Malware Analysis Report

2024-09-09 13:25

Sample ID 240623-dv62jaxhqd
Target d95dff4e52801d7a1399126fcb1617ff0829cf0916530357caef7d0dfd73578b.bin
SHA256 d95dff4e52801d7a1399126fcb1617ff0829cf0916530357caef7d0dfd73578b
Tags
ginp mp43 banker collection credential_access discovery evasion infostealer persistence stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

d95dff4e52801d7a1399126fcb1617ff0829cf0916530357caef7d0dfd73578b

Threat Level: Known bad

The file d95dff4e52801d7a1399126fcb1617ff0829cf0916530357caef7d0dfd73578b.bin was found to be: Known bad.

Malicious Activity Summary

ginp mp43 banker collection credential_access discovery evasion infostealer persistence stealth trojan

Ginp

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Requests accessing notifications (often used to intercept notifications before users become aware).

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Requests enabling of the accessibility settings.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries information about active data network

Acquires the wake lock

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-23 03:20

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 03:20

Reported

2024-06-23 03:22

Platform

android-x86-arm-20240611.1-en

Max time kernel

53s

Max time network

40s

Command Line

soldier.unhappy.garage

Signatures

Ginp

banker trojan infostealer ginp

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/soldier.unhappy.garage/app_DynamicOptDex/Tp.json | N/A | N/A
N/A | /data/user/0/soldier.unhappy.garage/app_DynamicOptDex/Tp.json | N/A | N/A
N/A | /data/user/0/soldier.unhappy.garage/app_DynamicOptDex/Tp.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Processes

soldier.unhappy.garage

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/soldier.unhappy.garage/app_DynamicOptDex/Tp.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/soldier.unhappy.garage/app_DynamicOptDex/oat/x86/Tp.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | sorryfordelay.top | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | silverball.cc | udp

Files

/data/data/soldier.unhappy.garage/app_DynamicOptDex/Tp.json

/data/data/soldier.unhappy.garage/app_DynamicOptDex/Tp.json

/data/user/0/soldier.unhappy.garage/app_DynamicOptDex/Tp.json

/data/data/soldier.unhappy.garage/app_DynamicOptDex/oat/Tp.json.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 03:20

Reported

2024-06-23 03:24

Platform

android-x64-20240611.1-en

Max time kernel

66s

Max time network

188s

Command Line

soldier.unhappy.garage

Signatures

Ginp

banker trojan infostealer ginp

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/soldier.unhappy.garage/app_DynamicOptDex/Tp.json | N/A | N/A
N/A | /data/user/0/soldier.unhappy.garage/app_DynamicOptDex/Tp.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

soldier.unhappy.garage

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.234:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | sorryfordelay.top | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | silverball.cc | udp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.179.226:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 172.217.169.42:443 | | tcp
GB | 172.217.169.42:443 | | tcp
GB | 216.58.204.67:443 | | tcp
GB | 216.58.204.67:443 | | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
GB | 142.250.179.234:443 | g.tenor.com | tcp

Files

/data/data/soldier.unhappy.garage/app_DynamicOptDex/Tp.json

/data/data/soldier.unhappy.garage/app_DynamicOptDex/Tp.json

/data/data/soldier.unhappy.garage/app_DynamicOptDex/oat/Tp.json.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-23 03:20

Reported

2024-06-23 03:21

Platform

android-x64-arm64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files

N/A