Analysis

  • max time kernel
    179s
  • max time network
    192s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    09-08-2024 22:14

General

  • Target

    7ff64f6a0ebac8b2601ec169f0172e589a80f6f1347034f9fa368187f427b70c.apk

  • Size

    3.5MB

  • MD5

    82a844bd0c82f91381b9d567adf014e5

  • SHA1

    61be931e88b3ff5ac6b42216ad6a22c01b7105fd

  • SHA256

    7ff64f6a0ebac8b2601ec169f0172e589a80f6f1347034f9fa368187f427b70c

  • SHA512

    eb86ae1c8c25cae023d5a2296701514cabfa42f5cd1e1dc3d2e8aba31f06320e7a4ad33e8922bc82d0cc8b0f81ac459d88ca041ef46cfc7ff48f6ed50d3ed8fa

  • SSDEEP

    98304:7hpBRKPfW06MTkpv9HlRCCdtwvO4pE17rDHzJdrSwxIYc4tUl:9pKTvTkN92ewv7YHzHrSwxTe

Malware Config

Extracted

Family

ginp

Version

2.8d

Botnet

mp76

C2

http://dirtysocks.top/

http://jackblack.cc/

Attributes
  • uri

    api201

Extracted

Family

ginp

C2

http://dirtysocks.top/api201/

http://jackblack.cc/api201/

Signatures

  • Ginp

    Ginp is an android banking trojan first seen in mid 2019.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

Processes

  • protect.onion.secret
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4595

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/protect.onion.secret/app_DynamicOptDex/ZtMCg.json

    Filesize

    411KB

    MD5

    21ec2891e060a8df450c4bcee4e5e6fd

    SHA1

    dd5a23796226b64fc000ebc10697c5eb1937849d

    SHA256

    fa9210897df1c1834d4b73bc62efe6c4eec95e40c9f16924e88f94c7dc2b9f41

    SHA512

    b106ff0f4a47cca209284e4422037248af89f83ac448dc6d25415b3c321f3a04e5c6b6c7ae2ef75a753adb3295e5a50e17ab98673cae25ee192f34e7b57473cb

  • /data/user/0/protect.onion.secret/app_DynamicOptDex/ZtMCg.json

    Filesize

    411KB

    MD5

    03fdf953812d27f51729c20b88e0e657

    SHA1

    6b852d36552296a5843af0fd65e7d7256b15f5f7

    SHA256

    b96e5d791f937fcb634ee193230e0b950976a412ad07273c3cc6875ecf3873c3

    SHA512

    a5cedd0acbf1242a37570231a472d33d93cad727266e5747bfc8830a866761c84e60e5b33a1a9eed4e762f5f158121ee1b10e64c485dbf25c84574b9157fe53a