Overview

overview

10

Static

static

6

b698518ac0...67.apk

android-9-x86

10

b698518ac0...67.apk

android-10-x64

10

b698518ac0...67.apk

android-11-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    186s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    01-08-2024 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b698518ac071ba29e81ab8ebba49c364f5e8e7392e0c7814eb16ed9ab5735367.apk

  • Size

    3.2MB

  • MD5

    1b2373f564e753a89759dad9ebef7881

  • SHA1

    a76e21464c04c7fffb0ebe6422c16eb12bce58a7

  • SHA256

    b698518ac071ba29e81ab8ebba49c364f5e8e7392e0c7814eb16ed9ab5735367

  • SHA512

    2a1f677f52201f2ce70f65b5028680504d7186dfe1eb49361714932b7402c58156432d96e2830e49b194e5f07abc8bee8f2d99063ef619902ac53e16dad2ade3

  • SSDEEP

    98304:VDhdjz8JfSdyXBilBrY1dzpIeQzL8ynPLmBFqno45U:/dj4JKdyXWBQ5QzIumx4i

Score
10/10
ginpmp72bankercollectioncredential_accessdiscoveryevasioninfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

ginp

Version

2.8d

Botnet

mp72

C2

http://sweetseventeen.top/

http://jackblack.cc/
Attributes
  • uri

    api201

Extracted

Family

ginp

C2

http://sweetseventeen.top/api201/

http://jackblack.cc/api201/

Signatures

  • Ginp

    Ginp is an android banking trojan first seen in mid 2019.

    bankertrojaninfostealerginp
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • appear.shaft.uphold
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4249
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/appear.shaft.uphold/app_DynamicOptDex/NJDBDrn.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/appear.shaft.uphold/app_DynamicOptDex/oat/x86/NJDBDrn.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4275

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/appear.shaft.uphold/app_DynamicOptDex/NJDBDrn.json
    Filesize

    418KB

    MD5

    9041c15d5965b11f1a841ce8a7c388ad

    SHA1

    b9acc1b33291878409ba4060fb554fa2b9a8b3a5

    SHA256

    c108fe547e30f4c72aa0e3c522347a63f52b63d539b6f699bedcc2d789d87901

    SHA512

    c136b5214fd62203160d1d648e1a23142d11d1fecfff14c3867eb65a089f29968fe8a347736d015d0d2d64ee6cddd9d96a0c883804b913a1544d3ce49d8c0212

    Download Submit

  • /data/data/appear.shaft.uphold/app_DynamicOptDex/NJDBDrn.json
    Filesize

    418KB

    MD5

    6be6f93b229d65858d93172f04cf3582

    SHA1

    ecdf8dccb82f0bafe49655da0dd6b5e775ba5877

    SHA256

    ac66df32152bcd1f27decde4bb92068703113dc833a1e94395c73a967f21be86

    SHA512

    d72ea79302e81453e6974bd26950b5034a2e0e954f85b3091bff5c8142232de9f80be85833f6d8dd8c366ba18f4a912487a50486bea1cff3d674150fffe6d88f

    Download Submit

  • /data/data/appear.shaft.uphold/app_DynamicOptDex/oat/NJDBDrn.json.cur.prof
    Filesize

    389B

    MD5

    dc1ccc93c2c45521e541e11dedf7ba02

    SHA1

    bc70b007ee4a9f9cebfb6f1602286bb3eef10a38

    SHA256

    fa0a207197df0aa5a7b8ee1c83c9f304627f6e56bf5088e8e3169c1618243dd2

    SHA512

    409fa988c1f8a3c9331a15bf6731e4360f6abc4ba6071aeeaabdf052a1b89a1d68460fe232118151dbb9e44ee52da89e6650faf354a487a68d89d2c4a9860773

    Download Submit

  • /data/user/0/appear.shaft.uphold/app_DynamicOptDex/NJDBDrn.json
    Filesize

    418KB

    MD5

    b40b7a1b89def68fd8f42ceff6728a9c

    SHA1

    4d65af486a81c5721e8187d429f38ba09ec22fd2

    SHA256

    60ef6607722de33f679f53afa8b727b85b04703cbe5ea237034ae8a56a82f218

    SHA512

    42c763c95703b388431ce3662e6b25bf346447b37c1857612268930444c458b8527740ea4b670ad9bec59cc8f4a6ed94fcaeb47fe35ec8083b111dae4bc6a82c

    Download Submit