Analysis

  • max time kernel
    179s
  • max time network
    137s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    06-08-2024 22:09

General

  • Target

    996de5da046786cf585f6ce5fb9ee4446f3afeaac699823506f741a5e55b8665.apk

  • Size

    1.9MB

  • MD5

    dc3567738517d6a03e41efb4fb842e0c

  • SHA1

    eed9c5df2f65b4367c382fd7b96885557c12e1e9

  • SHA256

    996de5da046786cf585f6ce5fb9ee4446f3afeaac699823506f741a5e55b8665

  • SHA512

    a87b475f3d9534bba32aa37763342faa4adea913704f2d7f40baa238e0c592fcfeadd39ef1c395303d795a45511c727536acec6292881ebea98cf8d8a9c5a236

  • SSDEEP

    49152:/Y+h/sOIUfmmGKPepQl0eLYtBDbv4OzSUAhi4dEe0nc+X:/Y+h/sRUfmmGKB03bv45USPdEeC

Malware Config

Extracted

Family

ginp

Version

2.8d

Botnet

mp14

C2

http://windowtint.top/

http://beastmode.top/

Attributes
  • uri

    api201

Extracted

Family

ginp

C2

http://windowtint.top/api201/

http://beastmode.top/api201/

Signatures

  • Ginp

    Ginp is an android banking trojan first seen in mid 2019.

  • Removes its main activity from the application launcher (1 TTPs, 1 IoCs)
  • Loads dropped Dex/Jar (1 TTPs, 3 IoCs)

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
  • Acquires the wake lock (1 IoCs)
  • Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTPs, 3 IoCs)

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about active data network (1 TTPs, 1 IoCs)
  • Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
  • Requests enabling of the accessibility settings. (1 IoCs)

Processes

  • walnut.minimum.cushion
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests enabling of the accessibility settings.
    PID:4213
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/walnut.minimum.cushion/app_DynamicOptDex/yjM.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/walnut.minimum.cushion/app_DynamicOptDex/oat/x86/yjM.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4239

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/walnut.minimum.cushion/app_DynamicOptDex/oat/yjM.json.cur.prof

    Filesize

    333B

    MD5

    1a526bc80cf5fd1c8d8e7a8cf33d6bf3

    SHA1

    283540baa476593083d91aa2dc13861ae2d30601

    SHA256

    fa379ae421c26a489445efb750c2457525d0765e4c1d31d120eb53a06209a658

    SHA512

    36987cab2be93a8cdb9e5ef2d421a18f46c8fe9891e3c354b1d5208fd293e94f83cf62885e3304cc694e117082ab6763702b6745875d9b2609f0a967231fef76

  • /data/data/walnut.minimum.cushion/app_DynamicOptDex/yjM.json

    Filesize

    384KB

    MD5

    68ca7b957db260782067fec25b7a09de

    SHA1

    c62dcb481748549bec193ad088cfef9b8e7d2026

    SHA256

    4ed7c82954a5384fc5d5a1ac81dd35452360a6c2dc5b737990c908ebec77ff85

    SHA512

    b778a678bd14a417a956020d54b1c67a6442dbec101528128743bd546f7c4f0d715905eebc5c80ab7e1bbcb54e43b1451bd4c20829fcce6a790cc4980cc05b28

  • /data/data/walnut.minimum.cushion/app_DynamicOptDex/yjM.json

    Filesize

    384KB

    MD5

    4cb3cb0123b1a4e4d99b72fd32bf43a7

    SHA1

    1991593edab633d3011a3724faac33839068076d

    SHA256

    15a2a9a85cbc9539d99a77bb047914b255906094e3d08d2ece7d208bf8b5014f

    SHA512

    7816b82595278750d9db4e37e5d0834a240bc619523efdb9a76a591bf7e0d354fa53ac9e782e92a232bb7e3521b5aabc4596fd2293d9ab2c81a1a9935c9f80a0

  • /data/user/0/walnut.minimum.cushion/app_DynamicOptDex/yjM.json

    Filesize

    384KB

    MD5

    2cb73a1a6c906b0bc65cdbdb4791c390

    SHA1

    61de79157c7c6f6945c42dc7f093e53b0bc2378e

    SHA256

    0954f9529df7e087ae4381801b548c9de8bccf050e1ee9fc1b8bcd088e9484ad

    SHA512

    2c5344758138f40321290407c123c8bc0268a67585ce323dbb578cdd35a5d99ae7b3393d9e27426dc52b4077fa3683cb4a82c9c8aa6730a21853054ced42cf75