Anubis Malware Internals

Static and Dynamic Analysis of Pandemi Destek App.

Introduction
Recently, a sample of Anubis malware arrived on MalwareBazaar and was shared by our friend Arkbird_SOLG. Following that most recent Anubis submission on Bazaar, we decided to reverse it. Thanks to our friend Arkbird_SOLG for the sample! So, let’s dig in!

Analysis of “Pandemi Destek”

It is a fake app: an Anubis malware copycat of the T.C. Ministry of Health Ankara City Hospital app.

Static Analysis:

Hashes:

Information about the app:

Certificate Info:

App Permissions:

Obfuscation and Anti-VM Code:

Code Analysis:

The app logs sensitive user information that should never be logged. It can also read from and write to external storage, and it uses an insecure RNG (random number generator). Moreover, it uses weak hash algorithms and stores sensitive user information in plaintext.
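
As an added illustration (not code from this post or from the sample), the following Python script is the kind of quick triage check an analyst can run over decompiled Java to flag the five categories just named. The decompiled snippet it scans is constructed for the example, and the API names it looks for (android.util.Log, java.util.Random, MessageDigest with MD5/SHA-1, getExternalStorageDirectory, SharedPreferences.putString) are standard Android/Java APIs rather than identifiers taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample of decompiled Java, written for this example. It is NOT
# code from the Pandemi Destek sample; it only exercises the rules below.
SAMPLE_SOURCE = '''\
import java.util.Random;
import java.security.MessageDigest;
import android.os.Environment;
import android.util.Log;

public class Collector {
    void run(String imei, String smsBody) {
        Log.d("svc", "imei=" + imei + " sms=" + smsBody);
        int id = new Random().nextInt(9999);
        MessageDigest md = MessageDigest.getInstance("MD5");
        File out = new File(Environment.getExternalStorageDirectory(), "dump.txt");
        prefs.edit().putString("password", pw).apply();
        Log.i("svc", "started");
    }
}
'''

# Keywords that mark a value as sensitive when it appears on the same line as
# a logging or storage call.
SENSITIVE = re.compile(r"imei|sms|password|passwd|otp|card", re.I)

# Rule name -> (API pattern, optional qualifier that must also match the line).
# The API names are standard Android/Java APIs, not identifiers from the page.
RULES = {
    "sensitive-logging": (re.compile(r"\bLog\.[vdiwe]\("), SENSITIVE),
    "external-storage": (re.compile(r"getExternalStorage\w*\(|WRITE_EXTERNAL_STORAGE"), None),
    "insecure-rng": (re.compile(r"\bnew Random\(|\bMath\.random\("), None),
    "weak-hash": (re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"', re.I), None),
    "plaintext-storage": (re.compile(r"\.putString\(|new FileOutputStream\("), SENSITIVE),
}


def scan_source(source: str) -> dict:
    """Return {rule name: [1-based line numbers]} for every rule that fires."""
    hits = defaultdict(list)
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, (api, qualifier) in RULES.items():
            if api.search(line) and (qualifier is None or qualifier.search(line)):
                hits[name].append(lineno)
    return dict(hits)


def report(source: str) -> str:
    """Human-readable listing of each finding with the offending line."""
    lines = source.splitlines()
    out = []
    for name, numbers in sorted(scan_source(source).items()):
        for n in numbers:
            out.append(f"{name:18} line {n}: {lines[n - 1].strip()}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_SOURCE))
```

Note that the plain `Log.i("svc", "started")` line is not reported: the logging and storage rules only fire when a sensitive keyword is on the same line, which keeps the output focused on the behaviour described above rather than on every log call in the app.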

URLs:

Email:

Dynamic Analysis:

When the app is run dynamically on an emulator (an Android VM), it shows the following popup and sends an SMS using “prison.cause.tattoo.SendSms”.

Base64 decoding:

Around 105 entries are being decoded by the app. Some of them are:

Binder:

URLs:

Emails:

Logs:

Conclusion
Many apps on the Google Play Store turn out to be malicious. This has become a problem even though Google LLC is actively improving its efforts to clean out the malicious intent of threat actors.

That’s all for today.

Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.