Analysis
max time kernel: 49s
max time network: 69s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 05-12-2024 11:30
Static task: static1
Behavioral task: behavioral1
Sample: _9.3(2).apk
Resource: android-x64-arm64-20240624-en
General
Target: _9.3(2).apk
Size: 6.0MB
MD5: bb37b95ade556aa58b7532bffc6d38d7
SHA1: d2e056ee8bbeed237ca0c27ecae5f9406af07227
SHA256: 1541706ec9534d9c636d65f84bf0cb7394b1123ee789e12353ad13194c1cd204
SHA512: 3bc2112f876770a603a9986665b1caf5e27b029539643379389115f262980539ff22c7fde4199344a5578fc57cf5cbf9e44a2caa367d469d4b4f19a738fb7b47
SSDEEP: 98304:7kJ9TebkrRwjolZ0M0b9FjYy5OVSeZ+/1KryBdgy+iOFCLqjD+f:GRx0M29VYysVSeE/UUqziBwqf
Malware Config
Extracted
anubis
https://google.com
Signatures

Anubis banker
Android banker that uses overlays.

Anubis family

Otpstealer
Otpstealer is an Android SMS stealer that targets OTPs, first seen in February 2022.

Otpstealer family

Otpstealer payload 1 IoCs
resource: behavioral1/files/fstream-3.dat
yara_rule: family_otpstealer

Removes its main activity from the application launcher
pid | Process
4595 | com.tencent.mm
4595 | com.tencent.mm
4595 | com.tencent.mm

Loads dropped Dex/Jar 1 TTPs 6 IoCs
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex | 4595 | com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex | 4595 | com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex | 4595 | com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex | 4595 | com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex (deleted) | 4595 | com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/classes.dex (deleted) | 4595 | com.tencent.mm

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.tencent.mm
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.tencent.mm
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.tencent.mm

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) 1 TTPs

Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description | ioc | Process
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | com.tencent.mm

Reads the contacts stored on the device. 1 TTPs 1 IoCs
description | ioc | Process
URI accessed for read | content://com.android.contacts/data/phones | com.tencent.mm

Reads the content of the calendar entry data. 1 TTPs 1 IoCs
description | ioc | Process
URI accessed for read | content://com.android.calendar/events | com.tencent.mm

Reads the content of the call log. 1 TTPs 1 IoCs
description | ioc | Process
URI accessed for read | content://call_log/calls | com.tencent.mm

Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to get the current cell location.
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.tencent.mm

Acquires the wake lock 1 IoCs
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.tencent.mm

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.tencent.mm

Queries information about active data network 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.tencent.mm

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.tencent.mm

Reads information about phone network operator. 1 TTPs

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description | ioc | Process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.tencent.mm

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description | ioc | Process
Framework API call | android.hardware.SensorManager.registerListener | com.tencent.mm

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | com.tencent.mm

Uses Crypto APIs (might try to encrypt user data) 1 TTPs 1 IoCs
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.tencent.mm
Processes

com.tencent.mm
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the calendar entry data.
- Reads the content of the call log.
- Requests cell location
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID: 4595
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime 1
Execution Guardrails 1
Geofencing 1
Foreground Persistence 1
Hide Artifacts 3
Suppress Application Icon 1
User Evasion 2
Input Injection 1
Discovery
Location Tracking 1
Software Discovery 1
Security Software Discovery 1
System Network Configuration Discovery 1
System Network Connections Discovery 2
Downloads

Filesize: 8.2MB
MD5: d0a319539616d1277559a6d2f498dd60
SHA1: 92e789637fa711d6fe45f92556fd3838b28f3b1f
SHA256: a18cf0847342ef6a8804659bf6ddf1fc9fa2f99947038e6970118744f36a2ac9
SHA512: 45d1a77d0a6138315ef3313be2405102880d46cc2c5600c57059eb38d176544ee79aebdfbb0a42701c11d11c14e28d498429226e375f493a3d3e4803e3e743d6

Filesize: 32KB
MD5: 1854505a3f6d683ed7eb81612934370c
SHA1: 4f710add9a652d2fb92b7ce45589e27bf03f0b2a
SHA256: 8100330a266f3027b929ea1bde99440ce4a544c9d9a0abb2ef0d1a73aa4cd9a4
SHA512: 104a6e9c840b1fddd22ae579624a549c911abfbb48dc4454d3d231619c41a9abbf22f0dc5362a80c8c8245cc18566661f3645ac48c61259132886d4bf4678962

Filesize: 512B
MD5: 87bb5a9e103ebdba537c13347ff03617
SHA1: 6fe6f3b7aeb7215417f93e0eb64674089d5ff635
SHA256: 5facf14a38d7b7b99cdf90be54ef78ba9b4e88acbf7c0ca1df56cdcbb6d12f42
SHA512: 91e632e65454e8fff9e85ca656fd0a9c5c9ee581c8c306c53715f80bb8745937618aa6e424e28fca2f2027e6b67cf3ea199e8255abeea8d62eb1f65003c9b979

Filesize: 8KB
MD5: 5a764740b54641f4f85b700e12fc0a05
SHA1: d82001b8e74fffb71afb4fe97bc5a895a7ecb669
SHA256: a199dfcd1cb9cd976ec4f22bbcfad4643286d5670a6a68599c812660a667f823
SHA512: 4a4bc917ea78fb274b937199aa948d0f28a15b7edc3516debe9a2136992c5738a551070f64b89b627c1a51fc0644bc758155ce8b0bf0f462cad5e65e94780dbd

Filesize: 8KB
MD5: c0fd7de94b3c47bd181edcc17837c82d
SHA1: fddf8f708478b8e17cd71edb2c843aa974b0e507
SHA256: 0d2c05351979500f1af9cdc11b9f24b45ffe8ed1a21dc4da2e6f8d11c2134f1b
SHA512: 0786f1623eb742430a8c3202d062f652145b1cc995af8efd76599e80c3a209de7dbf19ab4fe19d937ac7c4775a7b2a14236810497011cf6a218b25eebebe0212

Filesize: 8KB
MD5: 4c0a1c51b11e1ba444c059be0a1d62d1
SHA1: 8883fe2670fbcfdd0d549d9455f0109cf6347fa9
SHA256: a16ebb60d9b9a48c15ff9308d835c3146ff6c8d3d6f8f4eadc20defeacd74ce1
SHA512: c126637a2573c8a81e957e16688c2423c41ba4cab6f1ac7a66d8b48a8586dc2a20ee7e66ea411a0f9b14f2466ddbd177c84801275208cc01a97d51a1585c5f6e

Filesize: 8KB
MD5: ff3e20cfd22fc08a98e9b87e59a996dd
SHA1: 5a461d8b2c47e20a53611876ae25d7cb964da1e8
SHA256: 85e49d5674f31a822adb9146bde7ccb98b12e83c0e3a433fb97e1fd2662131cc
SHA512: 88974e89a38c52dacd3554fc0514e877a9a37f9181012c9aa156a13ae55c660c82dac7577465b93b9eb739a4dfdd8f1774c72b360943a5bbba62d96ecdc86bbf

Filesize: 16KB
MD5: 25206bb54d7dde15910a9a72fc4699f6
SHA1: e0f53e2bd17b315087b731f23affb86f2e47f652
SHA256: 3507ae57b4828934dfee7a7534e5fe4d6e8f998ab49e1baa3a87c75f03eb14ea
SHA512: 94a26b8daa3dcaf49691f8de7571a10a6c0056913e15f08d7c1e1bd5dd90c6f201a4420ce22ab14d4ba4553e5d56cc4a06bdf4fb3b6de61a6c9d775c56183f04

Filesize: 8KB
MD5: fd8cee12c4b12d1b9f0c74915aa3c2a8
SHA1: 33c7bac20d03d1dab16f6769e0b72cb7047d1f6b
SHA256: d0299ce816bfef2be980eb7f1611106068c17722536ccd57d1ecc5856d068f83
SHA512: 6b411f8123235185c82a5409e8936c6e6102bda5dea2bc630a78ce6ae616d1dea0144768c84dbe550816f3fea928202ed318200ea6d4ac7a979674cb99a215cb

Filesize: 8KB
MD5: 40e8ea4bcefacbaeca19b0fb5d07cd51
SHA1: 8099ac2213db551322bf9ac5bb2bb1e30cc268c8
SHA256: 38c19721f25ecbc7c7ad8f08e1e7f1c9bc9f611e96970562a78f1b54e6675d35
SHA512: 2840e4c7271b4904462effc696251675062cb8de09e7ee0beea77922eb042919b0c7e7eaf2e263782e75ee9de2be3c592efe27c3bf9d2dd114fc3242aa368170

