Resubmissions
15-05-2023 13:16
230515-qh2mhadh4y 1015-05-2023 13:09
230515-qd7b7afe46 1022-12-2022 10:46
221222-mt6h2she4s 810-01-2022 13:52
220110-q6w2xsefbq 10Analysis
-
max time kernel
529582s -
max time network
150s -
platform
android_x64 -
resource
android-x64-arm64-20220823-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system -
submitted
15-05-2023 13:16
Static task
static1
Behavioral task
behavioral1
Sample
6a770d4c5ba6ec625850de3ba3bd6310d86c229b6bccb50b09a54d3ec038cc1a.apk
Resource
android-x64-20220823-en
Behavioral task
behavioral2
Sample
6a770d4c5ba6ec625850de3ba3bd6310d86c229b6bccb50b09a54d3ec038cc1a.apk
Resource
android-x64-arm64-20220823-en
General
-
Target
6a770d4c5ba6ec625850de3ba3bd6310d86c229b6bccb50b09a54d3ec038cc1a.apk
-
Size
3.3MB
-
MD5
8ca486570b19cc54f9c32a8e76470512
-
SHA1
4396a2c67dae81a4c8d9dd6b790a832e1b8828ec
-
SHA256
6a770d4c5ba6ec625850de3ba3bd6310d86c229b6bccb50b09a54d3ec038cc1a
-
SHA512
6c60e5e8f9850dfa5fac9dfd04768665aca7835a04a4a85f94e2557df952f3a044a1dede341bbbdb4d94894e74b5cd39486e81f3104f99794f7640502bf8634b
-
SSDEEP
49152:wrUHKdXkwog2tPajlu95sb9z1p/MUL+geWaOiNGyahG/5rovr/OIZKDLzFGih/P:Gp6spVz1p/FL+caNGyahGkr/ncDLzlP
Malware Config
Extracted
ginp
2.8e
mp6
http://closedcloset.top/
http://insideluck.cc/
-
uri
api202
Extracted
ginp
http://closedcloset.top/api202/
http://insideluck.cc/api202/
Signatures
-
Ginp
Ginp is an android banking trojan first seen in mid 2019.
-
Makes use of the framework's Accessibility service. 3 IoCs
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId someone.audit.crawl Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText someone.audit.crawl Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId someone.audit.crawl -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
description ioc Process Framework service call android.content.pm.IPackageManager.getInstalledApplications someone.audit.crawl -
Acquires the wake lock. 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock someone.audit.crawl -
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json 4291 someone.audit.crawl /data/user/0/someone.audit.crawl/app_DynamicOptDex/cZf.json 4291 someone.audit.crawl -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS someone.audit.crawl
Processes
-
someone.audit.crawl1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4291
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
246KB
MD56c28bd2b1d1983c4d560cc6c72a26e1c
SHA1eb212ea0794609c98812ff8bd5fec0a094c6ecf6
SHA256013e1afe493332baa48d16230678463f60c603b1e6b808b371b20d1bfbf27435
SHA512c252ebc9c33fa377fcb8955c420dbdffd693110303f560e4b5b2896ad6712dac9ff619e456985f2ed973a9ed8fb0d339bf80e8d17120f0e74842553a87bfa164
-
Filesize
246KB
MD50bb2f793db509eeb9b64b2e7dbadb3b0
SHA1b0a08381dbec074b669e8a13990be9450f0c8c9f
SHA2562777d7506b8afdf6dfea88a03dcc35e8b046eb8d0a6b796b2b02b1a321de3a00
SHA512472369787b7257937120682168624b2c094733572d02392ca7fbb9954afe00035a3b69e7848d501476d7e76513699f4493392422b74b5e2553535c2bab1acfbf
-
Filesize
246KB
MD50bb2f793db509eeb9b64b2e7dbadb3b0
SHA1b0a08381dbec074b669e8a13990be9450f0c8c9f
SHA2562777d7506b8afdf6dfea88a03dcc35e8b046eb8d0a6b796b2b02b1a321de3a00
SHA512472369787b7257937120682168624b2c094733572d02392ca7fbb9954afe00035a3b69e7848d501476d7e76513699f4493392422b74b5e2553535c2bab1acfbf