ginp | 6a770d4c5ba6ec625850de3ba3bd6310d86c229b6bccb50b09a54d3ec038cc1a

Resubmissions

15-05-2023 13:16

230515-qh2mhadh4y 10

15-05-2023 13:09

230515-qd7b7afe46 10

22-12-2022 10:46

221222-mt6h2she4s 8

10-01-2022 13:52

220110-q6w2xsefbq 10

Analysis

max time kernel
529582s
max time network
150s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
15-05-2023 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a770d4c5ba6ec625850de3ba3bd6310d86c229b6bccb50b09a54d3ec038cc1a.apk
Size

3.3MB
MD5

8ca486570b19cc54f9c32a8e76470512
SHA1

4396a2c67dae81a4c8d9dd6b790a832e1b8828ec
SHA256

6a770d4c5ba6ec625850de3ba3bd6310d86c229b6bccb50b09a54d3ec038cc1a
SHA512

6c60e5e8f9850dfa5fac9dfd04768665aca7835a04a4a85f94e2557df952f3a044a1dede341bbbdb4d94894e74b5cd39486e81f3104f99794f7640502bf8634b
SSDEEP

49152:wrUHKdXkwog2tPajlu95sb9z1p/MUL+geWaOiNGyahG/5rovr/OIZKDLzFGih/P:Gp6spVz1p/FL+caNGyahGkr/ncDLzlP

Score

10^/10

ginp mp6 banker evasion infostealer trojan

Malware Config

Extracted

Family

ginp

Version

2.8e

Botnet

mp6

http://closedcloset.top/

http://insideluck.cc/

Attributes

uri
api202

Extracted

Family

ginp

http://closedcloset.top/api202/

http://insideluck.cc/api202/

Signatures

Ginp
Ginp is an android banking trojan first seen in mid 2019.
banker trojan infostealer ginp

Makes use of the framework's Accessibility service. 3 IoCs

Processes:

someone.audit.crawl

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	someone.audit.crawl
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	someone.audit.crawl
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	someone.audit.crawl

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

someone.audit.crawl

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications someone.audit.crawl
Acquires the wake lock. 1 IoCs

Processes:

someone.audit.crawl

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock someone.audit.crawl

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	someone.audit.crawl

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	someone.audit.crawl

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

someone.audit.crawl

ioc	pid	process
/data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json	4291	someone.audit.crawl
/data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json	4291	someone.audit.crawl

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

someone.audit.crawl

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS someone.audit.crawl

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	someone.audit.crawl

someone.audit.crawl
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4291

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json

Filesize
246KB

MD5
6c28bd2b1d1983c4d560cc6c72a26e1c

SHA1
eb212ea0794609c98812ff8bd5fec0a094c6ecf6

SHA256
013e1afe493332baa48d16230678463f60c603b1e6b808b371b20d1bfbf27435

SHA512
c252ebc9c33fa377fcb8955c420dbdffd693110303f560e4b5b2896ad6712dac9ff619e456985f2ed973a9ed8fb0d339bf80e8d17120f0e74842553a87bfa164

Download Submit
/data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json

Filesize
246KB

MD5
0bb2f793db509eeb9b64b2e7dbadb3b0

SHA1
b0a08381dbec074b669e8a13990be9450f0c8c9f

SHA256
2777d7506b8afdf6dfea88a03dcc35e8b046eb8d0a6b796b2b02b1a321de3a00

SHA512
472369787b7257937120682168624b2c094733572d02392ca7fbb9954afe00035a3b69e7848d501476d7e76513699f4493392422b74b5e2553535c2bab1acfbf

Download Submit
/data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json

Filesize
246KB

MD5
0bb2f793db509eeb9b64b2e7dbadb3b0

SHA1
b0a08381dbec074b669e8a13990be9450f0c8c9f

SHA256
2777d7506b8afdf6dfea88a03dcc35e8b046eb8d0a6b796b2b02b1a321de3a00

SHA512
472369787b7257937120682168624b2c094733572d02392ca7fbb9954afe00035a3b69e7848d501476d7e76513699f4493392422b74b5e2553535c2bab1acfbf

Download Submit
/data/user/0/someone.audit.crawl/app_DynamicOptDex/oat/cZf.json.cur.prof

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit