
Analysis

  • max time kernel: 32s
  • max time network: 146s
  • platform: android_x64
  • resource: android-x64-arm64-20240624-en
  • resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted: 18/10/2024, 17:27 UTC

General

  • Target

    b4bd65520d764bea63e2956f63cfe1e79109aa63efc39f3fd938e29df77cf0fd.apk

  • Size

    361KB

  • MD5

    18a3c09ce58b3db05cf248730adb6bd0

  • SHA1

    b8df9c4fbc07539f5b25929b132d97c1416b6710

  • SHA256

    b4bd65520d764bea63e2956f63cfe1e79109aa63efc39f3fd938e29df77cf0fd

  • SHA512

    e883b9da7887e01f13a25eb7a3f8ca619cf1040f2b50f7790632cc58e09f833a4b76f77aa687bb1fded4ebbe8703f5106138c9acd2b21f57e76f44e84bd81ff6

  • SSDEEP

    6144:DTomipFaxl2ZkyY47C+uGFKkOsOQwT7gTnEJD0VilSIKexXSFuauAvGh:DUmipFayvu+uqKkKQ+DliFuauAvGh

Malware Config

Extracted

Family

anubis

C2

https://qzwrxetcryvtubynumnuybtvrcewsdcfv.com

Signatures

  • Anubis banker: Android banker that uses overlays.
  • Removes its main activity from the application launcher (1 TTP, 1 IoC).
  • Loads dropped Dex/Jar (1 TTP, 3 IoCs): runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs): retrieves information displayed on the phone screen using AccessibilityService.
  • Queries the phone number (MSISDN for GSM devices) (1 TTP).
  • Acquires the wake lock (1 IoC).
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC): the application may abuse a foreground service to keep running in the foreground.
  • Queries information about the active data network (1 TTP, 1 IoC).
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC).
  • Requests disabling of battery optimizations, often used to enable hiding in the background (1 TTP, 1 IoC).
  • Requests enabling of the accessibility settings (1 IoC).
  • Listens for changes in the sensor environment, which might be used to detect emulation (1 TTP, 1 IoC).
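A static cross-check for the behaviours listed above, as an added example (not tria.ge code and not derived from this sample's manifest): given an AndroidManifest.xml decoded with apktool or similar, it maps declared permissions and the accessibility-service declaration to the sandbox signatures. The manifest embedded in the block is constructed for illustration, and the permission-to-signature mapping is an assumption about which static indicator usually backs each dynamic signature. Launcher-icon hiding is deliberately reported as "present in manifest" only: a sample that calls setComponentEnabledSetting after install still declares a normal launcher entry, so that signature can only be confirmed dynamically.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: the static indicator that usually backs each sandbox signature.
PERMISSION_TO_SIGNATURE = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "Requests disabling of battery optimizations",
    "android.permission.FOREGROUND_SERVICE": "Makes use of the framework's foreground persistence service",
    "android.permission.WAKE_LOCK": "Acquires the wake lock",
    "android.permission.READ_PHONE_STATE": "Queries the phone number / MCC",
    "android.permission.ACCESS_NETWORK_STATE": "Queries information about active data network",
    "android.permission.SYSTEM_ALERT_WINDOW": "Overlay capability (Anubis overlay banker)",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
LAUNCHER_SIG = "Launcher entry present (runtime hiding must be confirmed dynamically)"

# Constructed manifest resembling what an overlay banker declares; not this sample's.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def _name(el):
    return el.get(ANDROID_NS + "name", "")


def triage_manifest(xml_text):
    """Return {signature: [evidence, ...]} for indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = {}

    def add(sig, evidence):
        findings.setdefault(sig, []).append(evidence)

    # Element tags carry no namespace in a decoded manifest; only attributes do.
    for perm in root.iter("uses-permission"):
        sig = PERMISSION_TO_SIGNATURE.get(_name(perm))
        if sig:
            add(sig, _name(perm))

    # An accessibility service is one bound with BIND_ACCESSIBILITY_SERVICE and/or
    # filtering the AccessibilityService action; either alone is enough to flag.
    for svc in root.iter("service"):
        bound = svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
        actions = {_name(a) for f in svc.iter("intent-filter") for a in f.iter("action")}
        if bound or ACCESSIBILITY_ACTION in actions:
            add("Makes use of the framework's Accessibility service", _name(svc))

    # Record the launcher component; whether it is later disabled is a runtime fact.
    for comp in list(root.iter("activity")) + list(root.iter("activity-alias")):
        for f in comp.iter("intent-filter"):
            acts = {_name(a) for a in f.iter("action")}
            cats = {_name(c) for c in f.iter("category")}
            if "android.intent.action.MAIN" in acts and "android.intent.category.LAUNCHER" in cats:
                add(LAUNCHER_SIG, _name(comp))
    return findings


if __name__ == "__main__":
    for sig, evidence in triage_manifest(CONSTRUCTED_MANIFEST).items():
        print(f"{sig}: {', '.join(evidence)}")
```

Run it against the output of `apktool d sample.apk` (the decoded AndroidManifest.xml) to get a static shortlist before detonation; anything the sandbox reports that has no static backing (launcher hiding, sensor polling, the accessibility-settings prompt) must still be confirmed from the dynamic run.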

Processes

  • com.kcyhit.tjdedz (PID 4642)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the active data network
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests enabling of the accessibility settings
    • Listens for changes in the sensor environment (might be used to detect emulation)

Network

  • DNS via 1.1.1.1:53 (geo US): android.apis.google.com IN A
    Response: android.apis.google.com IN CNAME clients.l.google.com; clients.l.google.com IN A 142.250.180.14
  • DNS via 1.1.1.1:53 (geo US): ssl.google-analytics.com IN A
    Response: ssl.google-analytics.com IN A 172.217.16.232
  • DNS via 1.1.1.1:53 (geo US): qzwrxetcryvtubynumnuybtvrcewsdcfv.com IN A
    Response: no address record recorded. This is the C2 domain from the extracted config, so the sample did not reach its C2 during this run.
  • DNS via 1.1.1.1:53 (geo US): t.me IN A
    Response: t.me IN A 149.154.167.99
  • HTTPS GET https://t.me/fanili11 (remote 149.154.167.99:443, geo NL), issued twice with identical request headers. The Dalvik user agent is the stock Android HTTP stack, i.e. the app itself fetched the page rather than a browser or WebView.
    Request (both):
      GET /fanili11 HTTP/1.1
      User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
      Host: t.me
      Connection: Keep-Alive
      Accept-Encoding: gzip
    Response (first):
      HTTP/1.1 200 OK
      Server: nginx/1.18.0
      Date: Fri, 18 Oct 2024 17:27:53 GMT
      Content-Type: text/html; charset=utf-8
      Content-Length: 3642
      Connection: keep-alive
      Set-Cookie: stel_ssid=9542c2804498988c3f_17096429396607444550; expires=Sat, 19 Oct 2024 17:27:53 GMT; path=/; samesite=None; secure; HttpOnly
      Pragma: no-cache
      Cache-control: no-store
      X-Frame-Options: ALLOW-FROM https://web.telegram.org
      Content-Security-Policy: frame-ancestors https://web.telegram.org
      Content-Encoding: gzip
      Strict-Transport-Security: max-age=35768000
    Response (second): identical to the first except
      Content-Length: 3641
      Set-Cookie: stel_ssid=a33463ff027294a24a_5013749767339804978; expires=Sat, 19 Oct 2024 17:27:53 GMT; path=/; samesite=None; secure; HttpOnly
Connections (as listed by the sandbox; the byte and packet columns are out/in, the reading supported by the multicast 224.0.0.251 row carrying a single outbound count only):

Remote address        Domain / URL                             Protocol    Out     In      Pkts out  Pkts in  Notes
142.250.187.206:443   (none)                                   tls, https  1.5kB   40 B    1         1
142.250.187.206:443   (none)                                   tls, https  1.5kB   40 B    1         1
142.250.180.14:443    android.apis.google.com                  tls         5.5kB   8.8kB   21        21
172.217.16.232:443    ssl.google-analytics.com                 tls         1.3kB   6.3kB   8         9
149.154.167.99:443    https://t.me/fanili11                    tls, http   1.9kB   15.6kB  17        18       2x GET /fanili11, both HTTP 200
142.250.179.228:443   (none)                                   tls, https  845 B   40 B    2         1
142.250.179.228:443   www.google.com                           tls         11.2kB  12.8kB  33        41
149.154.167.99:443    t.me                                     tls         5.3kB   59.1kB  44        46
224.0.0.251:5353      (mDNS multicast)                         -           3.7kB   -       11        -
1.1.1.1:53            android.apis.google.com                  dns         69 B    109 B   1         1        A 142.250.180.14
1.1.1.1:53            ssl.google-analytics.com                 dns         70 B    86 B    1         1        A 172.217.16.232
1.1.1.1:53            qzwrxetcryvtubynumnuybtvrcewsdcfv.com    dns         83 B    156 B   1         1        no address returned (extracted C2)
1.1.1.1:53            t.me                                     dns         50 B    66 B    1         1        A 149.154.167.99
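Detection logic for the two things that stand out in the traffic above (an unresolved, random-looking C2 domain and an app-initiated fetch of a Telegram page), written as an added example that is not part of the report or the tria.ge platform. The log lines in the block are constructed to mirror the DNS answers and the t.me request; the C2 domain comes from the extracted config, while the dead-drop host list, the Dalvik user-agent check and the consonant-ratio threshold for "generated-looking" labels are the example's own assumptions, not tria.ge rules.

```python
import re

# Constructed log lines modelled on the DNS and HTTP records in the report above
# (not sandbox output); "answer=-" marks a query that returned no address.
DNS_LOG = [
    "dns query=android.apis.google.com type=A answer=142.250.180.14",
    "dns query=ssl.google-analytics.com type=A answer=172.217.16.232",
    "dns query=qzwrxetcryvtubynumnuybtvrcewsdcfv.com type=A answer=-",
    "dns query=t.me type=A answer=149.154.167.99",
]
HTTP_LOG = [
    'http GET https://t.me/fanili11 ua="Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)" status=200',
    'http GET https://www.google.com/ ua="Mozilla/5.0 (Linux; Android 11) AppleWebKit/537.36 Chrome/118.0 Mobile Safari/537.36" status=200',
]

# C2 taken from the extracted config above; everything else here is an assumption.
KNOWN_C2 = {"qzwrxetcryvtubynumnuybtvrcewsdcfv.com"}
DEAD_DROP_HOSTS = {"t.me", "telegram.me", "twitter.com", "x.com", "pastebin.com"}
MIN_GENERATED_LEN = 16   # labels shorter than this are never called "generated"
MAX_VOWEL_RATIO = 0.25   # consonant-heavy labels below this ratio are flagged

DNS_RE = re.compile(r"dns query=(\S+) type=(\S+) answer=(\S+)")
HTTP_RE = re.compile(r'http (\w+) (\S+) ua="([^"]*)" status=(\d+)')


def registrable_label(domain):
    """Label left of the TLD, e.g. 'google' for android.apis.google.com (naive, no PSL)."""
    parts = domain.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label):
    """Long, consonant-heavy label: a cheap heuristic for DGA or random registrations."""
    letters = [c for c in label.lower() if c.isalpha()]
    if len(letters) < MIN_GENERATED_LEN:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) <= MAX_VOWEL_RATIO


def detect(dns_lines, http_lines):
    """Return findings in log order: suspicious DNS first, then dead-drop fetches."""
    findings = []
    for line in dns_lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        domain, _qtype, answer = m.groups()
        reasons = []
        if domain in KNOWN_C2:
            reasons.append("matches extracted C2")
        if answer == "-" and looks_generated(registrable_label(domain)):
            reasons.append("unresolved, generated-looking label")
        if reasons:
            findings.append({"kind": "suspicious-dns", "domain": domain, "reasons": reasons})
    for line in http_lines:
        m = HTTP_RE.match(line)
        if not m:
            continue
        method, url, ua, status = m.groups()
        host = url.split("://", 1)[-1].split("/", 1)[0]
        # Dalvik/* is the stock HttpURLConnection user agent: the app itself, not a
        # browser, is pulling a page from a host bankers use as a dead-drop resolver.
        if host in DEAD_DROP_HOSTS and ua.startswith("Dalvik/"):
            findings.append({"kind": "dead-drop-fetch", "url": url, "status": int(status)})
    return findings


if __name__ == "__main__":
    for f in detect(DNS_LOG, HTTP_LOG):
        print(f)
```

The benign Google traffic in the same run does not trigger either rule: its labels are short and resolve, and the www.google.com fetch carries a browser user agent. Treat the vowel-ratio test as a triage filter, not a verdict; it exists to surface the domain for analyst review next to the extracted config.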

MITRE ATT&CK Mobile v15


Downloads

The same path is listed twice with different sizes and hashes: the sample wrote /data/user/0/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar more than once during the run and both versions were captured. This is the payload behind the "Loads dropped Dex/Jar" signature.

  • /data/user/0/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar (as listed first)
    Filesize: 184KB
    MD5: ad0b831361de0aa3ef9f15004bf8f574
    SHA1: 869f3107c20842e3e7897baa068731247768e6c0
    SHA256: 10af72e1709bece34705e9b8903d83217a645da841f5868ef1151d742c72575c
    SHA512: 09640c3dc9c207d977d3492540a6532de97dd00a2ecd359042922021022611fad7e96c79b5c4da5b3f55d6789a384e5ed462b37f56aec728ca86ade940b9d9bb

  • /data/user/0/com.kcyhit.tjdedz/app_files/lyqpustqpfi.jar (as listed second)
    Filesize: 370KB
    MD5: 8948db9613f2e38613b46632a19b9d3f
    SHA1: 93267c031f65423e4f590667ae2a87535938120f
    SHA256: 5cdc2336d5c98e5f26f16ec19d7f875e0e8fd9b05c0f91c1eaefa040790be405
    SHA512: 2e5c742047649a199d96055ab9e036d5de1bc062f61082536ec31562fa8b924c80725ffe3069c034417a8d3e5fff651d25b6de67581f23f4463ca5ea2c140a4c
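A small check for a jar recovered from the app_files path above, as an added example (not tria.ge code): it hashes the file against the two SHA-256 values recorded here and confirms the archive carries a classes.dex with a DEX header, which is what makes it loadable through DexClassLoader and is the concrete form of the "Loads dropped Dex/Jar" signature. The jar built inside the block is a constructed stand-in containing only a bare DEX magic, so its hash matches neither recorded value and the check reports it as unknown.

```python
import hashlib
import io
import zipfile

# SHA-256 values of the two files the sandbox recorded at the dropped-jar path (from the report).
REPORTED_SHA256 = {
    "10af72e1709bece34705e9b8903d83217a645da841f5868ef1151d742c72575c": "lyqpustqpfi.jar (184KB)",
    "5cdc2336d5c98e5f26f16ec19d7f875e0e8fd9b05c0f91c1eaefa040790be405": "lyqpustqpfi.jar (370KB)",
}
DEX_MAGIC = b"dex\n"   # DEX files start with "dex\n" followed by a 3-digit version and NUL


def build_constructed_jar():
    """Constructed stand-in: a jar whose classes.dex is just a DEX header magic, not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 24)
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def inspect_dropped_jar(data):
    """Hash the blob, match it against the recorded IoCs, and list any DEX entries inside it."""
    sha256 = hashlib.sha256(data).hexdigest()
    out = {
        "sha256": sha256,
        "known": REPORTED_SHA256.get(sha256),      # None when the hash is not one recorded above
        "is_zip": zipfile.is_zipfile(io.BytesIO(data)),
        "dex_entries": [],                          # (name, has DEX magic, version string)
    }
    if out["is_zip"]:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                if name.endswith(".dex"):
                    head = z.read(name)[:8]
                    version = head[4:7].decode("ascii", "replace")
                    out["dex_entries"].append((name, head.startswith(DEX_MAGIC), version))
    # A jar only matters as a DexClassLoader payload if it holds at least one real DEX.
    out["loadable_payload"] = any(ok for _, ok, _ in out["dex_entries"])
    return out


if __name__ == "__main__":
    print(inspect_dropped_jar(build_constructed_jar()))
```

On a real pull (`adb pull` from the app's private directory on a rooted analysis device, or the file downloaded from this report), a hash that matches one of the two recorded values ties the artifact to this run; a jar that is a valid zip but has no DEX entry is not what this signature describes and should be looked at as something else (a config or a second-stage dropper, for instance).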
