{
	"id": "85453377-3fc6-497f-995e-04e087e0429c",
	"created_at": "2026-04-06T00:07:11.891475Z",
	"updated_at": "2026-04-10T13:12:13.103645Z",
	"deleted_at": null,
	"sha1_hash": "cda12c75834e4d997887b3776fccdbbb250a9369",
	"title": "Manually unpacking Anubis APK",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58817,
	"plain_text": "Manually unpacking Anubis APK\r\nPublished: 2018-08-30 · Archived: 2026-04-02 12:06:59 UTC\r\nI’ve been seeing people talk about Anubis lately so I decided to take a look at it; unfortunately this led me to a\r\nwhole bunch of packed APK files. Obviously there are blog posts describing the unpacked files, but all the hashes are\r\nleading me to the packed versions. So what do you do in this situation? Well, you learn how to search, basically;\r\njust like you have to learn how to use your favorite search engine, if you have a VirusTotal account you end up\r\nhaving to figure out how to search for whatever you’re looking for. Take a look at the jadx-gui picture in this\r\nPhishLabs writeup[1]; in this writeup we can see a number of strings, but if we search for the Twitter address on\r\nVirusTotal[2] then we come up with a number of classes.dex files.\r\nSearching for the Twitter address from the aforementioned writeup leads us to a number of dex files in VirusTotal.\r\nWe can then pivot backwards from this file to see where this dex file came from by utilizing the ITW (In The Wild)\r\ntab, which will show that it came from a file bundle.\r\nThis file bundle is just a zipped-up classes.dex file; using the ITW tab again we see it was created during the\r\nexecution of another file.\r\nThis parent file is an APK with similar-looking obfuscation to the other files I had looked at from reading\r\nreports! So these obfuscated APKs are creating these Anubis DEX files, which is actually a common occurrence\r\nwith packed APK files that keep an encoded DEX file on board as a resource.\r\nAnother hint that this is packed comes from taking a look at the manifest inside this APK.\r\nWe can see lots of referenced code in the manifest which doesn’t actually exist in the current decompiled DEX\r\nfile; this is another very big indicator that we’re dealing with an encoded DEX file in this APK. 
So the idea is that\r\ninitial execution in this APK will decode the hidden classes.dex file and replace the current one with that one.\r\nSince the resources have a file called ‘files’ which is just binary data, I assume all my theories up until now are true;\r\nwe could then just execute the APK and catch the decoded classes.dex file like sandboxes do, but that’s not\r\nreally any fun.\r\nSo there are a few possible ways to attack finding the relevant code section that will be responsible for decoding the dex\r\nfile: we can trace execution through the obfuscated code of the current dex file and look for possibilities or\r\ninteresting functions, you can look for where the resource object gets loaded and then trace that, or you can just\r\nblindly look for functions that might appear to be doing something interesting and then backtrack. You’d actually\r\nbe surprised how often number 3 works after you have a few years’ experience with reverse engineering malware.\r\nFor this one however, because of all the garbage code that’s been added, I just literally searched the decompiled\r\ncode for “^ ” and ended up finding an interesting little function that was being called with an array of integers over\r\nand over again, but the int values were changing (obfuscated strings?).\r\nhttps://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html\r\nPage 1 of 4\n\nIf you’ve spent much time reversing encoding and encryption algorithms you might recognize the general flow of\r\nthat code block, but I won’t ruin the surprise for now for the rest of you.\r\nBacktracking we can see this function and others named the same; this is basically an overloaded function, which\r\ncan make tracing execution a little painful as you have to match up which function does what based on which\r\nparameters are passed. 
