Anubis
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Mobile | T1532 | Archive Collected Data |
Anubis exfiltrates data encrypted (with RC4) by its ransomware module.[1] |
|
| Mobile | T1429 | Audio Capture | ||
| Mobile | T1616 | Call Control | ||
| Mobile | T1471 | Data Encrypted for Impact |
Anubis can use its ransomware module to encrypt device data and hold it for ransom.[1] |
|
| Mobile | T1533 | Data from Local System |
Anubis can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.[1][2] |
|
| Mobile | T1407 | Download New Code at Runtime | ||
| Mobile | T1629 | .003 | Impair Defenses: Disable or Modify Tools |
Anubis can modify administrator settings and disable Play Protect.[1] |
| Mobile | T1417 | .001 | Input Capture: Keylogging |
Anubis has a keylogger that works in every application installed on the device.[1] |
| .002 | Input Capture: GUI Input Capture |
Anubis can create overlays to capture user credentials for targeted applications.[1] |
||
| Mobile | T1430 | Location Tracking | ||
| Mobile | T1424 | Process Discovery | ||
| Mobile | T1636 | .003 | Protected User Data: Contact List | |
| Mobile | T1513 | Screen Capture | ||
| Mobile | T1582 | SMS Control | ||
| Mobile | T1418 | Software Discovery |
Anubis can collect a list of installed applications to compare to a list of targeted applications.[1] |
|
| Mobile | T1426 | System Information Discovery | ||
| Mobile | T1633 | .001 | Virtualization/Sandbox Evasion: System Checks |
Anubis has used motion sensor data to attempt to determine if it is running in an emulator.[2] |
| Mobile | T1481 | .001 | Web Service: Dead Drop Resolver |
Anubis can retrieve the C2 address from Twitter and Telegram.[1][2] |