Anubis Malware Internals

Static and Dynamic Analysis of Pandemi Destek App.

Introduction
Recently, a sample of the Anubis malware arrived at MalwareBazaar and was shared by our friend Arkbird_SOLG. Following the most recent Anubis sample submitted to the bazaar, we decided to reverse it. Thanks to our friend Arkbird_SOLG for the sample!! So, let’s dig in!

Here is the Java code of the Anubis-based malicious app.

Analysis of “Pandemi Destek”

It is a fake app: an Anubis malware copycat of the T.C. Ministry of Health Ankara City Hospital app.

The real T.C. Ministry of Health Ankara City Hospital app.

Static Analysis:~

Hashes:

Hashes of Pandemi Destek 1.0.

Information about the app:

Info of the app.

Certificate Info:

The certificate information shows 2 false signatures.

App Permissions:

In the image we can see the app has access to many permissions that can be abused.

Obfuscation and Anti-VM Code:

Code Analysis:

The app logs sensitive user information that should never be logged. It also has the ability to read and write external storage, and it uses an insecure RNG [Random Number Generator]. Moreover, it uses weak hashes and stores sensitive user information in plaintext.

URLs:

URLs found during static analysis of the app.

Email:

Dynamic Analysis:~

Running the app dynamically on an emulator [Android VM], it pops up with this, sending the SMS using “prison.cause.tattoo.SendSms”.

Screenshot of the app running dynamically in the emulator.

Base64 decoding:

Around 105 entries are being decoded by the app. Some of them are:

Base64 decoding.
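As an added example (not code from the post or from the sample), a small Python helper that pulls Base64-looking string literals out of decompiled Java source and keeps only those that decode to printable text, which is how an analyst can enumerate entries like the ~105 above offline. The source snippet is constructed: the package name prison.cause.tattoo is from the post, the literals are hypothetical.

```python
import base64
import re

# Constructed stand-in for decompiled Java source of the sample.
# The package name comes from the post; the string literals are hypothetical.
SAMPLE_SOURCE = '''
package prison.cause.tattoo;
public class a {
    static String b = "aHR0cDovL2V4YW1wbGUuaW52YWxpZC9nYXRl";
    static String c = "U2VuZFNtcw==";
    static String d = "hello";
    static String e = "QUJDREVGR0g=";
}
'''

# Quoted literals made only of Base64 alphabet characters, at least 8 long,
# with optional padding. Short literals are skipped to cut false positives.
B64_RE = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')


def is_printable(raw: bytes) -> bool:
    """True if the bytes are valid UTF-8 and contain only printable text."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def extract_b64_strings(source: str) -> dict:
    """Map each Base64 literal in `source` to its decoded text.

    Literals that are not valid Base64, or that decode to non-printable
    bytes (random-looking identifiers, binary blobs), are dropped.
    """
    found = {}
    for literal in B64_RE.findall(source):
        if len(literal) % 4:          # Base64 length is always a multiple of 4
            continue
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        if is_printable(raw):
            found[literal] = raw.decode("utf-8")
    return found


if __name__ == "__main__":
    for encoded, decoded in extract_b64_strings(SAMPLE_SOURCE).items():
        print(f"{encoded} -> {decoded!r}")
```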

Binder:

The Binder has two activities in the app.

URLs:

URLs found during dynamic analysis.

Emails:

Logs:

Conclusion
Lots of apps on the Google Play Store are malicious. That is why it has become a problem, even with “Google LLC” actively improving at cleaning out the malicious intent of threat actors.

That’s all for today.

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.
