Resubmissions

15-05-2023 13:16

230515-qh2mhadh4y 10

15-05-2023 13:09

230515-qd7b7afe46 10

22-12-2022 10:46

221222-mt6h2she4s 8

10-01-2022 13:52

220110-q6w2xsefbq 10

Analysis

  • max time kernel
    529582s
  • max time network
    150s
  • platform
    android_x64
  • resource
    android-x64-arm64-20220823-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
  • submitted
    15-05-2023 13:16

General

  • Target

    6a770d4c5ba6ec625850de3ba3bd6310d86c229b6bccb50b09a54d3ec038cc1a.apk

  • Size

    3.3MB

  • MD5

    8ca486570b19cc54f9c32a8e76470512

  • SHA1

    4396a2c67dae81a4c8d9dd6b790a832e1b8828ec

  • SHA256

    6a770d4c5ba6ec625850de3ba3bd6310d86c229b6bccb50b09a54d3ec038cc1a

  • SHA512

    6c60e5e8f9850dfa5fac9dfd04768665aca7835a04a4a85f94e2557df952f3a044a1dede341bbbdb4d94894e74b5cd39486e81f3104f99794f7640502bf8634b

  • SSDEEP

    49152:wrUHKdXkwog2tPajlu95sb9z1p/MUL+geWaOiNGyahG/5rovr/OIZKDLzFGih/P:Gp6spVz1p/FL+caNGyahGkr/ncDLzlP

Malware Config

Extracted

Family

ginp

Version

2.8e

Botnet

mp6

C2

http://closedcloset.top/

http://insideluck.cc/

Attributes
  • uri

    api202

Extracted

Family

ginp

C2

http://closedcloset.top/api202/

http://insideluck.cc/api202/

Signatures

  • Ginp

    Ginp is an android banking trojan first seen in mid 2019.

  • Makes use of the framework's Accessibility service. 3 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

Processes

  • someone.audit.crawl
    1⤵
    • Makes use of the framework's Accessibility service.
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4291

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json

    Filesize

    246KB

    MD5

    6c28bd2b1d1983c4d560cc6c72a26e1c

    SHA1

    eb212ea0794609c98812ff8bd5fec0a094c6ecf6

    SHA256

    013e1afe493332baa48d16230678463f60c603b1e6b808b371b20d1bfbf27435

    SHA512

    c252ebc9c33fa377fcb8955c420dbdffd693110303f560e4b5b2896ad6712dac9ff619e456985f2ed973a9ed8fb0d339bf80e8d17120f0e74842553a87bfa164

  • /data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json

    Filesize

    246KB

    MD5

    0bb2f793db509eeb9b64b2e7dbadb3b0

    SHA1

    b0a08381dbec074b669e8a13990be9450f0c8c9f

    SHA256

    2777d7506b8afdf6dfea88a03dcc35e8b046eb8d0a6b796b2b02b1a321de3a00

    SHA512

    472369787b7257937120682168624b2c094733572d02392ca7fbb9954afe00035a3b69e7848d501476d7e76513699f4493392422b74b5e2553535c2bab1acfbf

  • /data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json

    Filesize

    246KB

    MD5

    0bb2f793db509eeb9b64b2e7dbadb3b0

    SHA1

    b0a08381dbec074b669e8a13990be9450f0c8c9f

    SHA256

    2777d7506b8afdf6dfea88a03dcc35e8b046eb8d0a6b796b2b02b1a321de3a00

    SHA512

    472369787b7257937120682168624b2c094733572d02392ca7fbb9954afe00035a3b69e7848d501476d7e76513699f4493392422b74b5e2553535c2bab1acfbf