Of course, since there’s garbage code and obfuscation, that can be easier said than done\r\nsometimes.\r\nSo this function takes an array and then it sets the byte array that it ends up XORing, so what is this\r\n‘OAeAqJYuzXcD’? Searching for it shows that it’s built as a byte array.\r\nThe value being passed in for the length of the array is 256, so this is a byte array of length 256. Searching for this\r\narray some more shows that it’s also used with the same 256 value and filled with data based on a byte array\r\npassed in. So this looks like it’s building an S-box similar to RC4. Looking for how this all gets called shows that\r\nit ends up being called near the top of the ‘com.lpapxwl.bemtobai.SVBkpSlwf’ class.\r\nWe can continue to follow that plus the previously identified function that was XORing the S-box back to a\r\nsection of code near the top of the same code page.\r\nWhat stands out there is that another 256-byte array is being built and then passed in to the ‘dlPiWCFOIB’\r\nfunction and then passed into the overloaded function that builds the S-box like we previously found. Looking up\r\nthe ‘dlPiWCFOIB’ function shows that it is initializing the S-box.\r\nSo could the array of integers at the top of the decoding overview screenshot be the RC4 key then? 
Let’s test it on\r\nthe binary data blob we found in the resources.\r\n\u003e\u003e\u003e from Crypto.Cipher import ARC4  # PyCrypto, needed for the RC4 test below\r\n\u003e\u003e\u003e data = open('files', 'rb').read()  # the ‘files’ resource blob pulled out of the APK (path assumed)\r\n\u003e\u003e\u003e a = \"(byte) 75, (byte) 41, (byte) -22, (byte) 1, (byte) -99, (byte) -118, (byte) 73, (byte) 34, (byte) 71,\r\n\u003e\u003e\u003e a.split('(byte) ')\r\n['', '75, ', '41, ', '-22, ', '1, ', '-99, ', '-118, ', '73, ', '34, ', '71, ', '-89, ', '-26, ', '11, ', '-21,\r\n\u003e\u003e\u003e b = a.split('(byte) ')\r\n\u003e\u003e\u003e b\r\n['', '75, ', '41, ', '-22, ', '1, ', '-99, ', '-118, ', '73, ', '34, ', '71, ', '-89, ', '-26, ', '11, ', '-21,\r\n\u003e\u003e\u003e b = b[1:]\r\n\u003e\u003e\u003e b\r\n['75, ', '41, ', '-22, ', '1, ', '-99, ', '-118, ', '73, ', '34, ', '71, ', '-89, ', '-26, ', '11, ', '-21, ',\r\n\u003e\u003e\u003e b[-1].split(',')\r\n['-95']\r\n\u003e\u003e\u003e map(lambda x: x.split(', '),b)\r\n[['75', ''], ['41', ''], ['-22', ''], ['1', ''], ['-99', ''], ['-118', ''], ['73', ''], ['34', ''], ['71', ''],\r\n\u003e\u003e\u003e map(lambda x: x.split(', ')[0],b)\r\n['75', '41', '-22', '1', '-99', '-118', '73', '34', '71', '-89', '-26', '11', '-21', '24', '-108', '-24', '24',\r\n\u003e\u003e\u003e c = map(lambda x: x.split(', ')[0],b)\r\n\u003e\u003e\u003e c\r\n['75', '41', '-22', '1', '-99', '-118', '73', '34', '71', '-89', '-26', '11', '-21', '24', '-108', '-24', '24',\r\n\u003e\u003e\u003e map(int,c)\r\n[75, 41, -22, 1, -99, -118, 73, 34, 71, -89, -26, 11, -21, 24, -108, -24, 24, 89, 20, 91, -49, 104, -99, -16, 27\r\n\u003e\u003e\u003e d = map(int,c)\r\n\u003e\u003e\u003e map(lambda x: x \u0026 0xff, d)  # Java signed bytes to unsigned values\r\n[75, 41, 234, 1, 157, 138, 73, 34, 71, 167, 230, 11, 235, 24, 148, 232, 24, 89, 20, 91, 207, 104, 157, 240, 27,\r\n\u003e\u003e\u003e e = map(lambda x: x \u0026 0xff, d)\r\n\u003e\u003e\u003e map(chr,e)\r\n['K', ')', '\\xea', '\\x01', '\\x9d', '\\x8a', 'I', '\"', 'G', '\\xa7', '\\xe6', '\\x0b', '\\xeb', '\\x18', '\\x94', 
