Analysis
-
max time kernel
179s -
max time network
192s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
09-08-2024 22:14
Static task
static1
Behavioral task
behavioral1
Sample
7ff64f6a0ebac8b2601ec169f0172e589a80f6f1347034f9fa368187f427b70c.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
7ff64f6a0ebac8b2601ec169f0172e589a80f6f1347034f9fa368187f427b70c.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
7ff64f6a0ebac8b2601ec169f0172e589a80f6f1347034f9fa368187f427b70c.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
7ff64f6a0ebac8b2601ec169f0172e589a80f6f1347034f9fa368187f427b70c.apk
-
Size
3.5MB
-
MD5
82a844bd0c82f91381b9d567adf014e5
-
SHA1
61be931e88b3ff5ac6b42216ad6a22c01b7105fd
-
SHA256
7ff64f6a0ebac8b2601ec169f0172e589a80f6f1347034f9fa368187f427b70c
-
SHA512
eb86ae1c8c25cae023d5a2296701514cabfa42f5cd1e1dc3d2e8aba31f06320e7a4ad33e8922bc82d0cc8b0f81ac459d88ca041ef46cfc7ff48f6ed50d3ed8fa
-
SSDEEP
98304:7hpBRKPfW06MTkpv9HlRCCdtwvO4pE17rDHzJdrSwxIYc4tUl:9pKTvTkN92ewv7YHzHrSwxTe
Malware Config
Extracted
ginp
2.8d
mp76
http://dirtysocks.top/
http://jackblack.cc/
-
uri
api201
Extracted
ginp
http://dirtysocks.top/api201/
http://jackblack.cc/api201/
Signatures
-
Ginp
Ginp is an android banking trojan first seen in mid 2019.
-
Processes:
protect.onion.secretpid process 4595 protect.onion.secret -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
protect.onion.secretioc pid process /data/user/0/protect.onion.secret/app_DynamicOptDex/ZtMCg.json 4595 protect.onion.secret /data/user/0/protect.onion.secret/app_DynamicOptDex/ZtMCg.json 4595 protect.onion.secret -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
protect.onion.secretdescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId protect.onion.secret Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText protect.onion.secret Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId protect.onion.secret -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Acquires the wake lock 1 IoCs
Processes:
protect.onion.secretdescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock protect.onion.secret -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
protect.onion.secretdescription ioc process Framework service call android.app.IActivityManager.setServiceForeground protect.onion.secret -
Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs
Application may abuse the accessibility service to prevent their removal.
Processes:
protect.onion.secretioc process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction protect.onion.secret android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction protect.onion.secret android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction protect.onion.secret -
Queries information about active data network 1 TTPs 1 IoCs
Processes:
protect.onion.secretdescription ioc process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo protect.onion.secret -
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
Processes:
protect.onion.secretdescription ioc process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS protect.onion.secret -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes:
protect.onion.secretdescription ioc process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS protect.onion.secret
Processes
-
protect.onion.secret1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4595
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
411KB
MD521ec2891e060a8df450c4bcee4e5e6fd
SHA1dd5a23796226b64fc000ebc10697c5eb1937849d
SHA256fa9210897df1c1834d4b73bc62efe6c4eec95e40c9f16924e88f94c7dc2b9f41
SHA512b106ff0f4a47cca209284e4422037248af89f83ac448dc6d25415b3c321f3a04e5c6b6c7ae2ef75a753adb3295e5a50e17ab98673cae25ee192f34e7b57473cb
-
Filesize
411KB
MD503fdf953812d27f51729c20b88e0e657
SHA16b852d36552296a5843af0fd65e7d7256b15f5f7
SHA256b96e5d791f937fcb634ee193230e0b950976a412ad07273c3cc6875ecf3873c3
SHA512a5cedd0acbf1242a37570231a472d33d93cad727266e5747bfc8830a866761c84e60e5b33a1a9eed4e762f5f158121ee1b10e64c485dbf25c84574b9157fe53a