Malware Analysis Report

2024-09-09 13:30

Sample ID 231218-lpghpahhar
Target AndroidMalware_MediaPlayer.apk
SHA256 421629ea13d233bbc36a8900995ab488c3d0cbaba82db9468a524e31074b1858
Tags
ginp mp19 banker infostealer stealth trojan evasion
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

421629ea13d233bbc36a8900995ab488c3d0cbaba82db9468a524e31074b1858

Threat Level: Known bad

The file AndroidMalware_MediaPlayer.apk was found to be: Known bad.

Malicious Activity Summary

ginp mp19 banker infostealer stealth trojan evasion

Ginp

Makes use of the framework's Accessibility service (looks up on-screen nodes by view ID, text and accessibility ID, which is the primitive a banker needs to read and drive other apps' UI)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Loads dropped Dex/Jar (the payload is written to app_DynamicOptDex/TLMd.json; the .json extension is cosmetic, the runtime hands the file to dex2oat as a DEX, and the same path is recorded with more than one hash within a single run, so the dropper rewrites it)

Requests enabling of the accessibility settings.

Acquires the wake lock

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-18 09:42

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Declared on an AccessibilityService so that only the system can bind to it; its presence means the app ships an accessibility service, which can read and act on other apps' UI. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Declared on a NotificationListenerService so that only the system can bind to it; its presence means the app ships a listener that can read and dismiss other apps' notifications. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
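The permission set above is the classic Android banker profile: an accessibility service plus SMS read/receive (OTP interception) plus a notification listener. The following is an added example, not part of this report or the sandbox vendor's tooling, that extracts those declarations from a manifest decoded to text (what apktool or apkanalyzer give you) and applies capability-cluster rules to them. The manifest it parses is constructed by hand to carry exactly the permissions listed above; the service names `.AccService` and `.NotifService`, the rule names and the verdict labels are assumptions, not anything recovered from the sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Constructed manifest, written by hand to carry exactly the permissions and service
# bind-permissions the static1 analysis lists; it is not the sample's real manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="main.trash.enough">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="MediaPlayer">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

# Capability clusters (analyst-defined): a rule fires when every listed permission is present,
# whether it was requested via <uses-permission> or set as a service's bind permission.
RULES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "accessibility_control": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "notification_access": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
}


def extract_manifest_capabilities(xml_text):
    """Pull requested permissions and per-service bind permissions out of a decoded manifest."""
    root = ET.fromstring(xml_text)
    uses = {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}
    binds = {el.get(NAME): el.get(PERMISSION)
             for el in root.iter("service") if el.get(PERMISSION)}
    return {"package": root.get("package"),
            "uses_permissions": uses,
            "service_bind_permissions": binds}


def match_rules(caps):
    """Return the names of every capability cluster fully covered by the manifest."""
    present = caps["uses_permissions"] | set(caps["service_bind_permissions"].values())
    return sorted(name for name, needed in RULES.items() if needed <= present)


def verdict(hits):
    """UI control combined with an OTP channel (SMS or notifications) is the banker signature."""
    hits = set(hits)
    if "accessibility_control" in hits and hits & {"sms_interception", "notification_access"}:
        return "banker-like"
    return "review" if hits else "clean"


if __name__ == "__main__":
    caps = extract_manifest_capabilities(SAMPLE_MANIFEST)
    hits = match_rules(caps)
    print(caps["package"], hits, verdict(hits))
```

The rules are deliberately about combinations rather than single permissions: a legitimate SMS app requests the SMS trio, and a legitimate screen reader declares BIND_ACCESSIBILITY_SERVICE, but a "media player" that does both has no benign explanation.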

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-18 09:42

Reported

2023-12-18 09:50

Platform

android-x64-20231215-en

Max time kernel

2085982s

Max time network

300s

Command Line

main.trash.enough

Signatures

Ginp

banker trojan infostealer ginp

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

stealth trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/main.trash.enough/app_DynamicOptDex/TLMd.json | N/A | N/A
N/A | /data/user/0/main.trash.enough/app_DynamicOptDex/TLMd.json | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

main.trash.enough

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | girlfrommars.top | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
FR | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
FR | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | goldfingers.top | udp
GB | 216.58.212.228:443 | | tcp
GB | 216.58.212.228:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.169.66:443 | | tcp
GB | 216.58.212.195:443 | | tcp
GB | 216.58.212.195:443 | | tcp
GB | 216.58.212.195:443 | | tcp

Files

/data/data/main.trash.enough/app_DynamicOptDex/TLMd.json

MD5 4a03024f49e64430751cbf2faa5477e1
SHA1 d932f11b5ad92dba6817534f1c9613045f8f879f
SHA256 23fba3ab95bfa56411cf5da72ecbaefb1415adf856cc3715a4018e7360d4cde7
SHA512 3375b5fe7be7c261d949737670a70048cc097b0ccb557f3e52c877e2925c1a17728c957d1f26c99588d60c98daa0b22b46bb08c2abead7472fc53ab6dcba7555

/data/data/main.trash.enough/app_DynamicOptDex/TLMd.json

MD5 eed8c84048181aa9bb8a3538d82e22af
SHA1 7c4bb322cabe81a61d71615377ee13c0f5daf5a1
SHA256 3b4edc3f61bb70092962b5da28beab1069e7804791b605e0b51020a9d91733a2
SHA512 ec435bb00223319306a1a4da65b0d4abde08a9f8fc89b37c677f4915f6b25740747c3ac1eaf2eb8296a1e2b27398b04ccce9a0910c3cfd02090e67b114738ae6

/data/data/main.trash.enough/app_DynamicOptDex/oat/TLMd.json.cur.prof

MD5 c1e1a5864f80a9bd115790c1d4052c7c
SHA1 7728488020d10b19dc09d2215b23930f0b8a8b0d
SHA256 b53dbfb959aed69fda77b6a070258f8719e266ce0f86f9fea943130edbb995eb
SHA512 6fd97fc790f970772c4047af8bd41b12a45c1d4ff566cad59b8d2d6d5f983f7b6b0fc67c7765b87f94fea6772ee758825c5f2e7ec5c15274254f9bf2c315b965

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-18 09:42

Reported

2023-12-18 09:50

Platform

android-x64-arm64-20231215-en

Max time kernel

2085985s

Max time network

310s

Command Line

main.trash.enough

Signatures

Ginp

banker trojan infostealer ginp

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

stealth trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/main.trash.enough/app_DynamicOptDex/TLMd.json | N/A | N/A
N/A | /data/user/0/main.trash.enough/app_DynamicOptDex/TLMd.json | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

main.trash.enough

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.234:443 | | udp
GB | 142.250.200.46:443 | | udp
FR | 216.58.201.106:443 | | tcp
FR | 216.58.201.106:443 | | tcp
US | 1.1.1.1:53 | girlfrommars.top | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
FR | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
FR | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | goldfingers.top | udp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.200.2:443 | | tcp
GB | 142.250.200.3:443 | | tcp

Files

/data/user/0/main.trash.enough/app_DynamicOptDex/TLMd.json

MD5 4a03024f49e64430751cbf2faa5477e1
SHA1 d932f11b5ad92dba6817534f1c9613045f8f879f
SHA256 23fba3ab95bfa56411cf5da72ecbaefb1415adf856cc3715a4018e7360d4cde7
SHA512 3375b5fe7be7c261d949737670a70048cc097b0ccb557f3e52c877e2925c1a17728c957d1f26c99588d60c98daa0b22b46bb08c2abead7472fc53ab6dcba7555

/data/user/0/main.trash.enough/app_DynamicOptDex/TLMd.json

MD5 eed8c84048181aa9bb8a3538d82e22af
SHA1 7c4bb322cabe81a61d71615377ee13c0f5daf5a1
SHA256 3b4edc3f61bb70092962b5da28beab1069e7804791b605e0b51020a9d91733a2
SHA512 ec435bb00223319306a1a4da65b0d4abde08a9f8fc89b37c677f4915f6b25740747c3ac1eaf2eb8296a1e2b27398b04ccce9a0910c3cfd02090e67b114738ae6

/data/user/0/main.trash.enough/app_DynamicOptDex/oat/TLMd.json.cur.prof

MD5 0a9e561683a486d1c81ddc28b822cd83
SHA1 334f40ff5715c7261603c1fdeeeeda2078183493
SHA256 7668aeec5c6e34b063c621b4a3d4832c8b313be2577f989069f26ba08772fb47
SHA512 271127649b947b827b3ce5b8cdfa72ea128b3d1ddd3f87125c4c35252a92ba85c644feab16fb032cd8b90cf5106f12a40802c18545bd4871fed8f4b423d44044

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-18 09:42

Reported

2023-12-18 09:47

Platform

android-x86-arm-20231215-en

Max time kernel

2085808s

Max time network

131s

Command Line

main.trash.enough

Signatures

Ginp

banker trojan infostealer ginp

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

stealth trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/main.trash.enough/app_DynamicOptDex/TLMd.json | N/A | N/A
N/A | /data/user/0/main.trash.enough/app_DynamicOptDex/TLMd.json | N/A | N/A
N/A | /data/user/0/main.trash.enough/app_DynamicOptDex/TLMd.json | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

main.trash.enough

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/main.trash.enough/app_DynamicOptDex/TLMd.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/main.trash.enough/app_DynamicOptDex/oat/x86/TLMd.odex --compiler-filter=quicken --class-loader-context=&
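The dex2oat command line above is the hard evidence for the "Loads dropped Dex/Jar" signature: ART only compiles `--dex-file` inputs, so `TLMd.json` is a DEX whatever its name says, and the three different hashes recorded for that path in the Files sections show it was rewritten during the run. When pulling such files off a device or out of a sandbox, identify them by magic bytes and check the DEX's own integrity fields rather than trusting the extension. The following is an added example, not code from this report or from the sandbox vendor: it parses the 112-byte dex `header_item`, recomputes the Adler-32 checksum and SHA-1 signature the format carries, and flags name/content mismatches. The header-only DEX it builds to exercise itself is constructed for the example and is not the sample's payload; the extension-to-type table is an analyst assumption.

```python
import hashlib
import os
import struct
import zlib

# dex header_item: 112 bytes, little-endian (magic, checksum, signature, then 20 uint fields).
DEX_HEADER = struct.Struct("<8sI20s" + "I" * 20)
DEX_HEADER_FIELDS = (
    "magic", "checksum", "signature", "file_size", "header_size", "endian_tag",
    "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)
# Assumed mapping used only to spot extension/content mismatches.
EXPECTED_KIND_BY_EXT = {".dex": "dex", ".jar": "zip", ".apk": "zip", ".so": "elf"}


def identify(blob):
    """Classify a dropped file by magic bytes, ignoring whatever extension it carries."""
    if blob[:4] == b"dex\n" and blob[7:8] == b"\x00":
        return "dex"
    if blob[:4] == b"PK\x03\x04":
        return "zip"  # jar/apk container, may wrap a classes.dex
    if blob[:4] == b"\x7fELF":
        return "elf"  # native library
    return "unknown"


def parse_dex_header(blob):
    if len(blob) < DEX_HEADER.size:
        raise ValueError("shorter than a dex header")
    hdr = dict(zip(DEX_HEADER_FIELDS, DEX_HEADER.unpack_from(blob, 0)))
    hdr["version"] = hdr["magic"][4:7].decode("ascii")  # e.g. "035", "039"
    return hdr


def verify_dex(blob):
    """Recompute the two integrity fields the dex format carries.
    checksum  = adler32 over everything after the checksum field (offset 12 onward);
    signature = SHA-1 over everything after the signature field (offset 32 onward)."""
    hdr = parse_dex_header(blob)
    return {
        "version": hdr["version"],
        "size_ok": hdr["file_size"] == len(blob),
        "checksum_ok": (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == hdr["checksum"],
        "signature_ok": hashlib.sha1(blob[32:]).digest() == hdr["signature"],
        "class_defs": hdr["class_defs_size"],
    }


def triage_dropped_file(path, blob):
    """What an analyst wants per file under app_*/: the real type, and whether the name lies."""
    kind = identify(blob)
    ext = os.path.splitext(path)[1].lower()
    result = {
        "path": path,
        "kind": kind,
        "extension": ext,
        "mismatch": kind != "unknown" and EXPECTED_KIND_BY_EXT.get(ext) != kind,
        "sha256": hashlib.sha256(blob).hexdigest(),
    }
    if kind == "dex":
        result["dex"] = verify_dex(blob)
    return result


def build_minimal_dex():
    """Constructed sample: a header-only dex (no map, no tables) with valid integrity
    fields, so the checks above can run offline. It is not the sample's payload."""
    size = DEX_HEADER.size
    fields = [b"dex\n035\x00", 0, b"\x00" * 20, size, size, 0x12345678] + [0] * 16 + [size]
    buf = bytearray(DEX_HEADER.pack(*fields))
    buf[12:32] = hashlib.sha1(buf[32:]).digest()
    struct.pack_into("<I", buf, 8, zlib.adler32(buf[12:]) & 0xFFFFFFFF)
    return bytes(buf)


if __name__ == "__main__":
    path = "/data/user/0/main.trash.enough/app_DynamicOptDex/TLMd.json"
    print(triage_dropped_file(path, build_minimal_dex()))
```

A failed checksum or signature on a file that still loaded is itself a finding: ART does not reject a DEX on signature mismatch, so droppers sometimes patch bytes in place without fixing the header, and that is worth noting when comparing the several hashes recorded for the same path.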

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | girlfrommars.top | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
FR | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | goldfingers.top | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
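Across all three detonations the only non-Google names the sample asks the resolver about are girlfrommars.top and goldfingers.top, and neither is followed by a connection labelled with that name, while the unlabelled TCP peers on 443 sit in the same address blocks the labelled Google rows resolve to. The following is an added example, not part of this report or the sandbox vendor's output, that turns a network table in this format into that observation: it parses the rows (tolerating the missing Domain cell), separates DNS lookups from connections, and lists the domains not on a benign list together with whether they were DNS-only. The embedded rows are copied from the behavioral2 table of this report; the benign-suffix list is an analyst assumption for an Android sandbox and should be tuned per environment.

```python
# Rows copied from the behavioral2 network table of this report (Country, Destination, Domain, Proto).
# Rows without a Domain cell are reproduced exactly as the sandbox printed them.
BEHAVIORAL2_NETWORK = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 girlfrommars.top udp
US 1.1.1.1:53 ssl.google-analytics.com udp
FR 216.58.201.104:443 ssl.google-analytics.com tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
FR 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 goldfingers.top udp
GB 216.58.212.228:443 tcp
GB 216.58.212.228:443 tcp
GB 172.217.16.238:443 tcp
GB 172.217.169.66:443 tcp
GB 216.58.212.195:443 tcp
GB 216.58.212.195:443 tcp
GB 216.58.212.195:443 tcp
"""

# Analyst assumption: Google endpoints are Android/Play Services background traffic in this
# sandbox, not infrastructure the sample owns. mDNS (224.0.0.251:5353) never carries a domain.
BENIGN_SUFFIXES = ("google.com", "google-analytics.com")


def parse_network_table(text):
    """Parse 'Country Destination [Domain] Proto' rows; Domain is absent for bare IP peers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue  # header or blank line
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_benign(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def domain_activity(rows):
    """Per domain: how many resolver queries and how many labelled connections were seen."""
    acts = {}
    for r in rows:
        if not r["domain"]:
            continue
        a = acts.setdefault(r["domain"], {"dns_queries": 0, "connections": 0})
        if r["port"] == 53 and r["proto"] == "udp":
            a["dns_queries"] += 1
        else:
            a["connections"] += 1
    return acts


def candidate_c2(rows):
    """Non-benign domains the sample looked up. dns_only means no connection carrying that
    name followed: the host was down, sinkholed or NXDOMAIN at detonation time, or the
    sample simply never got to connect inside the run window. Either way it is an IOC."""
    out = []
    for domain, a in sorted(domain_activity(rows).items()):
        if is_benign(domain):
            continue
        out.append({"domain": domain, "dns_queries": a["dns_queries"],
                    "dns_only": a["connections"] == 0})
    return out


def unlabelled_peers(rows):
    """IP:port pairs contacted without a domain label, for pivoting (reverse DNS, ASN)."""
    return sorted({"%s:%d" % (r["ip"], r["port"]) for r in rows
                   if not r["domain"] and r["port"] != 5353})


if __name__ == "__main__":
    rows = parse_network_table(BEHAVIORAL2_NETWORK)
    print(candidate_c2(rows))
    print(unlabelled_peers(rows))
```

The same functions run unchanged over the behavioral3 and behavioral1 tables and return the same two domains, which is the consistency check worth doing before adding them to a blocklist: a domain that only one run queried could be a resolver artefact rather than C2.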

Files

/data/data/main.trash.enough/app_DynamicOptDex/TLMd.json

MD5 4a03024f49e64430751cbf2faa5477e1
SHA1 d932f11b5ad92dba6817534f1c9613045f8f879f
SHA256 23fba3ab95bfa56411cf5da72ecbaefb1415adf856cc3715a4018e7360d4cde7
SHA512 3375b5fe7be7c261d949737670a70048cc097b0ccb557f3e52c877e2925c1a17728c957d1f26c99588d60c98daa0b22b46bb08c2abead7472fc53ab6dcba7555

/data/data/main.trash.enough/app_DynamicOptDex/TLMd.json

MD5 eed8c84048181aa9bb8a3538d82e22af
SHA1 7c4bb322cabe81a61d71615377ee13c0f5daf5a1
SHA256 3b4edc3f61bb70092962b5da28beab1069e7804791b605e0b51020a9d91733a2
SHA512 ec435bb00223319306a1a4da65b0d4abde08a9f8fc89b37c677f4915f6b25740747c3ac1eaf2eb8296a1e2b27398b04ccce9a0910c3cfd02090e67b114738ae6

/data/user/0/main.trash.enough/app_DynamicOptDex/TLMd.json

MD5 a29890dcdca272052eb70569fc29da9f
SHA1 8c783e9a8d4313846329c8ae43da934b70aa0cca
SHA256 cf2c526e2ba3d1b14e48b603f862e3603d7c5873d59445495b44877ac3ce4654
SHA512 c839d0aa267519c912d46ff759af5ab62be7726b0dceb2bb73ca2abd4cc4971c9aeea15f0a4a2263ab55ff036d57584a00ff9e8a4d9e58795f680e2ac0ee61d0

/data/data/main.trash.enough/app_DynamicOptDex/oat/TLMd.json.cur.prof

MD5 66030bde4412eb53b2fd177f84737747
SHA1 86f20eda37375ca509d3abf139031583827980ae
SHA256 aadd93d379327f520803db70dd3b6a1faa6d0ecbae569d23b69d12b719f5a06a
SHA512 9ab49a23ffbd2c8a9103c64cf2c3fc7a2e4618b3b3aaca243206002151561f41aa8416f8cb66ed6b18dbb3bedf5e0c9cbf3fd64fe5e24fdb8bdb509b7b94d575