Malware Analysis Report

2024-09-09 13:29

Sample ID 240220-1xl6gafe4w
Target b9aaea12b136cbab6e9692470a268ca18c9a8bb4fb505fef775e73b7ce110dd2.bin
SHA256 b9aaea12b136cbab6e9692470a268ca18c9a8bb4fb505fef775e73b7ce110dd2
Tags
ginp mp15 banker evasion infostealer stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b9aaea12b136cbab6e9692470a268ca18c9a8bb4fb505fef775e73b7ce110dd2

Threat Level: Known bad

The file b9aaea12b136cbab6e9692470a268ca18c9a8bb4fb505fef775e73b7ce110dd2.bin was found to be: Known bad.

Malicious Activity Summary

ginp mp15 banker evasion infostealer stealth trojan

Ginp

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Requests enabling of the accessibility settings.

Loads dropped Dex/Jar

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-20 22:01

Signatures

Declares services with permission to bind to the system

| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-20 22:01

Reported

2024-02-20 22:08

Platform

android-x86-arm-20231215-en

Max time kernel

150s

Max time network

130s

Command Line

com.task.explain

Signatures

Ginp

banker trojan infostealer ginp

Makes use of the framework's Accessibility service

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |

Removes its main activity from the application launcher

stealth trojan

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Loads dropped Dex/Jar

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.task.explain/app_DynamicOptDex/ukhrfEB.json | N/A | N/A |
| N/A | /data/user/0/com.task.explain/app_DynamicOptDex/ukhrfEB.json | N/A | N/A |
| N/A | /data/user/0/com.task.explain/app_DynamicOptDex/ukhrfEB.json | N/A | N/A |

Requests enabling of the accessibility settings.

| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |

Processes

com.task.explain

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.task.explain/app_DynamicOptDex/ukhrfEB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.task.explain/app_DynamicOptDex/oat/x86/ukhrfEB.odex --compiler-filter=quicken --class-loader-context=&

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | wholepartyhere.top | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.201.110:443 | | tcp |
| GB | 216.58.201.110:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | insideluck.cc | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.187.234:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | insideluck.cc | udp |
| US | 1.1.1.1:53 | insideluck.cc | udp |

Files

/data/data/com.task.explain/app_DynamicOptDex/ukhrfEB.json

MD5 6af5341b4e7dfed83e58c41fb1ff085d
SHA1 db7ebc7cde4331fe9a7ba4ffc5fcfb37c8fb1196
SHA256 4caff50d14444916a6d902395b7a494034d12b54a48c82e5c6bee72946d015a0
SHA512 462fa5e9e30c16712a4ba438f683e76099a9f2505144dd4498c5adf5eaf4b923a0acbff623c609e36911a6ee815d7247ed3b32ef26983e3aac550d4f9e653281

/data/data/com.task.explain/app_DynamicOptDex/ukhrfEB.json

MD5 a356b379ab111eb7609c17ac23b7022b
SHA1 4d1fa3eb0bba094c345a3e905204ded059d388ab
SHA256 4954df708fbaedf0d1899fc2076f502a3b58091b85e88f119879d784c28aa99c
SHA512 0d8270743348b66f2ac031184d7d4596748ccf9a494d1cd4c79b1f77716dad23a47a43d6e868dabdad69f969228b60e84750a2eaddcaa0f418e95fab1be17a48

/data/user/0/com.task.explain/app_DynamicOptDex/ukhrfEB.json

MD5 03212b40ade4d4a0c181764d35843d9c
SHA1 5c6e1c14d3c5eacd5c7a1397b28cb49abcb562d0
SHA256 dc781ec607a585db8ad003ab9ebb739e6478303445456533336e3e632a9447ac
SHA512 c46e7af47b14ba5e4c59a9c48742dd409a0032e5e88540268741ff83d83e07ca01cada290471012e2087f9fe051399dde1b1a83d2616713b14fa843d267a8656

/data/data/com.task.explain/app_DynamicOptDex/oat/ukhrfEB.json.cur.prof

MD5 c3f48dea43ad54784bdc65612f2382f0
SHA1 9c6ef5432caa9b4c1e744c3afca4d5edad96a155
SHA256 e854f35153ff6abdc275e99f5eb36034ba0b8c4e319451a9600bd802994b2e5f
SHA512 8334696534b076f72cb35cb93d5d7e612093ed175cbbe9554e4e66a3e2e4b48c968aa01c486de02a4088f0098f7777ba53c7d5723163a524ab1066f994439287

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-20 22:01

Reported

2024-02-20 22:08

Platform

android-x64-20231215-en

Max time kernel

152s

Max time network

146s

Command Line

com.task.explain

Signatures

Ginp

banker trojan infostealer ginp

Makes use of the framework's Accessibility service

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |

Removes its main activity from the application launcher

stealth trojan

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Loads dropped Dex/Jar

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.task.explain/app_DynamicOptDex/ukhrfEB.json | N/A | N/A |
| N/A | /data/user/0/com.task.explain/app_DynamicOptDex/ukhrfEB.json | N/A | N/A |

