Overview

overview

10

Static

static

6

376d13affc...a4.apk

android-10-x64

10

376d13affc...a4.apk

android-11-x64

10

376d13affc...a4.apk

android-13-x64

10

376d13affc...a4.apk

android-9-x86

10

Resubmissions

08/04/2024, 12:28 UTC

240408-pnlb2acd6t 10

08/03/2024, 09:07 UTC

240308-k3bc6abc69 10

23/03/2023, 01:50 UTC

230323-b89y8scg82 10

Analysis

  • max time kernel
    300s
  • max time network
    311s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240221-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system
  • submitted
    08/04/2024, 12:28 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4.apk

  • Size

    4.6MB

  • MD5

    d4c6871dbd078685cb138a499113d280

  • SHA1

    60b64c8481f9de5b92634efc70a9ff42f451c78f

  • SHA256

    376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4

  • SHA512

    e8823b7c73140af88ad6fd8c52a6619d245281170ddb31feb9d4e726ee47a8f34575f687048947272fabfb13dbed2c24f50d6fbd6117d40c1db577305955af59

  • SSDEEP

    98304:M0C+HR25SOeU0lhoBenZFOw2QxW74PNTcG/bZ7vf0sc:jCmtO/07oEOw2QU74PNT9/t7nc

Score
10/10
nexusbankercollectiondiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

nexus

C2

http://193.42.32.84/

http://193.42.32.87/

Signatures

  • Nexus

    Nexus is an Android banking trojan related to the SOVA banking trojan.

    bankertrojaninfostealernexus
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information which indicate if the system is an emulator.

    evasiondiscovery
  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information which indicate if the system is an emulator.

    evasiondiscovery
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries account information for other applications stored on the device. 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion

Processes

  • com.help.marine
    1⤵
    • Makes use of the framework's Accessibility service
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries account information for other applications stored on the device.
    • Reads the contacts stored on the device.
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4673

Network

  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    172.217.16.238
  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.200.8
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Mon, 08 Apr 2024 13:37:44 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 297
    Access-Control-Allow-Origin: *
    X-Ttl: 44
    X-Rl: 42
  • flag-us
    DNS
    translate.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    translate.googleapis.com
    IN A
    Response
    translate.googleapis.com
    IN A
    142.250.179.234
  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    216.58.201.100
  • 142.250.178.14:443
    tls, https
    1.5kB
     40 B
     1
    1
  • 172.217.16.238:443
    android.apis.google.com
    tls
    5.5kB
     8.7kB
     22
    23
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    387 B
     646 B
     5
    4

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    60 B
     1
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    300 B
     5
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    240 B
     4
  • 193.42.32.87:80
    60 B
     1
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 172.217.169.4:443
    tls, https
    905 B
     40 B
     2
    1
  • 172.217.169.4:443
    www.google.com
    tls
    11.6kB
     11.2kB
     34
    40
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    120 B
     2
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    360 B
     6
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    120 B
     2
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    300 B
     5
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    120 B
     2
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 216.58.201.100:443
    www.google.com
    tls
    1.4kB
     5.6kB
     10
    10
  • 193.42.32.87:80
    60 B
     1
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    60 B
     1
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    180 B
     3
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 216.58.201.100:443
    www.google.com
    tls
    1.4kB
     5.7kB
     10
    12
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    300 B
     5
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    360 B
     6
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    60 B
     1
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    420 B
     7
  • 216.58.201.100:443
    www.google.com
    tls
    1.4kB
     5.7kB
     10
    12
  • 193.42.32.87:80
    60 B
     1
  • 193.42.32.87:80
    420 B
     7
  • 193.42.32.87:80
    360 B
     6
  • 193.42.32.87:80
    360 B
     6
  • 193.42.32.87:80
    360 B
     6
  • 193.42.32.87:80
    300 B
     5
  • 193.42.32.87:80
    300 B
     5
  • 193.42.32.87:80
    300 B
     5
  • 193.42.32.87:80
    300 B
     5
  • 193.42.32.87:80
    300 B
     5
  • 142.250.179.226:443
    tls
    135 B
     40 B
     2
    1
  • 193.42.32.87:80
    300 B
     5
  • 216.58.201.100:443
    www.google.com
    tls
    1.4kB
     5.6kB
     10
    11
  • 193.42.32.87:80
    300 B
     5
  • 193.42.32.87:80
    300 B
     5
  • 193.42.32.87:80
    300 B
     5
  • 216.58.212.227:443
    tls
    135 B
     40 B
     2
    1
  • 193.42.32.87:80
    300 B
     5
  • 193.42.32.87:80
    120 B
     2
  • 193.42.32.87:80
    240 B
     4
  • 193.42.32.87:80
    240 B
     4
  • 193.42.32.87:80
    240 B
     4
  • 193.42.32.87:80
    240 B
     4
  • 193.42.32.87:80
    240 B
     4
  • 193.42.32.87:80
    240 B
     4
  • 193.42.32.87:80
    240 B
     4
  • 193.42.32.87:80
    240 B
     4
  • 193.42.32.87:80
    240 B
     4
  • 193.42.32.87:80
    180 B
     3
  • 193.42.32.87:80
    180 B
     3
  • 193.42.32.87:80
    180 B
     3
  • 193.42.32.87:80
    120 B
     2
  • 193.42.32.87:80
    120 B
     2
  • 193.42.32.87:80
    60 B
     1
  • 224.0.0.251:5353
    3.7kB
     11
  • 216.58.213.14:443
    https
    51 B
     50 B
     1
    1
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
     109 B
     1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    172.217.16.238

