Analysis
-
max time kernel
179s -
max time network
134s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
-
submitted
06-08-2024 22:09
General
-
Target
996de5da046786cf585f6ce5fb9ee4446f3afeaac699823506f741a5e55b8665.apk
-
Size
1.9MB
-
MD5
dc3567738517d6a03e41efb4fb842e0c
-
SHA1
eed9c5df2f65b4367c382fd7b96885557c12e1e9
-
SHA256
996de5da046786cf585f6ce5fb9ee4446f3afeaac699823506f741a5e55b8665
-
SHA512
a87b475f3d9534bba32aa37763342faa4adea913704f2d7f40baa238e0c592fcfeadd39ef1c395303d795a45511c727536acec6292881ebea98cf8d8a9c5a236
-
SSDEEP
49152:/Y+h/sOIUfmmGKPepQl0eLYtBDbv4OzSUAhi4dEe0nc+X:/Y+h/sRUfmmGKB03bv45USPdEeC
Malware Config
Extracted
ginp
2.8d
mp14
http://windowtint.top/
http://beastmode.top/
-
uri
api201
Extracted
ginp
http://windowtint.top/api201/
http://beastmode.top/api201/
Signatures
-
Ginp
Ginp is an android banking trojan first seen in mid 2019.
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 9 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests enabling of the accessibility settings. 1 IoCs
Processes
-
walnut.minimum.cushion1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
240B
MD515934aad3c9ffc301a34b061e5e9cc62
SHA1925257116b5855f84663c35fff1408d26eb60e55
SHA2560a36d512abee3346affe22ac483b1254772b13260ccd9d617880dc68fa310736
SHA51255b5413e7f04668de2a3f46595bd5bcb9fb014f6fde070e4c10472eac18fb45c6158fe53f17c4a212891efb9d0d9a50100829a64d073eba925e8355010cd7a85
-
Filesize
384KB
MD568ca7b957db260782067fec25b7a09de
SHA1c62dcb481748549bec193ad088cfef9b8e7d2026
SHA2564ed7c82954a5384fc5d5a1ac81dd35452360a6c2dc5b737990c908ebec77ff85
SHA512b778a678bd14a417a956020d54b1c67a6442dbec101528128743bd546f7c4f0d715905eebc5c80ab7e1bbcb54e43b1451bd4c20829fcce6a790cc4980cc05b28
-
Filesize
384KB
MD54cb3cb0123b1a4e4d99b72fd32bf43a7
SHA11991593edab633d3011a3724faac33839068076d
SHA25615a2a9a85cbc9539d99a77bb047914b255906094e3d08d2ece7d208bf8b5014f
SHA5127816b82595278750d9db4e37e5d0834a240bc619523efdb9a76a591bf7e0d354fa53ac9e782e92a232bb7e3521b5aabc4596fd2293d9ab2c81a1a9935c9f80a0