Anubis Malware Internals-0x01

Static and Dynamic Analysis of “Pandemi Desteğini aktif et” App.


Few hours ago , on Twitter “Malware Hunter Team” had shared the link to app called “Pandemi Desteğini aktif et — 1.0". We decided to take a look on reversing it.

Here’s the java code of Anubis based malicious app.

Analysis of “Pandemi Desteğini aktif et”

It’s the Fake App/Anubis Malware CopyCat of “ e-Devlet Kapısı ” which is the e-Government Gateway services Android App of Turkish Government.

Real App of e-Devlet Kapısı.

Static Analysis:~


Hash’s of Pandemi Desteğini aktif et 1.0.

Information about app :

info. of App.

Certificate Info:

Certificate Information shows 2 false signature.

App Permissions:

In image we can see app has access to many malicious permissions.

Obfuscation and Anti-VM Code:

Code Analysis:

App logs into the sensitive information of user which should never be logged. It also has ability to read and write into the external storage and also uses the insecure RNG [Random Number Generator ] and SSL. Moreover , it has weak hash’s and also stores the sensitive information of user in temp file and discloses the IP address of device.


URLs found during static analysis of app.


Secret Activities:

Secret Activities found during static analysis of app.

Services run by App:

Dynamic Analysis:~

Running app dynamically on emulator [ android VM ] .it popup with this sending the SMS using rare.ethics.across.kldqwysgkfcrmq.onHandleIntent.

screenshot of running app dynamically in emulator.


Urls found during dynamic analysis.




Threat Actors are being continuously targeting the citizens of Turkey and committing fake Apps relating to Turkish Government with in-build Anubis malware in malicious Apps.

0x00 blog of Anubis Malware Internal can be read from here:

That’s all for today.

Honey. Malware Analyst. I write blogs related to threat intelligence , malware analysis, APTs , network intrusions and incident responding.