Malware Analysis Report

2024-09-09 13:25

Sample ID 240622-3hffgszdnb
Target d95dff4e52801d7a1399126fcb1617ff0829cf0916530357caef7d0dfd73578b.bin
SHA256 d95dff4e52801d7a1399126fcb1617ff0829cf0916530357caef7d0dfd73578b
Tags
ginp mp43 banker collection credential_access discovery evasion infostealer persistence stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d95dff4e52801d7a1399126fcb1617ff0829cf0916530357caef7d0dfd73578b

Threat Level: Known bad

The file d95dff4e52801d7a1399126fcb1617ff0829cf0916530357caef7d0dfd73578b.bin was found to be: Known bad.

Malicious Activity Summary

ginp mp43 banker collection credential_access discovery evasion infostealer persistence stealth trojan

Ginp

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Requests enabling of the accessibility settings.

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries information about active data network

Acquires the wake lock

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-22 23:30

Signatures

Declares broadcast receivers with permission to handle system events

Indicator / Description (Process and Target: N/A)

android.permission.BIND_DEVICE_ADMIN
    Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator / Description (Process and Target: N/A for every row)

android.permission.BIND_ACCESSIBILITY_SERVICE
    Required by accessibility services to bind with the system. Allows apps to access accessibility features.

android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
    Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

Indicator / Description (Process and Target: N/A for every row)

android.permission.READ_PHONE_STATE
    Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.

android.permission.RECEIVE_SMS
    Allows an application to receive SMS messages.

android.permission.CALL_PHONE
    Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.

android.permission.READ_CONTACTS
    Allows an application to read the user's contacts data.

android.permission.READ_SMS
    Allows an application to read SMS messages.

android.permission.WRITE_EXTERNAL_STORAGE
    Allows an application to write to external storage.

android.permission.READ_EXTERNAL_STORAGE
    Allows an application to read from external storage.

android.permission.SEND_SMS
    Allows an application to send SMS messages.

android.permission.GET_ACCOUNTS
    Allows access to the list of accounts in the Accounts Service.
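The static signatures above are a permission profile, and the same profile can be checked on any APK before detonation by reading the decoded AndroidManifest.xml. The script below is an added example written for this report, not part of the sandbox's tooling. The embedded manifest is constructed: it carries exactly the permissions the static1 tables list, while the component names (.AdminReceiver, .AccService, .NotifService) are placeholders, not names recovered from the sample. The "overlay banker" rule at the end is an analyst heuristic, not a sandbox rule.

```python
"""Manifest-level triage of the permission set listed in the static1 signatures."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: only the permissions this report lists; component
# names are placeholders, not recovered from the sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="soldier.unhappy.garage">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

# Capabilities implied by requested dangerous permissions (any one suffices).
PERMISSION_CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "call_initiation": {"android.permission.CALL_PHONE"},
    "contact_harvesting": {"android.permission.READ_CONTACTS"},
    "account_enumeration": {"android.permission.GET_ACCOUNTS"},
    "device_fingerprinting": {"android.permission.READ_PHONE_STATE"},
}

# Capabilities implied by a component the system binds to. These are
# signature-level permissions only the framework holds, so a component
# guarded by one is driven by the OS itself once the user enables it.
BIND_CAPABILITIES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}


def triage_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    requested = sorted(el.get(ANDROID + "name", "") for el in root.iter("uses-permission"))

    bound = []  # (tag, component name, bind permission)
    for tag in ("service", "receiver", "activity"):
        for el in root.iter(tag):
            perm = el.get(ANDROID + "permission")
            if perm in BIND_CAPABILITIES:
                bound.append((tag, el.get(ANDROID + "name", ""), perm))

    caps = {c for c, perms in PERMISSION_CAPABILITIES.items() if perms & set(requested)}
    caps |= {BIND_CAPABILITIES[perm] for _, _, perm in bound}

    # Heuristic (analyst assumption): an accessibility service plus a way to
    # read one-time codes (SMS or notifications) is the overlay-banker profile.
    otp_access = bool(caps & {"sms_interception", "notification_listener"})
    banker_profile = "accessibility_service" in caps and otp_access

    return {
        "package": root.get("package"),
        "requested_permissions": requested,
        "system_bound_components": bound,
        "capabilities": sorted(caps),
        "overlay_banker_profile": banker_profile,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against `apktool d sample.apk` output by passing the decoded AndroidManifest.xml text in place of SAMPLE_MANIFEST; the bind-permission check matters more than the dangerous-permission list, because a legitimate SMS app requests the same SMS permissions but does not ship an accessibility service alongside them.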

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-22 23:30

Reported

2024-06-22 23:30

Platform

android-x64-arm64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination            Domain                               Proto
N/A      224.0.0.251:5353       -                                    udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 23:30

Reported

2024-06-22 23:33

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

150s

Command Line

soldier.unhappy.garage

Signatures

Ginp

banker trojan infostealer ginp

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
(no indicator details recorded for this signature)

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/soldier.unhappy.garage/app_DynamicOptDex/Tp.json N/A N/A
N/A /data/user/0/soldier.unhappy.garage/app_DynamicOptDex/Tp.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Processes

soldier.unhappy.garage

Network

Country  Destination            Domain                               Proto
GB       142.250.180.14:443     -                                    tcp
N/A      224.0.0.251:5353       -                                    udp
US       1.1.1.1:53             sorryfordelay.top                    udp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com   udp
GB       216.58.204.74:443      semanticlocation-pa.googleapis.com   tcp
GB       142.250.187.206:443    -                                    tcp
US       1.1.1.1:53             android.apis.google.com              udp
GB       142.250.178.14:443     android.apis.google.com              tcp
US       1.1.1.1:53             silverball.cc                        udp
GB       142.250.187.234:443    semanticlocation-pa.googleapis.com   tcp
GB       172.217.16.234:443     semanticlocation-pa.googleapis.com   tcp

Files

/data/data/soldier.unhappy.garage/app_DynamicOptDex/Tp.json

MD5 3be84dc3eea625b9f0debe41f642e1b0
SHA1 0590fd9d43ce7a9ac1afa257111fd799dbced9ef
SHA256 351a0ff5546ba77d8bc784f29a4df8227cc254b872c47105a11eb3d5b43c90d9
SHA512 52e4f4f048fca240502ef9b0488bd6c5c4b8c99e3d94a395d90fae736e774734c4f7457b9946111538ed5a3d3b1f34addd640199c26407bb7df4c73aca1cdf06

/data/data/soldier.unhappy.garage/app_DynamicOptDex/Tp.json

MD5 85c5d55c3a906bef6658d9613816d2b1
SHA1 2507b240dfcf7f5e16a85b6fa8ea99562f2a3d3c
SHA256 8ad39fadaacb0a5a56e87222a534cd23282971ef094d1122dcd5dc1edf84d3f0
SHA512 d7ef69c2d47cf4b9f50b119a448d9547e8514ab11180f9c14df9f563047b0f5041d5c0332574317f220876b480a3c2df3784a28d4ea6a6ac54b6c5bd1d82d2a6

/data/data/soldier.unhappy.garage/app_DynamicOptDex/oat/Tp.json.cur.prof

MD5 c4098aa2327a62332c408a4107ffaaec
SHA1 39b8c34d124eda18a1388ecf729de94f166ad0ea
SHA256 dd53605f1c41e3e7167889568edb7aaacb61420c875b1c8b73708847fe23ea7a
SHA512 21213a98df859fb01049e8f4c0d08eff7e63723e2915f6332b4f8b64e68c3fca43ab425ab3a616694e115bd6f07c2b0bacca9a6530c2a287afc8775c93da3888
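The payload is written under app_DynamicOptDex with a .json extension, the "Loads dropped Dex/Jar" signature fires on that path, and a runtime profile (oat/Tp.json.cur.prof) appears next to it, so the extension says nothing about the content. The check below is an added example for this report, not sandbox tooling: it identifies a DEX file by its header rather than its name and validates the header's own integrity fields (Adler-32 checksum over everything after the checksum, SHA-1 signature over everything after the signature, file_size, header_size and endian_tag). The sample bytes are constructed in the code as a minimal class-less DEX container so it runs offline; the real Tp.json content is not reproduced, and its hashes will not match the ones listed above.

```python
"""Identify a dropped file as DEX by its header, independent of its extension."""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70        # fixed header length in the DEX format
DEX_MAGIC_PREFIX = b"dex\n"   # followed by a 3-digit version and a NUL
ENDIAN_CONSTANT = 0x12345678


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed sample: a header-only DEX with a valid checksum and signature."""
    magic = DEX_MAGIC_PREFIX + version + b"\x00"
    # file_size, header_size, endian_tag, then the 17 remaining uint32 fields
    # (link/map/string/type/proto/field/method/class_def/data sizes and
    # offsets) all zero: the container is empty but structurally valid.
    after_sig = struct.pack("<III", DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    after_sig += b"\x00" * (DEX_HEADER_SIZE - 32 - 12)
    signature = hashlib.sha1(after_sig).digest()                   # covers bytes 32..end
    checksum = zlib.adler32(signature + after_sig) & 0xFFFFFFFF    # covers bytes 12..end
    return magic + struct.pack("<I", checksum) + signature + after_sig


def inspect_dropped_file(report_path: str, data: bytes) -> dict:
    """Report what the file actually is, regardless of the name it was written under."""
    result = {
        "path": report_path,
        "claimed_extension": report_path.rsplit(".", 1)[-1].lower(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_dex": False,
        "dex_version": None,
        "checksum_ok": False,
        "signature_ok": False,
        "header_ok": False,
        "extension_mismatch": False,
    }
    if len(data) < DEX_HEADER_SIZE or not data.startswith(DEX_MAGIC_PREFIX) or data[7] != 0:
        return result  # not a plain DEX (an optimised "dey\n" file also lands here)

    result["is_dex"] = True
    result["dex_version"] = data[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)

    # A checksum or signature mismatch means the bytes on disk were altered
    # after packing (or the dropper writes a decoy first and rewrites later).
    result["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    result["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature
    result["header_ok"] = (
        file_size == len(data)
        and header_size == DEX_HEADER_SIZE
        and endian_tag == ENDIAN_CONSTANT
    )
    result["extension_mismatch"] = result["claimed_extension"] != "dex"
    return result


if __name__ == "__main__":
    sample = build_minimal_dex()
    print(inspect_dropped_file(
        "/data/data/soldier.unhappy.garage/app_DynamicOptDex/Tp.json", sample))
```

The report lists the same path twice with different hashes, which is consistent with the file being rewritten between the two loads; running this check on each pulled copy (adb pull from a rooted analysis device) tells you which copy is the loadable DEX and which, if either, is an encrypted or decoy blob.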

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 23:30

Reported

2024-06-22 23:33

Platform

android-x64-20240611.1-en

Max time kernel

23s

Max time network

185s

Command Line

soldier.unhappy.garage

Signatures

Ginp

banker trojan infostealer ginp

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
(no indicator details recorded for this signature)

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/soldier.unhappy.garage/app_DynamicOptDex/Tp.json N/A N/A
N/A /data/user/0/soldier.unhappy.garage/app_DynamicOptDex/Tp.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

soldier.unhappy.garage

Network

Country  Destination            Domain                               Proto
N/A      224.0.0.251:5353       -                                    udp
GB       142.250.179.234:443    -                                    tcp
US       1.1.1.1:53             ssl.google-analytics.com             udp
GB       172.217.16.232:443     ssl.google-analytics.com             tcp
US       1.1.1.1:53             sorryfordelay.top                    udp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com   udp
GB       142.250.179.234:443    semanticlocation-pa.googleapis.com   tcp
US       1.1.1.1:53             android.apis.google.com              udp
GB       216.58.212.238:443     android.apis.google.com              tcp
US       1.1.1.1:53             silverball.cc                        udp
GB       142.250.200.14:443     -                                    tcp
GB       172.217.169.66:443     -                                    tcp
GB       142.250.179.234:443    semanticlocation-pa.googleapis.com   tcp
GB       216.58.204.78:443      -                                    tcp
GB       142.250.180.10:443     semanticlocation-pa.googleapis.com   tcp
BE       64.233.184.188:5228    -                                    tcp
GB       142.250.200.10:443     semanticlocation-pa.googleapis.com   tcp
GB       142.250.200.10:443     semanticlocation-pa.googleapis.com   tcp
GB       142.250.180.10:443     semanticlocation-pa.googleapis.com   tcp
GB       142.250.179.234:443    semanticlocation-pa.googleapis.com   tcp
GB       142.250.180.10:443     semanticlocation-pa.googleapis.com   tcp
US       1.1.1.1:53             accounts.google.com                  udp
US       1.1.1.1:53             accounts.google.com                  udp
BE       74.125.133.84:443      accounts.google.com                  tcp
GB       216.58.212.238:443     android.apis.google.com              tcp
US       1.1.1.1:53             g.tenor.com                          udp
GB       216.58.201.106:443     g.tenor.com                          tcp
GB       216.58.201.100:443     -                                    tcp
GB       216.58.201.100:443     -                                    tcp
US       1.1.1.1:53             mdh-pa.googleapis.com                udp
GB       142.250.187.234:443    mdh-pa.googleapis.com                tcp
US       1.1.1.1:53             safebrowsing.googleapis.com          udp
US       1.1.1.1:53             www.youtube.com                      udp
GB       172.217.169.14:443     www.youtube.com                      udp
GB       172.217.169.14:443     www.youtube.com                      tcp
US       1.1.1.1:53             growth-pa.googleapis.com             udp
GB       216.58.204.74:443      growth-pa.googleapis.com             tcp
US       1.1.1.1:53             lh3-dz.googleusercontent.com         udp
GB       172.217.16.225:443     lh3-dz.googleusercontent.com         tcp
US       1.1.1.1:53             www.google.com                       udp
GB       142.250.179.228:443    www.google.com                       tcp
US       1.1.1.1:53             silverball.cc                        udp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com   udp
US       1.1.1.1:53             android.apis.google.com              udp
GB       142.250.187.238:443    android.apis.google.com              tcp
US       1.1.1.1:53             i.ytimg.com                          udp
GB       142.250.200.54:443     i.ytimg.com                          udp
GB       142.250.200.54:443     i.ytimg.com                          tcp
GB       142.250.187.238:443    android.apis.google.com              tcp
US       1.1.1.1:53             www.google.com                       udp
GB       142.250.179.228:443    www.google.com                       tcp
US       1.1.1.1:53             sorryfordelay.top                    udp
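Almost everything in the behavioral1 and behavioral2 network tables is the Android image talking to Google services on its own; the two names that do not fit that pattern, sorryfordelay.top and silverball.cc, are queried over DNS in both runs but neither table records a connection to a resolved address for them. The script below is an added example for this report, not sandbox tooling: it parses rows in the table's own layout, attributes bare-IP connections to a name seen resolving to the same address elsewhere in the capture, and separates names that were only ever resolved from names that were actually contacted. NETWORK_ROWS is a subset of rows copied from the behavioral2 table; the platform suffix allowlist is an analyst assumption to tune per sandbox image, not something the report states.

```python
"""Triage of the sandbox Network table: operator names versus platform noise."""
from collections import defaultdict

# Subset of rows copied from the behavioral2 Network table of this report.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
GB 142.250.179.234:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 sorryfordelay.top udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 silverball.cc udp
BE 64.233.184.188:5228 tcp
US 1.1.1.1:53 accounts.google.com udp
BE 74.125.133.84:443 accounts.google.com tcp
US 1.1.1.1:53 sorryfordelay.top udp
"""

# Assumed allowlist: traffic the Android image generates by itself.
PLATFORM_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com",
                     ".googleusercontent.com", ".youtube.com", ".ytimg.com",
                     ".tenor.com")
RESOLVER = "1.1.1.1:53"        # the sandbox's DNS resolver
MDNS = "224.0.0.251:5353"      # multicast DNS chatter, never attributable


def parse_rows(text: str) -> list:
    """Rows are 'Country Destination [Domain] Proto'; Domain may be absent."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 3:
            country, dest, proto = f
            domain = None
        elif len(f) == 4:
            country, dest, domain, proto = f
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def triage_network(text: str) -> dict:
    rows = parse_rows(text)
    # Map an IP back to the name it was reached under elsewhere in the capture,
    # so bare-IP rows (no SNI/DNS attribution) inherit that name.
    ip_to_domain = {r["dest"].rsplit(":", 1)[0]: r["domain"]
                    for r in rows if r["domain"] and r["dest"] != RESOLVER}

    domains = defaultdict(lambda: {"dns_queries": 0, "connections": []})
    unattributed = []
    for r in rows:
        ip = r["dest"].rsplit(":", 1)[0]
        domain = r["domain"] or ip_to_domain.get(ip)
        if domain is None:
            # e.g. 64.233.184.188:5228, a port Google's push messaging typically
            # uses, but nothing in the table names it, so leave it for review.
            if r["dest"] not in (RESOLVER, MDNS):
                unattributed.append(f'{r["dest"]}/{r["proto"]}')
            continue
        entry = domains[domain]
        if r["dest"] == RESOLVER:
            entry["dns_queries"] += 1
        else:
            entry["connections"].append(f'{r["dest"]}/{r["proto"]}')

    for name, entry in domains.items():
        # "dns_only": resolved but never contacted within the run's time limit.
        entry["status"] = "connected" if entry["connections"] else "dns_only"
        entry["classification"] = "platform_noise" if name.endswith(PLATFORM_SUFFIXES) else "review"

    review = sorted(n for n, e in domains.items() if e["classification"] == "review")
    return {"domains": dict(domains), "review": review, "unattributed": unattributed}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_network(NETWORK_ROWS), indent=2))
```

A dns_only result is not proof that a name is dormant: behavioral2 ran for 185 s of network time, and a resolver answer that never turned into a connection can mean the name did not resolve, the server was down, or the sample simply had not reached that stage yet. Block and alert on the names, but do not infer server-side behaviour from the absence of a connection.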

Files

/data/data/soldier.unhappy.garage/app_DynamicOptDex/Tp.json

MD5 3be84dc3eea625b9f0debe41f642e1b0
SHA1 0590fd9d43ce7a9ac1afa257111fd799dbced9ef
SHA256 351a0ff5546ba77d8bc784f29a4df8227cc254b872c47105a11eb3d5b43c90d9
SHA512 52e4f4f048fca240502ef9b0488bd6c5c4b8c99e3d94a395d90fae736e774734c4f7457b9946111538ed5a3d3b1f34addd640199c26407bb7df4c73aca1cdf06

/data/data/soldier.unhappy.garage/app_DynamicOptDex/Tp.json

MD5 85c5d55c3a906bef6658d9613816d2b1
SHA1 2507b240dfcf7f5e16a85b6fa8ea99562f2a3d3c
SHA256 8ad39fadaacb0a5a56e87222a534cd23282971ef094d1122dcd5dc1edf84d3f0
SHA512 d7ef69c2d47cf4b9f50b119a448d9547e8514ab11180f9c14df9f563047b0f5041d5c0332574317f220876b480a3c2df3784a28d4ea6a6ac54b6c5bd1d82d2a6