nexus | 0c78489423101d08e47d67ab467a45edacf84ea46ef1f7c0370084dc7a956867

Resubmissions

08-04-2024 12:28

240408-pnlb2acd6t 10

08-03-2024 09:07

240308-k3bc6abc69 10

23-03-2023 01:50

230323-b89y8scg82 10

Analysis

max time kernel
299s
max time network
306s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
08-04-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4.apk
Size

4.6MB
MD5

d4c6871dbd078685cb138a499113d280
SHA1

60b64c8481f9de5b92634efc70a9ff42f451c78f
SHA256

376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4
SHA512

e8823b7c73140af88ad6fd8c52a6619d245281170ddb31feb9d4e726ee47a8f34575f687048947272fabfb13dbed2c24f50d6fbd6117d40c1db577305955af59
SSDEEP

98304:M0C+HR25SOeU0lhoBenZFOw2QxW74PNTcG/bZ7vf0sc:jCmtO/07oEOw2QU74PNT9/t7nc

Score

10^/10

nexus banker collection discovery evasion infostealer persistence stealth trojan

Malware Config

Extracted

Family

nexus

http://193.42.32.84/

http://193.42.32.87/

Signatures

Nexus
Nexus is an Android banking trojan related to the SOVA banking trojan.
banker trojan infostealer nexus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.help.marine
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.help.marine

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4179	com.help.marine
4179	com.help.marine

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.help.marine

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.help.marine

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.help.marine/app_DynamicOptDex/nx.json	4179	com.help.marine

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.help.marine

Queries account information for other applications stored on the device. 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccounts	com.help.marine

Reads the contacts stored on the device. 1 TTPs 1 IoCs

collection

Contact List

T1636.003

description	ioc	Process
URI accessed for read	content://com.android.contacts/contacts	com.help.marine

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.help.marine

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.help.marine

com.help.marine
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device.
- Reads the contacts stored on the device.
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4179

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

Lateral Movement

Collection

Protected User Data

T1636

Contact List

T1636.003

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.help.marine/app_DynamicOptDex/nx.json

Filesize
2.2MB

MD5
cf9772416a747ac509ec2970cb9c9e74

SHA1
128bcf36307203dbb198d45c3560f30cd63bbd8d

SHA256
6e9478358dbfbefe00e28c9bf85255a8706873479cf8f0746a2246bbbab03c04

SHA512
9f0789d68ba6143d289a066db215a06b64adafa7967bd6915516f12ee416a02cb70bb52dc6cef945ed8965640e8d969093b33c2ce0fc35c480b9cfc57c8da014

Download Submit
/data/data/com.help.marine/app_DynamicOptDex/nx.json

Filesize
2.2MB

MD5
dd644c0a66a11feb4a0d086916d77d42

SHA1
06c009c8e0e9258ab46348573a8023ba2a17086d

SHA256
12d162274020d3a09c7921c34ab8461a1a2a562667feb79f4ab222813b7e6b43

SHA512
f8978a8486d094b33024c0c4d40dd1eca425ab66ed6fe6423e176cb5edb2e38007410b47010c3e3f5edf6a3229f8ef4e61bbb991bd213d52ca8afc49492b4ddc

Download Submit
/data/data/com.help.marine/app_DynamicOptDex/oat/nx.json.cur.prof

Filesize
3KB

MD5
ad64fac86ec7864c62317781b77fedf1

SHA1
3ccf23bb2b9cf56c943ea660dab37323f1be75de

SHA256
6777f18fed58541f92a80ca549ea385f3c229d27419df81ca1bef5dafac10fd9

SHA512
79e017b48ac755a2aacc135a750087af53580536ebf87f76bf6eb8e3146b2fe7092ca71148fffe150066272fb702b95faaab0d7c22b0f78a7365c074d12f39e9

Download Submit
/data/data/com.help.marine/app_DynamicOptDex/oat/nx.json.cur.prof