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Processes

com.task.explain

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | wholepartyhere.top | udp |
| GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.201.110:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | insideluck.cc | udp |
| GB | 172.217.169.36:443 | | tcp |
| GB | 172.217.169.36:443 | | tcp |
| GB | 216.58.201.98:443 | | tcp |
| GB | 142.250.179.238:443 | | tcp |

Files

/data/data/com.task.explain/app_DynamicOptDex/ukhrfEB.json

MD5 6af5341b4e7dfed83e58c41fb1ff085d
SHA1 db7ebc7cde4331fe9a7ba4ffc5fcfb37c8fb1196
SHA256 4caff50d14444916a6d902395b7a494034d12b54a48c82e5c6bee72946d015a0
SHA512 462fa5e9e30c16712a4ba438f683e76099a9f2505144dd4498c5adf5eaf4b923a0acbff623c609e36911a6ee815d7247ed3b32ef26983e3aac550d4f9e653281

/data/data/com.task.explain/app_DynamicOptDex/ukhrfEB.json

MD5 a356b379ab111eb7609c17ac23b7022b
SHA1 4d1fa3eb0bba094c345a3e905204ded059d388ab
SHA256 4954df708fbaedf0d1899fc2076f502a3b58091b85e88f119879d784c28aa99c
SHA512 0d8270743348b66f2ac031184d7d4596748ccf9a494d1cd4c79b1f77716dad23a47a43d6e868dabdad69f969228b60e84750a2eaddcaa0f418e95fab1be17a48

/data/data/com.task.explain/app_DynamicOptDex/oat/ukhrfEB.json.cur.prof

MD5 92596540a4cb9578a4a1485d9e2c8f92
SHA1 756f6d1d6767cac162888b540ba60a5f7e7cc50e
SHA256 3da51c8adeef2fae7e01801c7931bcd4c3154022dd2070dd191ce8fd1f162bb3
SHA512 4150ad2309de8285604f6fdaeab129b8f6f05e3110e3922d7bd87bf6da95de636ec63cd0961efbc57a494c8d47b8d3f579c6254806957f2dbb33555805895149

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-20 22:01

Reported

2024-02-20 22:09

Platform

android-x64-arm64-20231215-en

Max time kernel

159s

Max time network

149s

Command Line

com.task.explain

Signatures

Ginp

banker trojan infostealer ginp

Makes use of the framework's Accessibility service

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |

Removes its main activity from the application launcher

stealth trojan

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Loads dropped Dex/Jar

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.task.explain/app_DynamicOptDex/ukhrfEB.json | N/A | N/A |
| N/A | /data/user/0/com.task.explain/app_DynamicOptDex/ukhrfEB.json | N/A | N/A |

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |

Processes

com.task.explain

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 172.217.169.10:443 | | udp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.178.14:443 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | wholepartyhere.top | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
| US | 1.1.1.1:53 | insideluck.cc | udp |

Files

/data/user/0/com.task.explain/app_DynamicOptDex/ukhrfEB.json

MD5 6af5341b4e7dfed83e58c41fb1ff085d
SHA1 db7ebc7cde4331fe9a7ba4ffc5fcfb37c8fb1196
SHA256 4caff50d14444916a6d902395b7a494034d12b54a48c82e5c6bee72946d015a0
SHA512 462fa5e9e30c16712a4ba438f683e76099a9f2505144dd4498c5adf5eaf4b923a0acbff623c609e36911a6ee815d7247ed3b32ef26983e3aac550d4f9e653281

/data/user/0/com.task.explain/app_DynamicOptDex/ukhrfEB.json

MD5 a356b379ab111eb7609c17ac23b7022b
SHA1 4d1fa3eb0bba094c345a3e905204ded059d388ab
SHA256 4954df708fbaedf0d1899fc2076f502a3b58091b85e88f119879d784c28aa99c
SHA512 0d8270743348b66f2ac031184d7d4596748ccf9a494d1cd4c79b1f77716dad23a47a43d6e868dabdad69f969228b60e84750a2eaddcaa0f418e95fab1be17a48

/data/user/0/com.task.explain/app_DynamicOptDex/oat/ukhrfEB.json.cur.prof

MD5 ca1b359432f733a9d4f4c447eb7d4fa9
SHA1 53f76432113143ec1fecd33ad50853c0aa932cf8
SHA256 943d4298bb78c65554b3aa41d5160c74a6eb234f2ba7a0ee654ed5fa9fd6bbe0
SHA512 425ef74040cf1dc90339ddce07a13f54d676cb2deba3a1b16a9e7772d3106f58869b34bb0e5481cb5bd0e5caa6e3f52e10799880745a7fe4e95634ad9ea4c6b1