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
     86 B
     1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.200.8

  • 1.1.1.1:53
    ip-api.com
    dns
    56 B
     72 B
     1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 1.1.1.1:53
    translate.googleapis.com
    dns
    70 B
     86 B
     1
    1

    DNS Request

    translate.googleapis.com

    DNS Response

    142.250.179.234

  • 1.1.1.1:53
    www.google.com
    dns
    60 B
     76 B
     1
    1

    DNS Request

    www.google.com

    DNS Response

    216.58.201.100

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.help.marine/app_DynamicOptDex/nx.json
    Filesize

    2.2MB

    MD5

    cf9772416a747ac509ec2970cb9c9e74

    SHA1

    128bcf36307203dbb198d45c3560f30cd63bbd8d

    SHA256

    6e9478358dbfbefe00e28c9bf85255a8706873479cf8f0746a2246bbbab03c04

    SHA512

    9f0789d68ba6143d289a066db215a06b64adafa7967bd6915516f12ee416a02cb70bb52dc6cef945ed8965640e8d969093b33c2ce0fc35c480b9cfc57c8da014

    Download Submit

  • /data/data/com.help.marine/app_DynamicOptDex/nx.json
    Filesize

    2.2MB

    MD5

    dd644c0a66a11feb4a0d086916d77d42

    SHA1

    06c009c8e0e9258ab46348573a8023ba2a17086d

    SHA256

    12d162274020d3a09c7921c34ab8461a1a2a562667feb79f4ab222813b7e6b43

    SHA512

    f8978a8486d094b33024c0c4d40dd1eca425ab66ed6fe6423e176cb5edb2e38007410b47010c3e3f5edf6a3229f8ef4e61bbb991bd213d52ca8afc49492b4ddc

    Download Submit

  • /data/data/com.help.marine/app_DynamicOptDex/oat/nx.json.cur.prof
    Filesize

    3KB

    MD5

    f57a231ec75090c1dcb822984a92223b

    SHA1

    eefb09aa434befc35b4d5cc6e82e2c2ccdd2be68

    SHA256

    fb6aedc6c1ff0d9f2e124b36428192e867af9b3dc91ab92a177c0a863e838624

    SHA512

    4c20241f60b0137374f2430011756980a83b3e8ef244d397c37467aa176b63b166c28f8f025f24d71345a5b51fa29c69f1391894d7bf7225c6226be36f6bef0f

    Download Submit

  • /data/data/com.help.marine/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/data/com.help.marine/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    b65cbc6979134c24293b48b5bcbbb079

    SHA1

    f5c00135a73ff8afa55a9370b2cf31b51474452c

    SHA256

    dc501179abaff4054c84515b790c377a821196b4877461fca5076cc04acb1245

    SHA512

    ffbf1cdf576d3ff3cb1a353d1c29acca855e9c84e198947eba7052db97b9778319bb75b0964b3cdc3c4ead5a96a8b0f3233c70af72b100d9b2020d890249f38a

    Download Submit

  • /data/data/com.help.marine/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.help.marine/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    e4d21c134a3f275b28c73549059549a8

    SHA1

    871d6635ae6b481179260d61051778c3524edd85

    SHA256

    b3c975df12f209adfbc676e5f33b2b5029ac8c24b288198ad35096fd20a79aed

    SHA512

    94902fed90a14f8337a8512e13bd7fc975a405f6d6abd4c0b9a22c24f76c62ff4d7c38d5dfe79fabd76513e8f282981ebe6d00fdc6ac22a1f8923373d0917c79

    Download Submit

  • /data/data/com.help.marine/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    482c346199716efcd1373fae52e7ed32

    SHA1

    8f4cf4bee09f614c12a8e176876f294ac3ade677

    SHA256

    9730177aa2b2266001c1f76e1b0692edcbae230d95cb509e61a186a88d842480

    SHA512

    f8df7c309b5d091243cebcbdc0ef0c76f1215f8b3b5b546a8fdaa8d8c1020f2b6778d304587f4c432a488222eb0ca069dd1e1a467d6558ca77327119d026b712

    Download Submit

  • /data/data/com.help.marine/no_backup/androidx.work.workdb-wal
    Filesize

    221KB

    MD5

    910006acaf4f15ba4edcbe64e8cddf95

    SHA1

    27e82a5d70675651d21605f4454c9b5c5aca8382

    SHA256

    d9bb665de6d111a174eb412e6c56634023185e1de4c3f56ead0da7d217ed2aff

    SHA512

    a1a4a2edbccddd98edc904d6b097172c0cbd42afb4cb62507c81f88e5df515f147e50772dd6b00e0852728e67763458d39a254c95c67082e9f4696bfa4ccde13

    Download Submit

  • /data/user/0/com.help.marine/app_DynamicOptDex/nx.json
    Filesize

    6.1MB

    MD5

    781a5fd150ae010085b1e7ff4501a0f4

    SHA1

    bfbe600cec76f9f00f02a6f0eca5f4bbd5eb1e71

    SHA256

    9ae5523ea2a7080ac97ef5443bf4b781f775c67fefaec687e58b5b983caf3146

    SHA512

    d5dafba7a47802f4312d03557c428e4834d1ca02f0e49f60bb59873ca674deb7be340cb6d0a714295c29894746512869d480da21ab3862eeb27fee9265a98bde

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.