ginp | 7970f77d8abcfbbc16157d92e25b72a0924af067afec4b41be8d64df9d94bbd3

Resubmissions

15-05-2023 13:26

230515-qpg7fadh7y 10

16-04-2021 13:12

210416-zkqwzxaw7j 10

Analysis

max time kernel
530144s
max time network
149s
platform
android_x86
resource
android-x86-arm-20220823-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
submitted
15-05-2023 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7970f77d8abcfbbc16157d92e25b72a0924af067afec4b41be8d64df9d94bbd3.apk
Size

2.4MB
MD5

1f0e4bab258a2d3f5bc1148c7e90558f
SHA1

906b985c2826b0a9f8a7617a7c5305a0a9c7e742
SHA256

7970f77d8abcfbbc16157d92e25b72a0924af067afec4b41be8d64df9d94bbd3
SHA512

9ce0b61ef0cd95ab29a11ebe12676ba2fb02dfff3acf929ff2930f94b5ba260cd383739ef7e45a94c41d45c1fd3d3e235f3182e3fafbe2fc525caf6712c63123
SSDEEP

49152:2BQO2V821lTHU/jkkfLKKW2CL9WPn+PMlhgQA0sp33wYzTG:NZaaTHmjk0LKKW9L9W2AhgxHp33wYzTG

Score

10^/10

ginp mp51 banker evasion infostealer trojan

Malware Config

Extracted

Family

ginp

Version

2.8d

Botnet

mp51

http://kingsallivan.top/

http://silverball.cc/

Attributes

uri
api201

Extracted

Family

ginp

http://kingsallivan.top/api201/

http://silverball.cc/api201/

Signatures

Ginp
Ginp is an android banking trojan first seen in mid 2019.
banker trojan infostealer ginp

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	dove.stamp.car
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	dove.stamp.car
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	dove.stamp.car

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	dove.stamp.car

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	dove.stamp.car

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/dove.stamp.car/app_DynamicOptDex/dFeJS.json	4042	dove.stamp.car
/data/user/0/dove.stamp.car/app_DynamicOptDex/dFeJS.json	4069	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/dove.stamp.car/app_DynamicOptDex/dFeJS.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/dove.stamp.car/app_DynamicOptDex/oat/x86/dFeJS.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/dove.stamp.car/app_DynamicOptDex/dFeJS.json	4042	dove.stamp.car

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	dove.stamp.car

dove.stamp.car
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:4042
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/dove.stamp.car/app_DynamicOptDex/dFeJS.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/dove.stamp.car/app_DynamicOptDex/oat/x86/dFeJS.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4069

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/dove.stamp.car/app_DynamicOptDex/dFeJS.json

Filesize
452KB

MD5
fe241a1ec5210ac6c9e30132a332abdf

SHA1
fb580f40dd554eb76ed54597142212450f71603f

SHA256
0578313a15f52a3f68cf5c19cac9515cc38523eb70aa3f063549ca34f2741fc3

SHA512
88593bf4ba703dcbbd070aefc973bfc3106ca92c508ff9a5e2a9459341fee7c4e72d568db4a5ec85386acfe4e84ccbd4e578448ff277f841430fbb0bff410b0d

Download Submit
/data/user/0/dove.stamp.car/app_DynamicOptDex/dFeJS.json

Filesize
452KB

MD5
05688cbaafa85a19456ffa0a55489320

SHA1
47dc98e32fe01c9c4355bc49dd5ff3387c1baf31

SHA256
4d37221e4697d4b22acb0a48aa73617993a3113dd439c358dc67f05a21010745

SHA512
97ac4110f97eedc1ea9f9c9b51d916982e578fa2e7efeb83fd857915ee81bee0251c2d90ea1c00fe5bfd94fbe0c3bdfb797a2668ed48a6dc0bff173a77c05ccd

Download Submit
/data/user/0/dove.stamp.car/app_DynamicOptDex/dFeJS.json

Filesize
452KB

MD5
90a2ddd9d7c7fdf0ed0d10f1b16b2302

SHA1
6ebeab9734b8d59fa439779642b5a1aee9f1aea5

SHA256
ea8aa9b49f317c0994cdc2e85c1e0b7cc70d27c9bc8deb0cceadd6c739cced91

SHA512
d2293519948bf7f2e629eba8dce246e5b15894fbbff0d0a5b8772d47723e7d58f68ac00b85c81ceb216999e3cef720bb98a1ddfcbffd24e0bd3f8d74f87a0d5c

Download Submit
/data/user/0/dove.stamp.car/app_DynamicOptDex/dFeJS.json

Filesize
452KB

MD5
05688cbaafa85a19456ffa0a55489320

SHA1
47dc98e32fe01c9c4355bc49dd5ff3387c1baf31

SHA256
4d37221e4697d4b22acb0a48aa73617993a3113dd439c358dc67f05a21010745

SHA512
97ac4110f97eedc1ea9f9c9b51d916982e578fa2e7efeb83fd857915ee81bee0251c2d90ea1c00fe5bfd94fbe0c3bdfb797a2668ed48a6dc0bff173a77c05ccd

Download Submit
/data/user/0/dove.stamp.car/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/dove.stamp.car/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
1b9f14a8f3e69c31230c03c81729d7a2

SHA1
072f4e9def15939e2defdd39dd128c5c8eb17907

SHA256
5a06da91b4796c979bf15dc4f2e58a626d36a9c307de96f2d9f8a68149c54bf4

SHA512
f7716f59ef3a3e5cb1fc6545a80ce984f932ddb41eab6adddcfdc930a91d58a159e2eab210b9b127ce8e0b18a7d634a1250efb44536089163dc240d78043148b

Download Submit
/data/user/0/dove.stamp.car/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
8b6957b810b74e3f59e4e257b2a51d21

SHA1
d60d14e1dea10811c442e2b269e83464378ab1a5

SHA256
6bcd1f1e92094b3720ca38102c2eaf7a95fcdb1ec18672bc244560be6025bfbd

SHA512
bbc1b9bfb0e2b98ef30f9b5c213366814446b28385a7aa0f67dc88ea029b52e55cab95b35bbfbad17cb730eea55f7082e5d1da2f06173581ce9cc958c301a414

Download Submit
/data/user/0/dove.stamp.car/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/dove.stamp.car/app_webview/Web Data-journal

Filesize
1KB

MD5
805e038a9069b277187ef27468b266f2

SHA1
8d4c899122577b40fe95fc7234a5d9f381736723

SHA256
8b5c3b8ad38e406e64d41040ef19028d7cdc05366708739d626423b05c80105b

SHA512
fbcb97e5c9a0a133daeb8b92d0b585c0c431317cc019e731ff9230466329f99b13ad52e878bed55f746c6d4c14f672114519131b4356bcf4b112fec8e0e14817

Download Submit
/data/user/0/dove.stamp.car/app_webview/metrics_guid

Filesize
36B

MD5
df7d538a1e3b1b978edd3f66b0723f71

SHA1
669fb404ca3f3904572c849415f4e2a139a024a0

SHA256
c33aa0a3d1f44801df4b07a68f3e471336d40b947eb209d50cf6fe2bcfee1154

SHA512
88dadc62da3b92a77fe835eb68590d5bdb17c341035b2d48fd8e764afe2962c4c67cf9c643870ab0b758d036d7011788e53826bddc8e3166d0e3acf88f4774cb

Download Submit
/data/user/0/dove.stamp.car/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads