Malware Analysis Report

2024-09-09 13:27

Sample ID 220110-q6w2xsefbq
Target 6a770d4c5ba6ec625850de3ba3bd6310d86c229b6bccb50b09a54d3ec038cc1a
SHA256 6a770d4c5ba6ec625850de3ba3bd6310d86c229b6bccb50b09a54d3ec038cc1a
Tags
ginp banker infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6a770d4c5ba6ec625850de3ba3bd6310d86c229b6bccb50b09a54d3ec038cc1a

Threat Level: Known bad

The file 6a770d4c5ba6ec625850de3ba3bd6310d86c229b6bccb50b09a54d3ec038cc1a was found to be: Known bad.

Malicious Activity Summary

ginp banker infostealer trojan

Ginp

Makes use of the framework's Accessibility service.

Loads dropped Dex/Jar

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2022-01-10 13:52

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-10 13:52

Reported

2022-01-10 13:59

Platform

android-x64-arm64

Max time kernel

1145681s

Max time network

80s

Command Line

someone.audit.crawl

Signatures

Ginp

banker trojan infostealer ginp

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json | N/A | N/A

Processes

someone.audit.crawl

Network

Country | Destination | Domain | Proto
US | 172.217.168.206:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
US | 142.251.36.42:443 | | udp
NL | 142.250.179.138:443 | | tcp
NL | 142.250.179.136:443 | | tcp
US | 142.251.36.42:443 | | udp
US | 142.251.39.110:443 | | udp
NL | 142.250.179.131:443 | | tcp
NL | 142.250.179.166:80 | ad.doubleclick.net | tcp
US | 142.251.36.36:443 | | udp
NL | 142.250.179.200:443 | | tcp
US | 142.251.36.42:443 | | tcp
US | 142.251.36.42:443 | | udp
HK | 8.210.171.34:80 | insideluck.cc | tcp
NL | 142.250.179.131:443 | | udp
HK | 8.210.171.34:80 | insideluck.cc | tcp
HK | 8.210.171.34:80 | insideluck.cc | tcp
HK | 8.210.171.34:80 | insideluck.cc | tcp
HK | 8.210.171.34:80 | insideluck.cc | tcp
HK | 8.210.171.34:80 | insideluck.cc | tcp
HK | 8.210.171.34:80 | insideluck.cc | tcp
NL | 142.250.179.174:443 | | tcp
US | 142.251.39.99:443 | | tcp
US | 142.251.39.99:443 | | tcp
US | 142.251.39.99:443 | | tcp
HK | 8.210.171.34:80 | insideluck.cc | tcp
HK | 8.210.171.34:80 | insideluck.cc | tcp
HK | 8.210.171.34:80 | | tcp

Files

/data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json

MD5 0bb2f793db509eeb9b64b2e7dbadb3b0
SHA1 b0a08381dbec074b669e8a13990be9450f0c8c9f
SHA256 2777d7506b8afdf6dfea88a03dcc35e8b046eb8d0a6b796b2b02b1a321de3a00
SHA512 472369787b7257937120682168624b2c094733572d02392ca7fbb9954afe00035a3b69e7848d501476d7e76513699f4493392422b74b5e2553535c2bab1acfbf