Overview

overview

10

Static

static

6

0f2d432a69...49.apk

android-9-x86

10

0f2d432a69...49.apk

android-10-x64

10

0f2d432a69...49.apk

android-11-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    188s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    07/08/2024, 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f2d432a696f149181f7345b1662aa66c8afca70b41bc9c85b2d7c6634142949.apk

  • Size

    4.9MB

  • MD5

    acabd40f1b648a85d436b66051e956ef

  • SHA1

    946356509ab3ecf8a188f41a5341c173067765bc

  • SHA256

    0f2d432a696f149181f7345b1662aa66c8afca70b41bc9c85b2d7c6634142949

  • SHA512

    83028ab602c2a660a77e770a8d311690c6605b1694052d65ab49ac4d1264be29fd1aa48ac387b3c0ccad639ee10e3053f9bd54d8cc4307a0ff872d015850afca

  • SSDEEP

    98304:5DLAThoeWVq6EiHQnNC0fDWuAHkPM2mrRH5XbxaUqtUQ08tKYNbLIemcFU:53IVWVzHQNjauE0M2gRH5XbKrtHS

Score
10/10
nexusbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencetrojan

Malware Config

Extracted

Family

nexus

C2

http://45.143.138.133

http://gecebizimhaberlerdeizle.co.vu/

http://haberasanbizdenozelgundem.co.vu/

Signatures

  • Nexus

    Nexus is an Android banking trojan related to the SOVA banking trojan.

    bankertrojaninfostealernexus
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 24 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.alert.castle
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries account information for other applications stored on the device
    • Reads the contacts stored on the device.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4521

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Stored Application Data

1
T1409

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.alert.castle/app_DynamicOptDex/oat/uZdhso.json.cur.prof
    Filesize

    3KB

    MD5

    bafbda57a747214a7bb0de93cd6fff9e

    SHA1

    28007e305bff03689fb1d4a6da38774496206476

    SHA256

    f01fd3ba49c69cf6236b2746d724e7398fe8d64446b35497c311b43a57430894

    SHA512

    98e1e89a8a17950765a4f6e9427c724ad91a2c7f0ea59801f49ebac8d022a638827e114cf7c9342488802aceda5428bc75b5933e9e626aa1d2cf53fe7e218a41

    Download Submit

  • /data/data/com.alert.castle/app_DynamicOptDex/uZdhso.json
    Filesize

    2.2MB

    MD5

    efa90868a21fc81acd2487e42b63ed58

    SHA1

    27c0d7361b8442938e05b5244a42c56ba0565aff

    SHA256

    153f2a70151c465b6fa00babe61d55b6a3e25d22eb96c40194f06242feacff5f

    SHA512

    4ef0f056c76fbecc12c88c4d21a99d0f2ef27cd9fdb1e47cd3257629db6ef81dc91033a27cb2550b85c06d44dae72ecff552e7e4a19ee0dd06577fb8cb5d0c4f

    Download Submit

  • /data/data/com.alert.castle/app_DynamicOptDex/uZdhso.json
    Filesize

    2.2MB

    MD5

    eb68d6d89a6b39127bc645fa320c79e8

    SHA1

    fea1bc7be40e9b0c34a291dd36294f50fcf92b3e

    SHA256

    45ad8acf5bf7b86c38fbeee3e7b2301f1eaa5fe397a572a4bf6309eedd746285

    SHA512

    b0951befc046ba75c47dec9d1f37307cba9d8ef57bc3c578c84f95dccff968d2ff2b6198cdd139d8439ca3cd65b27419f051e8f140813811f628d00bed24540a

    Download Submit

  • /data/data/com.alert.castle/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/data/com.alert.castle/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    7e0fea5f3f8f861c3893aca6788839af

    SHA1

    df9916ffe67e4fecbe4c33f0d22f1e97f6444169

    SHA256

    56998eb336c7ac6fc25a95c0294b6c3b3c7f29f33b8dfb8d7500e781c036a13a

    SHA512

    5f951cf913ba7112467afb1b6468ee84aec5b7d5e9e2aa34d875eb51ca82afaffa5f91e7a315a5408d80a5f5b8e0a129ea04ae042c455cd9c15932f02e72b177

    Download Submit

  • /data/data/com.alert.castle/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.alert.castle/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    6582be92497e9689cadf4008d8dadee0

    SHA1

    10c9cdf083ef9664d73cf2c9126907b352d688d8

    SHA256

    47f67a634242e1b3426544721b609806919b637633f83e62902ef46d32fb7796

    SHA512

    3eeb20cab4d6e578e2f48443602f4e65fbadc9827443891122909ab35c51d20540b9e5e3b04a46516e421681dcb1c78a032fb7a03bf3cea94de2e54a770a94ff

    Download Submit

  • /data/data/com.alert.castle/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    a38929a4c76a038147cfb9ac08effe84

    SHA1

    e928d04b9b7263de37e915724b021f3ef029ce12

    SHA256

    6dade4c21178fd6429ddd4e63eae1f7fc4f1124725dd62664dca7c1e1c3d59b2

    SHA512

    38b8f529b73b5125583ac2a136a24e6f01476a13c8546799061a82c23aae9a0bcea6a9be3c60ee91631b572c8312db14903b44766655431be8d2fc11a17310db

    Download Submit

  • /data/data/com.alert.castle/no_backup/androidx.work.workdb-wal
    Filesize

    229KB

    MD5

    ebc70a9a687cf0755e9916e098d2c232

    SHA1

    573a13023c760a083b789c83272da890e94786bc

    SHA256

    943ddc50473d0616b723f8ba0a6fd2c8e233dbdc97c725c3a6cb1697ee14edb9

    SHA512

    735df800bb443d3ff6ec49f5be7aadd2785b8f3becd395db018e96b924365d7344507034191d4eb48b88f602e78c5e668ee0c9847e9504c0a0c644c29c9aa3a3

    Download Submit

  • /data/user/0/com.alert.castle/app_DynamicOptDex/uZdhso.json
    Filesize

    6.1MB

    MD5

    802a753d1ffbc857c8b91fb91d8eb890

    SHA1

    64cf4cc4d7feab9004a275fd6a05cadf93917cf7

    SHA256

    ba641a60a99e49f0e0870eaf0ea0d550171108981eec64ff2516b332e28ec839

    SHA512

    5492e875c4cb9135a18d5f20e64359507133493c5bfc3e7dcaf281f750148538dc8b073ad435f314141dbf7c1e8cc5acb2950ad34d4f6865591215343fee2501

    Download Submit