'\\xe8\r\n\u003e\u003e\u003e ''.join(map(chr,e))\r\n'K)\\xea\\x01\\x9d\\x8aI\"G\\xa7\\xe6\\x0b\\xeb\\x18\\x94\\xe8\\x18Y\\x14[\\xcfh\\x9d\\xf0\\x1bI\u0026\\x85\\xc4\\x0e\\xb9\\xfcf\\xa0%.\\x9b\\x\r\n\u003e\u003e\u003e f = ''.join(map(chr,e))\r\n\u003e\u003e\u003e rc4 = ARC4.new(f)\r\n\u003e\u003e\u003e rc4.decrypt(data)[:500]\r\n'\\x88P\\xe3\"\\x8d\\xfa{A\\x9d\\xe2\\xf3\\xd67\\x80\\x0f(\\xfc\\xf8\\'\\xff\\xe7\\xf9Ul\\xff\\x9b\\x9eQ{\\xa1\\xde\\xad6\\xd1\\xb0Y9\\xf9\r\nWell, that didn’t work, so let’s take a look at the binary data a little closer.\r\n\u003e\u003e\u003e data[:100]\r\n'\\x9a\\xb8\\x01\\x00B\\xa3\\xe1\u0026\\xdbY\\x9agN\\xbb\\xc44vv\\x8ch?\\x12\\x89/\\xd9\\xeb(N\"p\\xbd\\x1fY\\xd1\\x00\\xde\\x0es\\xc3\\xe2D\\\r\n\u003e\u003e\u003e import struct\r\n\u003e\u003e\u003e struct.unpack_from('\u003cI', data)  # first DWORD, little-endian\r\n(112794,)\r\n\u003e\u003e\u003e len(data)\r\n225596\r\nIt’s definitely possible that the first four bytes are a length header, so let’s try decrypting past that.\r\n\u003e\u003e\u003e rc4 = ARC4.new(f)\r\n\u003e\u003e\u003e rc4.decrypt(data[4:])[:500]\r\n'PK\\x03\\x04\\x14\\x00\\x00\\x00\\x08\\x00\\xad\\x85\\x0fMGt\\xb5\\x9c\"\\xb8\\x01\\x00\\xf4\\r\\x04\\x00\\x0b\\x00\\x00\\x00classes.dex\r\nA quick look at the decoded dex file shows lots of interesting data, including our Twitter string from earlier.\r\nLooking around at some of the other code shows a few interesting routines.\r\nSo going off prior research into Anubis we know that the Twitter data is then base64 decoded to a hexlified string,\r\nso let’s find where that Twitter string gets used.\r\nHere we can see the Twitter string being used along with it referencing the tags for pulling out the data; following\r\none of the later function calls, if we're assuming it's first going to base64 decode and unhexlify, leads us to the\r\nfollowing function.\r\nSo could this be the RC4 key then? 
Let’s test with the hexlified string from the PhishLabs report.\r\n\u003e\u003e\u003e import binascii\r\n\u003e\u003e\u003e m = \"3090c08a8f3c3950d98c612399622d02057bce22a5b8b01e4dc3960fa03648c822f3\"\r\n\u003e\u003e\u003e a = binascii.unhexlify(m)\r\n\u003e\u003e\u003e a\r\n'0\\x90\\xc0\\x8a\\x8f\u003c9P\\xd9\\x8ca#\\x99b-\\x02\\x05{\\xce\"\\xa5\\xb8\\xb0\\x1eM\\xc3\\x96\\x0f\\xa06H\\xc8\"\\xf3'\r\n\u003e\u003e\u003e l = ARC4.new('flash1')\r\n\u003e\u003e\u003e w = l.decrypt(a)\r\n\u003e\u003e\u003e w\r\n'hxxps://lukasstefankotiywlepok.com'\r\nIt works! That’s it, hope it helps! For further reading I’ve included a number of references to Android unpacking\r\narticles.\r\nSource: https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html"
	],
	"report_names": [
		"Unpacking-Anubis-APK.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434031,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cda12c75834e4d997887b3776fccdbbb250a9369.pdf",
		"text": "https://archive.orkl.eu/cda12c75834e4d997887b3776fccdbbb250a9369.txt",
		"img": "https://archive.orkl.eu/cda12c75834e4d997887b3776fccdbbb250a9369.jpg"
	}
}