
# Hack The Box Anpu Walk-through

This Sherlock focuses on investigating the effects of installing a malicious APK that the victim was sent via Discord under the guise of ‘Whatsapp Pro’.

We have been given the `/data` folder dump of the victim’s device and we need to timeline events in order to hunt for IOCs.

This is the first time I’m performing Android forensics. I found the following resource quite useful:

[SANS Mobile Forensics Cheatsheet](https://raw.githubusercontent.com/dfircheatsheet/dfircheatsheet.github.io/main/resources/img/Mobile.pdf)

Tools Used:

1. [ALEAPP](https://github.com/abrignoni/ALEAPP)
2. [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)

***

**What is the package name of the malicious APK installed?**

It is the unusually named package in the `/data/data` folder.

**What application is used to deliver the malicious APK to the victim?**

It’s most probably going to be a messaging app, and a few can be spotted in the `/data/data` folder. To pin down the exact one, grep the dump for the malicious package name. A hit in the `usagestats` folder suggested that it’s Discord.


**What is the download URL for the application?**

Now that it is known that the file was shared via Discord, it makes sense to examine Discord’s data. The file `/data/com.discord/files/kv-storage/@account.1260009116026540205/a` is a SQLite DB; its messages table contains the message the victim received, including the URL.

**When did the malicious APK download finish (in UTC)?**

If we grep for the URL that was sent to the user via Discord, it can be seen that the URL appears in Chrome data as well. One of those results is the Chrome History file (`/data/com.android.chrome/app_chrome/Default/History`). This SQLite database holds Chrome’s download records (among other history data); its `downloads` table contains the timestamps.

**When did the malicious APK installation occur?**

For this, my first approach was the `Modify` timestamp from the output of `stat` on the path of the APK in `/data/app/`, but that was incorrect.\
Another possibility was that, as seen in the `packages.xml` file, the Package Installer app was used to install the APK. But, on checking its data folder, no database files were to be found.\
Finally, I learnt that `packages.xml` itself contains timestamps related to package installation, but they are stored as hex-encoded epoch milliseconds. The following command converts one of them to UTC:

```bash
hex="1909fa2050b"; date -u -d @$(echo "$((0x$hex))/1000" | bc)
```

In ALEAPP, the same timestamps can be found in the Packages menu.

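As an added example (not code from the original write-up, ALEAPP or MobSF), the following normalises both timestamp formats met in the Chrome and `packages.xml` steps above to UTC: Chrome’s `downloads` table stores `start_time`/`end_time` as microseconds since 1601-01-01 (WebKit time), while `packages.xml` stores hex epoch milliseconds. The package name, the XML fragment and the WebKit value are constructed; the meanings of the `ft`/`it`/`ut` attributes are assumed from Android’s `packages.xml` layout.

```python
# Added example, not code from the original write-up or from ALEAPP.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Chrome's History DB stores downloads.start_time / end_time as microseconds
# since 1601-01-01 UTC (WebKit time), not as Unix seconds.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FMT = "%Y-%m-%d %H:%M:%S"


def webkit_to_utc(value: int) -> str:
    """Convert a Chrome/WebKit microsecond timestamp to a UTC string."""
    return (WEBKIT_EPOCH + timedelta(microseconds=value)).strftime(FMT)


def hex_millis_to_utc(hex_millis: str) -> str:
    """Convert packages.xml-style hex epoch milliseconds to a UTC string."""
    seconds = int(hex_millis, 16) // 1000  # ignore the millisecond fraction
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime(FMT)


def package_times(packages_xml: str, package_name: str) -> dict:
    """Return the ft/it/ut attributes of one <package> element as UTC strings.
    Attribute meanings are assumed from Android's packages.xml layout:
    ft = APK file time, it = first install time, ut = last update time."""
    root = ET.fromstring(packages_xml)
    for pkg in root.iter("package"):
        if pkg.get("name") == package_name:
            return {k: hex_millis_to_utc(pkg.get(k))
                    for k in ("ft", "it", "ut") if pkg.get(k)}
    raise KeyError(f"{package_name} not found in packages.xml")


# Constructed packages.xml fragment with a placeholder package name; the hex
# value is the one used in the write-up's shell one-liner.
SAMPLE_PACKAGES_XML = """<packages>
  <package name="com.example.placeholder" codePath="/data/app/placeholder"
           ft="1909fa2050b" it="1909fa2050b" ut="1909fa2050b"/>
</packages>"""

# Constructed WebKit value for the same instant (Unix time + 11644473600 s).
SAMPLE_WEBKIT_END_TIME = 13365138713000000

if __name__ == "__main__":
    print(package_times(SAMPLE_PACKAGES_XML, "com.example.placeholder"))
    print(webkit_to_utc(SAMPLE_WEBKIT_END_TIME))
```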

**How many permissions has the malicious application been granted during runtime?**

This can be determined from the `/system/users/0/runtime-permissions.xml` file.


It can be found in the Runtime Permissions section in ALEAPP too.

**How long has the malicious application been idle on the system? (in minutes, ignore fractions)**

Refer to the `elapsedIdleTime` parameter in the app’s section in the `/data/system/users/0/app_idle_stats.xml` file.

**When was the last time the malicious application was active? (in UTC)**

The last time the app sent a notification would be the last time it was active. The `/data/system/notification_log.db` file contains this data, but its raw layout is quite hard to read. ALEAPP can parse this DB.


**The malicious application appears to be spamming notifications, causing the victim to mute them. When was the last notification sent before the victim muted it? (in UTC)**

In the file `/data/system/notification_log.db`, there is a column `muted`: a value of 1 means the notification was muted, 0 means it was not. Filtering the table by the package name and sorting the `when_ms` values in ascending order, the last row with `muted=0` is the last notification sent by the app before it was muted.

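As an added example (not from the original write-up), the two notification questions above, last activity and last notification before the mute, answered with SQL through Python’s `sqlite3` over a constructed in-memory copy of the log. Only the column names `muted` and `when_ms` come from the write-up; the table name `log`, the `package` column, the placeholder package name and every row are assumed or constructed, so confirm the real schema with `.schema` before pointing the queries at the Sherlock’s `notification_log.db`.

```python
# Added example, not code from the original write-up.
import sqlite3
from datetime import datetime, timezone

PKG = "com.example.placeholder"  # stands in for the malicious package name

# Constructed rows: (package, when_ms, muted). when_ms is Unix epoch ms.
SAMPLE_ROWS = [
    (PKG, 1720699200000, 0),
    (PKG, 1720699260000, 0),
    (PKG, 1720699320000, 0),          # last notification before the mute
    (PKG, 1720699380000, 1),
    (PKG, 1720699440000, 1),          # latest activity overall
    ("com.discord", 1720699500000, 0),  # another app; must not leak into results
]


def load_sample_db() -> sqlite3.Connection:
    """Build the constructed log table; table/column names are assumed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE log (package TEXT, when_ms INTEGER, muted INTEGER)")
    con.executemany("INSERT INTO log VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def ms_to_utc(ms: int) -> str:
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def last_active(con: sqlite3.Connection, pkg: str) -> str:
    """Most recent notification of any kind = last time the app was active."""
    (ms,) = con.execute("SELECT MAX(when_ms) FROM log WHERE package = ?", (pkg,)).fetchone()
    return ms_to_utc(ms)


def last_before_mute(con: sqlite3.Connection, pkg: str) -> str:
    """Latest row with muted = 0: the last notification before the victim muted it."""
    (ms,) = con.execute(
        "SELECT MAX(when_ms) FROM log WHERE package = ? AND muted = 0", (pkg,)
    ).fetchone()
    return ms_to_utc(ms)


if __name__ == "__main__":
    db = load_sample_db()
    print("last active:      ", last_active(db, PKG))
    print("last before mute: ", last_before_mute(db, PKG))
```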

**What is the configuration file that the malicious application created to store some data about its functionality?**

It is the file in the `shared_prefs` folder of the package.

**Within this file, there is an encrypted value associated with a field called “urlInj”. Analyze the application’s source code and identify the URL that corresponds to this encrypted string.**

After extracting the APK file from the `/data/app` folder, it can be analysed with MobSF. Downloading the Java source code from there and searching it for the string `urlInj` reveals the cleartext URL.


I also ran this file through VirusTotal, as it’s always a good idea to find references for better analysis. It revealed that this malware belongs to the *Anubis* family.\
Since the code is highly obfuscated, [this blog](https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/) was quite helpful in understanding the capabilities of this malware type.

**According to the victim, the malicious application tried to load a web page when the notification was clicked. What is the name of the class that is responsible for this activity?**

I came to learn that notifications often contain a `PendingIntent` that launches an Activity. The likely setup is that the class is declared as an `<intent-filter>` target in the manifest file, so tapping the notification launches that class.\
While looking through the manifest file, one activity stands out as suspicious because of the mention of *falcon*, which is also part of the extension of the encrypted files created by the malware (more on this later). It handles links of the form `falconrender://`, which are likely launched when its notification is tapped.


**The malicious application creates a local socket that allows the threat actor to connect to the application and exchange data. What is the port number of this socket?**

_(Screenshot of the decompiled source showing the socket port, not reproduced.)_

**The malicious application appears to have file encryption capabilities. What is the file extension that results from the encryption process?**

_(Screenshot of the decompiled source showing the encryption file extension, not reproduced.)_

**The malicious application requests permission to read contacts, indicating a high probability of contact theft. What is the endpoint that the malicious application is sending the contact data to?**

The endpoint is stored in the decompiled source as a base64-encoded string; decoding it gives the URL.

_(Screenshot of the decompiled source showing the base64 string, not reproduced.)_

**When was this APK first seen in the wild? (in UTC)**

Uploading the APK to [VirusTotal](https://www.virustotal.com/gui/file/d0e684dedd320a8b1838dab6c94e97384058fb18b831ceb3f479aea849d83811/details) will provide this detail.

***

That’s all! This Sherlock was a great way to understand how mobile malware operates. It also gave me a better understanding of the Android file system and how it works.

*Originally published on Aug 16, 2025*
