Analysis
max time kernel: 179s
max time network: 154s
platform: android_x86
resource: android-x86-arm-20240611.1-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
submitted: 16-06-2024 07:43
Static task: static1
Behavioral task: behavioral1
Sample: b267bca20bc365a9e7529eb217bd0e9c_JaffaCakes118.apk
Resource: android-x86-arm-20240611.1-en
Behavioral task: behavioral2
Sample: b267bca20bc365a9e7529eb217bd0e9c_JaffaCakes118.apk
Resource: android-x64-20240611.1-en
Behavioral task: behavioral3
Sample: b267bca20bc365a9e7529eb217bd0e9c_JaffaCakes118.apk
Resource: android-x64-arm64-20240611.1-en
General
Target: b267bca20bc365a9e7529eb217bd0e9c_JaffaCakes118.apk
Size: 1.4MB
MD5: b267bca20bc365a9e7529eb217bd0e9c
SHA1: a686bc3454fd57796653590e3ddd34783d1f04af
SHA256: e10099c6468ad5c05ff606e2a03780ba424696380bbb4c6dacd005fe46f11b99
SHA512: 8b750202ec9e2ee22368c0fe2a47657a388eb0c2c44d9a5caaf65960a49f38e40ee2e4cec631709780111b6e3ff989d23fb6d3d3a22ac5f579c5cd3835d5d169
SSDEEP: 24576:ymPMupbe+lGFxxPJxhqY5INn+d04bs7OFnac4s3UIuiZEfEvON:xMupvl90d04bsSFnb43rxfEve
Malware Config
Extracted
- ginp
- 2.8c
- mp-4
- http://wingaffordnasty.com/
- http://change923.ru/
- uri: api147
Extracted
- ginp
- http://wingaffordnasty.com/api147/
- http://change923.ru/api147/
Signatures
- Ginp
  Ginp is an Android banking trojan first seen in mid 2019.
  pid 4210, process jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc /data/user/0/jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu/app_DynamicOptDex/hf.json, pid 4210, process jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu
  ioc /data/user/0/jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu/app_DynamicOptDex/hf.json, pid 4210, process jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText, process jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  Framework service call android.os.IPowerManager.acquireWakeLock, process jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call android.app.IActivityManager.setServiceForeground, process jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu
- Queries information about active data network (1 TTPs, 1 IoCs)
  Framework service call android.net.IConnectivityManager.getActiveNetworkInfo, process jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu
- Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
  Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS, process jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu
- Requests enabling of the accessibility settings (1 IoCs)
  Intent action android.settings.ACCESSIBILITY_SETTINGS, process jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu
Processes
jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu (PID 4210)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Requests accessing notifications (often used to intercept notifications before users become aware)
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Requests enabling of the accessibility settings
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Input Injection (1)
Credential Access
- Access Notifications (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Network Connections Discovery (1)
Downloads
- Filesize: 374KB
  MD5: a9885271de91b6664fcb40e3e268139e
  SHA1: a9c4fa498a09e17af468b8391af40f5167f95aa3
  SHA256: 64e625bb0f9c7d18680d8444b48087f3c0a316c35c6fdccb0a264e0850783f60
  SHA512: c9be0b53ccb0ce2b80fab0783284fb0dac34fb037db819f5f71e248f04427a3847eadfda890d43f76cfe902619958f3dbde1c5d85846f12a3f792bb37b8dedde
- Filesize: 374KB
  MD5: 54de7eab470a4eabc743f3c0bb35ac26
  SHA1: 94b20038a9a917f7c95674aa18ef8315203c0e6c
  SHA256: 0741f08f9ea71be64feb1eb6388922a822e60bbeaf2901810d90d89e02a44388
  SHA512: 35021a8b3aa58a2e7861fbe8ba67ad942d5f5a2019edceef05a88e745e5e735025a7be983f8589892be9037bb65eb8d400bcaac253a8ed5cdfda3e5b86497d0f
- /data/data/jffgxrlkjcrsqz.igtddgdtxbtarzhxar.nglslmkxojhkmfclysafamyleu/app_DynamicOptDex/oat/hf.json.cur.prof
  Filesize: 356B
  MD5: 669aa490d6c8db22ca8201621ef19579
  SHA1: eabfdfccc974fff4d2cb24db4a2ea173e2a8ed75
  SHA256: 7bd86931f58e79e160002e2aeb8b47c880690e5a1eeb407c62a5efff4b148667
  SHA512: ad66697c6eda7b89f486645db04b55aa0895f223cb934c79a9aab4fe2587e64ab9c0eded15b6d80c319e88fe225ceed1bcb235bf52b7712e85f568fd4356ae2a