Filesize: 512B
MD5: 13e377e9a71befed4536b7d60fd94d1b
SHA1: 479a990deacee1bd873c344900e5c0a179e7fc66
SHA256: f66a7ad11140b710d85ec3a4f75058741d7161187cfcbfb93f4102c26a0364c8
SHA512: 8aea5e19398f0a4fd4d14e3ca0cba2ec58b20db86ac1fd264671eb6ea3ee0bb4f06a7e6576badd4b4c256e322aa5d46d40389e5ce606878deecd56fbd66049ea

Filesize: 8KB
MD5: 2955f9b229e38f86f4060fc30b9037e6
SHA1: 78a85088e8b39262b4882e4498789308cfb33031
SHA256: d193dd169a50e5e81b587a10ab90decac05bebd921955394297d9e57ceefd5db
SHA512: 56edc9b8c3d63c9c03e922d5cecf5c085c83bcb9b1ce8ca4a32fefecf667f06c0bc6479932d7ba58010291562f961436cc471adef3011122787156b88aa671c7

Filesize: 8KB
MD5: d45df91b73ed53fa1db5527c87d47d30
SHA1: a5f44642ba1affb3429d26c873d7a4d00d1629eb
SHA256: 513439bfffcf758a5b5bb3a5f47b3ef28de1b922b735e34d527a096744ded28d
SHA512: 1e3f9034d3ecb400710579cc7e374b7006492e9cc42feb77e6642587217c21759c42712ecafee1728cf5dfabe32060c5dc98b00f6bc5e59cefc422a92c95b840

Filesize: 8KB
MD5: 72a73de3cfb3a89df636d430226753b5
SHA1: 87a06f29fe49ddc6d875c0a160cdbfcf65de1f43
SHA256: 9bc2e3be3553edb2e1ad46117ff3cd4af676222507d2440fa1ed0e13f2e41674
SHA512: 1e35cec0f16e625ef5ff515541452bc0e79ca17ca80485debaea0a3969fbd3e9e139ad0edeb4aa026afbb39f54f9e07540a2b6722682315d0558d60d3f9b3cd0

Filesize: 3B
MD5: 58e0494c51d30eb3494f7c9198986bb9
SHA1: cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d
SHA256: 37517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570
SHA512: b7a9336ed3a424b5d4d59d9b20d0bbc33217207b584db6b758fddb9a70b99e7c8c9f8387ef318a6b2039e62f09a3a2592bf5c76d6947a6ea1d107b924d7461f4

Filesize: 108B
MD5: 17ce8389499f2b4d291f4ecb12d87c3a
SHA1: 4ca86f115a866d767d513ebb5e6ca491dde4dc52
SHA256: 82d95a98d7d613491eb5f9c86b273f3e7e8c25dc256a5c02b569c729e6909c6f
SHA512: ff488bac9633eab7a16c26f16a9a2dead7f66dc075e02889a0fdc0b35e143cb519c2f3b8ad4441b043c7c5dad79a83388bcbf2d523037e770ddea53dfc6788fc

Filesize: 108B
MD5: 09f8a0e7ca7eb2cbcfac03bee4a74d9a
SHA1: 836d8578129991ddd44d82fb97fcb6b5f6b2112f
SHA256: c21b40a42d06899fbffb4b6e02f49c0eadc6e80c1751104c0550e63c1d5549fc
SHA512: db6b9b8f27a2ae3fc49dcd6f4c034d7a30621334ffc7571e856c2a9bf21741f7eab86382b67e9216f7d044d56ae27c6ed9f25add5608ecfd32035b94740a1b29

Filesize: 114B
MD5: 84f8e25a4d45d774df80dac9e0cc488e
SHA1: 6a6fda831631c8ee841220ef5f16e06d57601d26
SHA256: e4a60aa3055dff349e3ee6ddedfd8c3057cae37eb3321f2e26535b6b3982d63b
SHA512: 45a8eaffdcb46c4e58242c6b60aef8fccf65a6c9da4c82161de77c47c26600986cc05493f82aa0cd0681c5df76341c9be5ec35def82fcf2a5f9de5839fbe912c

