Overview

overview

10

Static

static

6

7ff64f6a0e...0c.apk

android-9-x86

10

7ff64f6a0e...0c.apk

android-10-x64

10

7ff64f6a0e...0c.apk

android-11-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    188s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    09-08-2024 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ff64f6a0ebac8b2601ec169f0172e589a80f6f1347034f9fa368187f427b70c.apk

  • Size

    3.5MB

  • MD5

    82a844bd0c82f91381b9d567adf014e5

  • SHA1

    61be931e88b3ff5ac6b42216ad6a22c01b7105fd

  • SHA256

    7ff64f6a0ebac8b2601ec169f0172e589a80f6f1347034f9fa368187f427b70c

  • SHA512

    eb86ae1c8c25cae023d5a2296701514cabfa42f5cd1e1dc3d2e8aba31f06320e7a4ad33e8922bc82d0cc8b0f81ac459d88ca041ef46cfc7ff48f6ed50d3ed8fa

  • SSDEEP

    98304:7hpBRKPfW06MTkpv9HlRCCdtwvO4pE17rDHzJdrSwxIYc4tUl:9pKTvTkN92ewv7YHzHrSwxTe

Score
10/10
ginpmp76bankercollectioncredential_accessdiscoveryevasioninfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

ginp

Version

2.8d

Botnet

mp76

C2

http://dirtysocks.top/

http://jackblack.cc/
Attributes
  • uri

    api201

Extracted

Family

ginp

C2

http://dirtysocks.top/api201/

http://jackblack.cc/api201/

Signatures

  • Ginp

    Ginp is an android banking trojan first seen in mid 2019.

    bankertrojaninfostealerginp
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Checks Android system properties for emulator presence. 1 TTPs 1 IoCs
    evasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • protect.onion.secret
    1⤵
    • Removes its main activity from the application launcher
    • Checks Android system properties for emulator presence.
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4260
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/protect.onion.secret/app_DynamicOptDex/ZtMCg.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/protect.onion.secret/app_DynamicOptDex/oat/x86/ZtMCg.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4287

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

3
T1633

System Checks

3
T1633.001

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/protect.onion.secret/app_DynamicOptDex/ZtMCg.json
    Filesize

    411KB

    MD5

    21ec2891e060a8df450c4bcee4e5e6fd

    SHA1

    dd5a23796226b64fc000ebc10697c5eb1937849d

    SHA256

    fa9210897df1c1834d4b73bc62efe6c4eec95e40c9f16924e88f94c7dc2b9f41

    SHA512

    b106ff0f4a47cca209284e4422037248af89f83ac448dc6d25415b3c321f3a04e5c6b6c7ae2ef75a753adb3295e5a50e17ab98673cae25ee192f34e7b57473cb

    Download Submit

  • /data/data/protect.onion.secret/app_DynamicOptDex/ZtMCg.json
    Filesize

    411KB

    MD5

    03fdf953812d27f51729c20b88e0e657

    SHA1

    6b852d36552296a5843af0fd65e7d7256b15f5f7

    SHA256

    b96e5d791f937fcb634ee193230e0b950976a412ad07273c3cc6875ecf3873c3

    SHA512

    a5cedd0acbf1242a37570231a472d33d93cad727266e5747bfc8830a866761c84e60e5b33a1a9eed4e762f5f158121ee1b10e64c485dbf25c84574b9157fe53a

    Download Submit

  • /data/data/protect.onion.secret/app_DynamicOptDex/oat/ZtMCg.json.cur.prof
    Filesize

    290B

    MD5

    a591a86ed14ef0ea59cd4c4692768b71

    SHA1

    e00044b756f821468abc9ec2710c131202811029

    SHA256

    afe1a15059be353d22eabc82e27d1b88d1c7d8e144cea8f300810d9f936c40ae

    SHA512

    72505089ece68a5c748451ce8aa558a0f7f07471e2a4b54389a0739f50728c97c8f488f28ec2b10d7223068c7863933d2dd99a0e079e8531518d110f938913fa

    Download Submit

  • /data/user/0/protect.onion.secret/app_DynamicOptDex/ZtMCg.json
    Filesize

    411KB

    MD5

    e1f4bf0547d786680f9d4d9c93bba283

    SHA1

    10edb27f819316bbb0c898dbf438b87b33871fb2

    SHA256

    4164c871d17c3c10f0926d2828c9328ea6960c024c531c3e2c330d2a9ef3fc68

    SHA512

    63e1dc53f87c9e98b0d166bd31be4682cde10464b3554cee9bea252a288cad5deeb17652d342975a21283440d5c5533e8fa62f6927b78ea093b05ac620fb7a7b

    Download Submit