojan

Malware Config

Extracted

Family

anubis

https://qzwrxetcryvtubynumnuybtvrcewsdcfv.com

Signatures

Anubis banker
Android banker that uses overlays.
banker trojan infostealer anubis

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4642	com.kcyhit.tjdedz

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar	4642	com.kcyhit.tjdedz
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar]	4642	com.kcyhit.tjdedz
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar]	4642	com.kcyhit.tjdedz

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.kcyhit.tjdedz
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.kcyhit.tjdedz

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.kcyhit.tjdedz

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.kcyhit.tjdedz

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.kcyhit.tjdedz

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.kcyhit.tjdedz

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.kcyhit.tjdedz

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.kcyhit.tjdedz

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.kcyhit.tjdedz

com.kcyhit.tjdedz
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4642

Network

DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.180.14
DNS

ssl.google-analytics.com

Remote address:

1.1.1.1:53

Request

ssl.google-analytics.com

IN A

Response

ssl.google-analytics.com

IN A

172.217.16.232
DNS

qzwrxetcryvtubynumnuybtvrcewsdcfv.com

Remote address:

1.1.1.1:53

Request

qzwrxetcryvtubynumnuybtvrcewsdcfv.com

IN A

Response
DNS

t.me

Remote address:

1.1.1.1:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
GET

https://t.me/fanili11

Remote address:

149.154.167.99:443

Request

GET /fanili11 HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Fri, 18 Oct 2024 17:27:53 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3642
Connection: keep-alive
Set-Cookie: stel_ssid=9542c2804498988c3f_17096429396607444550; expires=Sat, 19 Oct 2024 17:27:53 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/fanili11

Remote address:

149.154.167.99:443

Request

GET /fanili11 HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Fri, 18 Oct 2024 17:27:53 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3641
Connection: keep-alive
Set-Cookie: stel_ssid=a33463ff027294a24a_5013749767339804978; expires=Sat, 19 Oct 2024 17:27:53 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000

142.250.187.206:443

tls, https

1.5kB
40 B
1
1
142.250.187.206:443

tls, https

1.5kB
40 B
1
1
142.250.180.14:443

android.apis.google.com

tls

5.5kB
8.8kB
21
21
172.217.16.232:443

ssl.google-analytics.com

tls

1.3kB
6.3kB
8
9
149.154.167.99:443

https://t.me/fanili11

tls, http

1.9kB
15.6kB
17
18

HTTP Request

GET https://t.me/fanili11

HTTP Response

200

HTTP Request

GET https://t.me/fanili11

HTTP Response

200
142.250.179.228:443

tls, https

845 B
40 B
2
1
142.250.179.228:443

www.google.com

tls

11.2kB
12.8kB
33
41
149.154.167.99:443

t.me

tls

5.3kB
59.1kB
44
46

224.0.0.251:5353

3.7kB
11
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

142.250.180.14
1.1.1.1:53

ssl.google-analytics.com

dns

70 B
86 B
1
1

DNS Request

ssl.google-analytics.com

DNS Response

172.217.16.232
1.1.1.1:53

qzwrxetcryvtubynumnuybtvrcewsdcfv.com

dns

83 B
156 B
1
1

DNS Request

qzwrxetcryvtubynumnuybtvrcewsdcfv.com
1.1.1.1:53

t.me

dns

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar

Filesize
184KB

MD5
ad0b831361de0aa3ef9f15004bf8f574

SHA1
869f3107c20842e3e7897baa068731247768e6c0

SHA256
10af72e1709bece34705e9b8903d83217a645da841f5868ef1151d742c72575c

SHA512
09640c3dc9c207d977d3492540a6532de97dd00a2ecd359042922021022611fad7e96c79b5c4da5b3f55d6789a384e5ed462b37f56aec728ca86ade940b9d9bb

Download Submit
/data/user/0/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar

Filesize
370KB

MD5
8948db9613f2e38613b46632a19b9d3f

SHA1
93267c031f65423e4f590667ae2a87535938120f

SHA256
5cdc2336d5c98e5f26f16ec19d7f875e0e8fd9b05c0f91c1eaefa040790be405

SHA512
2e5c742047649a199d96055ab9e036d5de1bc062f61082536ec31562fa8b924c80725ffe3069c034417a8d3e5fff651d25b6de67581f23f4463ca5ea2c140a4c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.