Overview

overview

10

Static

static

6

d95dff4e52...8b.apk

android-9-x86

10

d95dff4e52...8b.apk

android-10-x64

10

d95dff4e52...8b.apk

android-11-x64

Resubmissions

23-06-2024 03:20

240623-dv62jaxhqd 10

22-06-2024 23:30

240622-3hffgszdnb 10

Analysis

  • max time kernel
    23s
  • max time network
    185s
  • platform
    android_x64
  • resource
    android-x64-20240611.1-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240611.1-enlocale:en-usos:android-10-x64system
  • submitted
    22-06-2024 23:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d95dff4e52801d7a1399126fcb1617ff0829cf0916530357caef7d0dfd73578b.apk

  • Size

    2.3MB

  • MD5

    363232356841fae677c850fb78c29b24

  • SHA1

    e9ab678b80a2ba4bf5a3e98bd2bfd41de67ba616

  • SHA256

    d95dff4e52801d7a1399126fcb1617ff0829cf0916530357caef7d0dfd73578b

  • SHA512

    9eb11136b1caaadada18dcfab684a7228836493d4bf1608c47514d267471be21dc58732c17fac1d1265549d6314dcdb345b222c748941e41dc35d5593df3b609

  • SSDEEP

    49152:VYUwxqJIcFqgnhr+LJG5olrJbeh2OwcoLpVioKNsuuh11UxSlAUUZEFN:VY/xqJhsgnhrmGmlZehi3pVokTNlUZEj

Score
10/10
ginpmp43bankercollectioncredential_accessdiscoveryevasioninfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

ginp

Version

2.8d

Botnet

mp43

C2

http://sorryfordelay.top/

http://silverball.cc/
Attributes
  • uri

    api201

Extracted

Family

ginp

C2

http://sorryfordelay.top/api201/

http://silverball.cc/api201/

Signatures

  • Ginp

    Ginp is an android banking trojan first seen in mid 2019.

    bankertrojaninfostealerginp
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery

Processes

  • soldier.unhappy.garage
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    PID:5177

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/soldier.unhappy.garage/app_DynamicOptDex/Tp.json
    Filesize

    361KB

    MD5

    3be84dc3eea625b9f0debe41f642e1b0

    SHA1

    0590fd9d43ce7a9ac1afa257111fd799dbced9ef

    SHA256

    351a0ff5546ba77d8bc784f29a4df8227cc254b872c47105a11eb3d5b43c90d9

    SHA512

    52e4f4f048fca240502ef9b0488bd6c5c4b8c99e3d94a395d90fae736e774734c4f7457b9946111538ed5a3d3b1f34addd640199c26407bb7df4c73aca1cdf06

    Download Submit

  • /data/data/soldier.unhappy.garage/app_DynamicOptDex/Tp.json
    Filesize

    361KB

    MD5

    85c5d55c3a906bef6658d9613816d2b1

    SHA1

    2507b240dfcf7f5e16a85b6fa8ea99562f2a3d3c

    SHA256

    8ad39fadaacb0a5a56e87222a534cd23282971ef094d1122dcd5dc1edf84d3f0

    SHA512

    d7ef69c2d47cf4b9f50b119a448d9547e8514ab11180f9c14df9f563047b0f5041d5c0332574317f220876b480a3c2df3784a28d4ea6a6ac54b6c5bd1d82d2a6

    Download Submit