Analysis Overview
score
10/10
SHA256
6a770d4c5ba6ec625850de3ba3bd6310d86c229b6bccb50b09a54d3ec038cc1a
Threat Level: Known bad
The file 6a770d4c5ba6ec625850de3ba3bd6310d86c229b6bccb50b09a54d3ec038cc1a was found to be: Known bad.
Malicious Activity Summary
Ginp
Makes use of the framework's Accessibility service.
Loads dropped Dex/Jar
Requests dangerous framework permissions
MITRE ATT&CK Matrix
N/A
Analysis: static1
Detonation Overview
Reported
2022-01-10 13:52
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-10 13:52
Reported
2022-01-10 13:59
Platform
android-x64-arm64
Max time kernel
1145681s
Max time network
80s
Command Line
someone.audit.crawl
Signatures
Ginp
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json | N/A | N/A |
| N/A | /data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json | N/A | N/A |
Processes
someone.audit.crawl
Network
| Country | Destination | Domain | Proto |
| US | 172.217.168.206:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:853 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| US | 142.251.36.42:443 | udp | |
| NL | 142.250.179.138:443 | tcp | |
| NL | 142.250.179.136:443 | tcp | |
| US | 142.251.36.42:443 | udp | |
| US | 142.251.39.110:443 | udp | |
| NL | 142.250.179.131:443 | tcp | |
| NL | 142.250.179.166:80 | ad.doubleclick.net | tcp |
| US | 142.251.36.36:443 | udp | |
| NL | 142.250.179.200:443 | tcp | |
| US | 142.251.36.42:443 | tcp | |
| US | 142.251.36.42:443 | udp | |
| HK | 8.210.171.34:80 | insideluck.cc | tcp |
| NL | 142.250.179.131:443 | udp | |
| HK | 8.210.171.34:80 | insideluck.cc | tcp |
| HK | 8.210.171.34:80 | insideluck.cc | tcp |
| HK | 8.210.171.34:80 | insideluck.cc | tcp |
| HK | 8.210.171.34:80 | insideluck.cc | tcp |
| HK | 8.210.171.34:80 | insideluck.cc | tcp |
| HK | 8.210.171.34:80 | insideluck.cc | tcp |
| NL | 142.250.179.174:443 | tcp | |
| US | 142.251.39.99:443 | tcp | |
| US | 142.251.39.99:443 | tcp | |
| US | 142.251.39.99:443 | tcp | |
| HK | 8.210.171.34:80 | insideluck.cc | tcp |
| HK | 8.210.171.34:80 | insideluck.cc | tcp |
| HK | 8.210.171.34:80 | tcp |
Files
/data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json
| MD5 | 0bb2f793db509eeb9b64b2e7dbadb3b0 |
| SHA1 | b0a08381dbec074b669e8a13990be9450f0c8c9f |
| SHA256 | 2777d7506b8afdf6dfea88a03dcc35e8b046eb8d0a6b796b2b02b1a321de3a00 |
| SHA512 | 472369787b7257937120682168624b2c094733572d02392ca7fbb9954afe00035a3b69e7848d501476d7e76513699f4493392422b74b5e2553535c2bab1acfbf |
/data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json
| MD5 | 0bb2f793db509eeb9b64b2e7dbadb3b0 |
| SHA1 | b0a08381dbec074b669e8a13990be9450f0c8c9f |
| SHA256 | 2777d7506b8afdf6dfea88a03dcc35e8b046eb8d0a6b796b2b02b1a321de3a00 |
| SHA512 | 472369787b7257937120682168624b2c094733572d02392ca7fbb9954afe00035a3b69e7848d501476d7e76513699f4493392422b74b5e2553535c2bab1acfbf |