Filesize: 477B
MD5: 2ddbe0f93a8cb5cb226c1f57fc3647bf
SHA1: 9e27664f7dd9d2ec51a2af8bc670a1699b9b9719
SHA256: f358a1707aea904bb1ff48c44ad0e1e6ea6c96e9de825e9f761c567a57f67548
SHA512: 6855fccac1554cf938c019162d7996369ac1ce0e6ec5bfc92a6efa89dc8dc9495f2099cfeb152723256190bd5e6812e793222b4ffd915fad80b70e71a8524ee2

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 854B
MD5: d7199471b329ca1ec84293962d4d3578
SHA1: 7b806cbe0e331741dc45887ea8e4f1c26a3e61c1
SHA256: f6bc89c0cdf1c12e0832e1dcc2a467d3283e76c6ae951c07d6d81bd57b71b297
SHA512: b5288a0f4a3498925ecd7b9cf8cb2e2c11f740db13921a2f1a656174be0585748026243b08d8338a811a6d3ce02e9763b97bcea412c6979ca71cfcf03738f1f8

Filesize: 854B
MD5: 438e3a6576cd63c97194828f3cd5cf4b
SHA1: 599f74f7a0556ac866e52408930864b0e0278de5
SHA256: f19a1f81d9cc25eb259c11adcfaca0899a5cf7b2987bfcf9cd387566b8a5ff03
SHA512: 733a03fb7dd4e7f351dc0fc634565d3eaf54a909884ca48e996fa7017f075014d01a3e4b390f09c8699a82ccb12a4cd2a8fe51f4f62de0a8d3ba612fc2a604c7

Filesize: 10KB
MD5: 344c40353d45d009b47272dfdac931a2
SHA1: 44898c7bb8c5a7d12762562662dbbcb6c9180a00
SHA256: 07bccca648467fff1bd92361bc2fdf21290d3f43f5d9c36fb0f9ee2d64569f7f
SHA512: 809f0c501f809bdcda6635f242478aba23accef84e1c6ed085420616ec9cd6a8bdb85e0316e48f3d76ad3c8223db168b8d26d3c56bd29fc1ab7c3314963a9f75

Filesize: 4.5MB
MD5: a7b99b0a470522e1a733e442dceff919
SHA1: 7c904c6830c90f1f6ef22e56b0a5b1277edca724
SHA256: f77a1935a4328ec2bdea1c90efb142d33dd938c3e08e4a870af9843878200230
SHA512: 515423808ef21ec537f31ffe0b2f46b6d345200278094ab9c97637e04131e2a638b08ba3d972bd0de9aea45d252bcdeb970fb4dfa4979c564b70bbabd19f5c7a

Filesize: 8B
MD5: 52900302fffb9dbac2088f916e57691b
SHA1: b0c093c5b7ed141e6c22eeef539bcfd81169516e
SHA256: fc3ffda18ccd8e96d048e6285b2786706f6c12f012dfe49c661d8d19aaaa80bd
SHA512: d88f981381f28cbfba543b525e721eecdbda71e0abf1f2d55b25ec61870be005d04dbe18bdc7ded86e9cbad784933a1e828abc85a87e15f8a76dcd13b31b2095

Filesize: 12B
MD5: a9256f55737b655c8cff95418411997c
SHA1: d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24
SHA256: bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412
SHA512: 10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574

Filesize: 12B
MD5: e48057c3603c907cacbe1568a7dbfc41
SHA1: 6e100086b53e20e499a9be069aa1b452faf82ba3
SHA256: 4b36685dbf772b2de007f4c98f824966f4f3a132075692d3d3d8f11e84e5468e
SHA512: 787e1140832e8c308039f0287ee801c00040544d5241425b0c0c8e8dc19ecf3feefa50706723f7a21be209c13b24ab3dbe0691ec42118fdfe18611b13155fb9a

Filesize: 267B
MD5: 7b4d65f0aaf25e40dbdab6bfac220f7f
SHA1: 2a4d4993b03f89f72a5dbd1385810af6da2ca988
SHA256: 042fc885e22b9e72ddda5efeaa8fc964b676ce4347b0ac83a87f3af7e1ec0d10
SHA512: edb178c9f45bcc56e90662e5eaaa4e9a108401e20467de73c54aa3a05cee8433d9c3812342022569f128506bcb57536f94c0d7edfb9fd39339f4d2a550bff8cb