Filesize
3KB

MD5
eddb27e2cae35ad92ddf4f0018737ac2

SHA1
f95b212f2fb324fe447f8181d77e774a7a5a9077

SHA256
ad766cd13a0cb5bb3c0d043d37c0ac4cb99074fa30b851898827956a4d0a5333

SHA512
8b2169c1e40133184eef334344a6367e66020e8643a43de9031bc953b2822fa45c5581925f8149581617c4f736812e5bed0267cbe35db1918f2e5eeb8b2bd4f7

Download Submit
/data/data/com.help.marine/app_DynamicOptDex/oat/nx.json.cur.prof

Filesize
4KB

MD5
e05ef57f29968617250057684ada328e

SHA1
6cf39e9a5fc0b399a0aa67f292259bd4db96fb42

SHA256
d1aa5fd8f1ce85cd0ddd6d9fac66afbd201060c245fc14d11ac2407b4100006f

SHA512
5038213019999ab7d8e7b6109be7fdb0741b1e67fe3e7c7d6cd37785e35313e74e230916b11f07884b765c62b2d137ad53302c1395132943c77b8ae4ce121cf2

Download Submit
/data/data/com.help.marine/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.help.marine/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
4b16adca4a18829230b082e2f283ed28

SHA1
651d2a8db3204d05f5ceb7dd3123ee921131c4a8

SHA256
06fe6b7c775d256e43267b72ad7b206249eb2c58300908d61032cde8f44bb4be

SHA512
ec7e759f4a197369a39a41e5b494c74a1e85f6d057ffdacd5a89b51ae71ebdc76f232524e3007d3cf29943c419b7e0c8cdac3d32aec72f78deed2a9f0d6a381d

Download Submit
/data/data/com.help.marine/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.help.marine/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
d15d36a2e1e6ddb93dfb1732e6df36bb

SHA1
dd72107fce0459566935136af4f193cf4de806df

SHA256
eb9fa5e02bcff9465958d88f5d8a9d17e61d9039913898cb7ae8d3ed8ee4087e

SHA512
e1df0bd10284e9ed050893c951be6b34a4cf57b59670ac780bd784a724a5bad7f81dca3cba3d1ef96c1b6cabd9d09e0e88e29e444e8794a2dec6f50072f0da77

Download Submit
/data/data/com.help.marine/no_backup/androidx.work.workdb-wal

Filesize
229KB

MD5
9a95bbf417a64122441a7582a0c3a35f

SHA1
fc4cc7494c2da72f6f07c5d68943e67d33815bd5

SHA256
9e3113dc22ad987889377da430be0527a89b3cf167fffd90fd56b987ae251a54

SHA512
aad74c5dd75f2ddaeda90a97ae412926fc3110dbd2436040a6a10748fb8426ca11bb053948b9e67a0de9c3f3482223db6602e3e9e2231d579a988998adb54c14

Download Submit
/data/data/com.help.marine/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
4599ed117621e3994fb7fe0254ac6ea5

SHA1
1836200f74c0a20ba7aac4b6070df82fffd6202e

SHA256
09a09d3f8fb17752bd8d17ee96d8dacbc844391cead5b4abd618ac02a4c174a6

SHA512
3a44c3726347917f9c18e8432b9612f87ba4c633edb4caa6d1db155f77979116a2d8d118ea2bedfe601c1cf942334a428b4ec10fdec4a1c59f84742303e166c0

Download Submit
/data/user/0/com.help.marine/app_DynamicOptDex/nx.json

Filesize
6.1MB

MD5
781a5fd150ae010085b1e7ff4501a0f4

SHA1
bfbe600cec76f9f00f02a6f0eca5f4bbd5eb1e71

SHA256
9ae5523ea2a7080ac97ef5443bf4b781f775c67fefaec687e58b5b983caf3146

SHA512
d5dafba7a47802f4312d03557c428e4834d1ca02f0e49f60bb59873ca674deb7be340cb6d0a714295c29894746512869d480da21ab3862eeb27fee9265a98bde

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads