ginp | f1625cee7ce79d2ee091fddf945521c71d2dd911af433ca428599fcd83fbf040

Analysis

max time kernel
4214960s
max time network
170s
platform
android_x64
resource
android-x64-arm64-20230621-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230621-enlocale:en-usos:android-11-x64system
submitted
15-08-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1625cee7ce79d2ee091fddf945521c71d2dd911af433ca428599fcd83fbf040.apk
Size

2.2MB
MD5

eeac92bd85ce492fbd37f7c3e2f02631
SHA1

d762a88b8c5efa5652fe7c258d4dec44bdd8a03c
SHA256

f1625cee7ce79d2ee091fddf945521c71d2dd911af433ca428599fcd83fbf040
SHA512

d855e104536f4b41b71c36913198b3dcf10bd9eac3649784bb604333cd097ff471348a41f6f12a0a8c9d7eb005c33ccabfa1472e9de144b75731cfdeb4b96ab8
SSDEEP

49152:b7GeiwVInbeuao9Off4/DuGPJ3ZfMu6SxO+zqlPAhu:b7Ti2uaf4/DueZku6EZDo

Score

10^/10

ginp mp31 banker evasion infostealer trojan

Malware Config

Extracted

Family

ginp

Version

2.8d

Botnet

mp31

http://pottershat.top/

http://dopestteam.cc/

Attributes

uri
api201

Extracted

Family

ginp

http://pottershat.top/api201/

http://dopestteam.cc/api201/

Signatures

Ginp
Ginp is an android banking trojan first seen in mid 2019.
banker trojan infostealer ginp

Makes use of the framework's Accessibility service. 3 IoCs

Processes:

toast.rebel.dove

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	toast.rebel.dove
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	toast.rebel.dove
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	toast.rebel.dove

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

toast.rebel.dove

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications toast.rebel.dove
Acquires the wake lock. 1 IoCs

Processes:

toast.rebel.dove

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock toast.rebel.dove

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	toast.rebel.dove

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	toast.rebel.dove

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

toast.rebel.dove

ioc	pid	process
/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json	4338	toast.rebel.dove
/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json	4338	toast.rebel.dove

Requests enabling of the accessibility settings. 1 IoCs

Processes:

toast.rebel.dove

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS toast.rebel.dove
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

toast.rebel.dove

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS toast.rebel.dove

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	toast.rebel.dove

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	toast.rebel.dove

toast.rebel.dove
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4338

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json

Filesize
380KB

MD5
8a5a18bb9dea5eb83ff1746c0a0c343d

SHA1
ec005efa785a2f7953492b22b5be5ca37eb961f1

SHA256
baa990b3acebeb944f9b74a944897797118cedeb3b67b040f91ad781999e5311

SHA512
83255d9f4332a67c335c6873095e7fd01ec0da080b791f414e10bf52fcc06a0999c582deb0cf1f4c4f3e3039639f4c89fd4392dd5f4b601f593d44ac74826a97

Download Submit
/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json

Filesize
380KB

MD5
2ee3515fa3f34fd24a2b6a11578626b6

SHA1
4b4debd0ab2df85c4c28261818cb5a7c9a85c762

SHA256
607491fcbd43ea5bd9b2a0ed43bb468a9f2dfd50fb01ed2b1d1c75d474f1425e

SHA512
5d2b4b623adb6796afd3f19c71b0e650a1e22d2f3c7ce1b56801464f350271aba7fe75fe7a425d1279943f82fa400801f5bf97a122cbd629dbd0f2a78466e838

Download Submit
/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json

Filesize
380KB

MD5
2ee3515fa3f34fd24a2b6a11578626b6

SHA1
4b4debd0ab2df85c4c28261818cb5a7c9a85c762

SHA256
607491fcbd43ea5bd9b2a0ed43bb468a9f2dfd50fb01ed2b1d1c75d474f1425e

SHA512
5d2b4b623adb6796afd3f19c71b0e650a1e22d2f3c7ce1b56801464f350271aba7fe75fe7a425d1279943f82fa400801f5bf97a122cbd629dbd0f2a78466e838

Download Submit
/data/user/0/toast.rebel.dove/app_DynamicOptDex/oat/XB.json.cur.prof

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit