Overview

overview

10

Static

static

6

059552b24b...1e.apk

android-9-x86

10

059552b24b...1e.apk

android-10-x64

10

059552b24b...1e.apk

android-11-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    183s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    05-08-2024 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    059552b24ba96f140fec438dbe651d66c9341232e3f56aba962b67e80e04561e.apk

  • Size

    3.2MB

  • MD5

    88097ea445b1072b327173d3b6803709

  • SHA1

    ded9be6a67fe77a40f52bd31a5249fea09785743

  • SHA256

    059552b24ba96f140fec438dbe651d66c9341232e3f56aba962b67e80e04561e

  • SHA512

    5bcce543c408bcc5ca54249e8f6f3aa9d9f6d093ec5b4b0f9f9e62a28f3676b6cfd1b9c5ec3f34f0c6127434507e057c6c379e99195ee4e1927e6d31df813c73

  • SSDEEP

    98304:PqDhuHRbzxXJS3KLqR9APIm0pp6VYUdWAvo47zYzN4w:PGuHR/xXsaLqMQ2dQOkx4w

Score
10/10
ginpmp70bankercollectioncredential_accessdiscoveryevasioninfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

ginp

Version

2.8d

Botnet

mp70

C2

http://coldcoolcoco.top/

http://jackblack.cc/
Attributes
  • uri

    api201

Extracted

Family

ginp

C2

http://coldcoolcoco.top/api201/

http://jackblack.cc/api201/

Signatures

  • Ginp

    Ginp is an android banking trojan first seen in mid 2019.

    bankertrojaninfostealerginp
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • donkey.infant.lawsuit
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4252
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/donkey.infant.lawsuit/app_DynamicOptDex/bx.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/donkey.infant.lawsuit/app_DynamicOptDex/oat/x86/bx.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4280

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/donkey.infant.lawsuit/app_DynamicOptDex/bx.json
    Filesize

    485KB

    MD5

    f8cd81c01e2a4de9414fb687e63a19fb

    SHA1

    fff45d63adc55e4c367fae2568155fc50c3e8f3f

    SHA256

    1b70678ffb46e048b52d955841becd838e6b8750d768a6d42dc81866f83a8586

    SHA512

    6c54791e8d7f04d6ab9776d8d8f38a550dbdf1f2e4e0f1998bb12eefd4eeb33299d52b3221e015bcf0c20aca39911413c108520c0be82349e2c6f16922c01f30

    Download Submit

  • /data/data/donkey.infant.lawsuit/app_DynamicOptDex/bx.json
    Filesize

    485KB

    MD5

    53543796019016b0a01182808d4d5421

    SHA1

    02176ca66d30ccdc06ef106d4b9bfef21dd937c9

    SHA256

    a79928caa651a9f12415ca396ae02eb9ed38a928b7324058259bef5e6c6c5f9b

    SHA512

    dba8b9489d77478635a7a0185233de4d7f8837e0dadcb2f80aefc01453602844ce0427378c1c524fdfb5c0e252b6aa8dd7bb7cd4dfefdb09b59ea033ae4b73d4

    Download Submit

  • /data/data/donkey.infant.lawsuit/app_DynamicOptDex/oat/bx.json.cur.prof
    Filesize

    335B

    MD5

    a48439b2106534482c09a11fbfa6a476

    SHA1

    c26c4d2b8c2e6df95d875c61a39c946af994894c

    SHA256

    dd140d378182a14226b660bdb3267a9302fe9a359ec5af1d7dde1e9f5c36b49d

    SHA512

    aaecd25a130f79f501e5b69fb2ce4424af13cb7b75a145326789ca023d5c22b66d07745c840561a5aca4493fea09a4e3e45648d65ed7829c2f071998124ecd26

    Download Submit

  • /data/user/0/donkey.infant.lawsuit/app_DynamicOptDex/bx.json
    Filesize

    485KB

    MD5

    97639bb1d86126860af1add501871a6e

    SHA1

    6a2b162a60819113853ac046b0b2fa766c8f0bc7

    SHA256

    ad51bd38ddc16fe2445282e959468db388b1c0e6d08ab2d2d6484e2120cd735d

    SHA512

    6908a6d3fed3120bbc34f4d8e09a213ea6014d312881bab7ebbe24bef73c82f0163877af37224d7feb42d199bfd801999be08707be5d54dca76d3dae85831200

    Download Submit