Analysis
- max time kernel: 22s
- max time network: 121s
- platform: android-11_x64
- resource: android-x64-arm64-20240910-en
- resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
- submitted: 06/03/2025, 08:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: _9.3(2).apk
- Resource: android-x64-arm64-20240910-en
General
- Target: _9.3(2).apk
- Size: 4.9MB
- MD5: aeea87cc55094fb9f5d4d5bd2e91351c
- SHA1: 7134e13600819dd66d03b9a49b84ce0b31ca65aa
- SHA256: a7fc181b0d8626c3f6eaa0ae99520f2d3fb2d47543692d83fd9fc92906d76c7b
- SHA512: 09579970211fea258f3851036b1ac959663e3738ea3f44136d4b86bc61051cb99b2a7d4897056f6508be6c5a186b1ca7b5f8aec8d741426c43523e1f91d7a651
- SSDEEP: 98304:2N2grLR74A4nGkiQnT8bEo1um+z2BNS55pS:G2u8FnGkYbx+z+S55pS
Malware Config
Extracted
- anubis
- https://google.com
Signatures
- Anubis banker
  Android banker that uses overlays.
- Anubis family
- Removes its main activity from the application launcher
  pid 4788, Process com.tencent.mm
  pid 4788, Process com.tencent.mm
  pid 4788, Process com.tencent.mm
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc /data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml, pid 4788, Process com.tencent.mm
  ioc /data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml, pid 4788, Process com.tencent.mm
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, Process com.tencent.mm
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, Process com.tencent.mm
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText, Process com.tencent.mm
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  Framework service call android.accounts.IAccountManager.getAccountsAsUser, Process com.tencent.mm
- Reads the contacts stored on the device. (1 TTPs, 1 IoCs)
  URI accessed for read content://com.android.contacts/data/phones, Process com.tencent.mm
- Reads the content of the calendar entry data. (1 TTPs, 1 IoCs)
  URI accessed for read content://com.android.calendar/events, Process com.tencent.mm
- Reads the content of the call log. (1 TTPs, 1 IoCs)
  URI accessed for read content://call_log/calls, Process com.tencent.mm
- Requests cell location (2 TTPs, 1 IoCs)
  Uses Android APIs to get the current cell location.
  Framework service call com.android.internal.telephony.ITelephony.getCellLocation, Process com.tencent.mm
- Acquires the wake lock (1 IoCs)
  Framework service call android.os.IPowerManager.acquireWakeLock, Process com.tencent.mm
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call android.app.IActivityManager.setServiceForeground, Process com.tencent.mm
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Framework service call android.net.wifi.IWifiManager.getConnectionInfo, Process com.tencent.mm
- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
  Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, Process com.tencent.mm
- Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
  Framework API call android.hardware.SensorManager.registerListener, Process com.tencent.mm
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Framework service call android.app.job.IJobScheduler.schedule, Process com.tencent.mm
Processes
-
com.tencent.mm
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the calendar entry data.
- Reads the content of the call log.
- Requests cell location
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Schedules tasks to execute at a specified time
PID:4788
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Execution Guardrails (1)
- Geofencing (1)
- Foreground Persistence (1)
- Hide Artifacts (3)
- Suppress Application Icon (1)
- User Evasion (2)
- Input Injection (1)
Discovery
- Location Tracking (1)
- Software Discovery (1)
- Security Software Discovery (1)
- System Network Connections Discovery (1)
Downloads