Analysis

  • max time kernel
    179s
  • max time network
    187s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    09/08/2024, 22:14 UTC

General

  • Target
    63d0fcd106ab92ef9bb44c4f9d5b559531cd24dcc62e377717cb9f885a5c8caa.apk
  • Size
    3.4MB
  • MD5
    52301365a3a1a1d6b6c9e94271159768
  • SHA1
    5da4246d752d12229847cc7b25a2388c5423bcec
  • SHA256
    63d0fcd106ab92ef9bb44c4f9d5b559531cd24dcc62e377717cb9f885a5c8caa
  • SHA512
    8d655ef2182d460a46d67b3e7e678a3ad2ee4d05b12a1d8b73164f7e1a4d8ba3c0211d3de2338401544b4f7eb25e63b190a40aeec33065f14b3da9029d314ea4
  • SSDEEP
    98304:92PObmie/f4BrTFASJwbJOxPrDW4MAnIU/NefHZCFvh:92P8mieIB/mSJqJKDWZALNtP

Malware Config

Extracted

  • Family
    ginp
  • Version
    2.8d
  • Botnet
    mp76
  • C2
    http://dirtysocks.top/
    http://jackblack.cc/
  • Attributes
    uri: api201

Extracted

  • Family
    ginp
  • C2
    http://dirtysocks.top/api201/
    http://jackblack.cc/api201/

Signatures

  • Ginp

    Ginp is an Android banking trojan first seen in mid-2019.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • sweet.govern.sphere
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4269
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/sweet.govern.sphere/app_DynamicOptDex/DgmqWy.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/sweet.govern.sphere/app_DynamicOptDex/oat/x86/DgmqWy.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4295

Network

  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.42
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.234
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
  • flag-us
    DNS
    dirtysocks.top
    Remote address:
    1.1.1.1:53
    Request
    dirtysocks.top
    IN A
    Response
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    172.217.169.14
  • flag-us
    DNS
    jackblack.cc
    Remote address:
    1.1.1.1:53
    Request
    jackblack.cc
    IN A
    Response
    jackblack.cc
    IN A
    107.178.223.183
    jackblack.cc
    IN A
    104.155.138.21
  • flag-us
    POST
    http://jackblack.cc/api201/_ping.php
    Remote address:
    107.178.223.183:80
    Request
    POST /api201/_ping.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: jackblack.cc
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Content-Length: 689
    Response
    HTTP/1.1 200 OK
    Content-Length: 0
  • flag-us
    POST
    http://jackblack.cc/api201/_ping.php
    Remote address:
    107.178.223.183:80
    Request
    POST /api201/_ping.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: jackblack.cc
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Content-Length: 659
    Response
    HTTP/1.1 200 OK
    Content-Length: 0
  • flag-us
    POST
    http://jackblack.cc/api201/_ping.php
    Remote address:
    104.155.138.21:80
    Request
    POST /api201/_ping.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: jackblack.cc
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Content-Length: 698
    Response
    HTTP/1.1 200 OK
    Content-Length: 0
  • flag-us
    POST
    http://jackblack.cc/api201/_ping.php
    Remote address:
    104.155.138.21:80
    Request
    POST /api201/_ping.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: jackblack.cc
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Content-Length: 659
    Response
    HTTP/1.1 200 OK
    Content-Length: 0
  • flag-us
    POST
    http://jackblack.cc/api201/_ping.php
    Remote address:
    107.178.223.183:80
    Request
    POST /api201/_ping.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: jackblack.cc
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Content-Length: 431
    Response
    HTTP/1.1 200 OK
    Content-Length: 0
  • 216.58.213.10:443
    tls, https
    202 B
    40 B
    1
    1
  • 142.250.200.46:443
    tls, https
    858 B
    40 B
    1
    1
  • 172.217.169.14:443
    android.apis.google.com
    tls
    4.7kB
    8.6kB
    14
    22
  • 107.178.223.183:80
    http://jackblack.cc/api201/_ping.php
    http
    1.3kB
    306 B
    6
    5

    HTTP Request

    POST http://jackblack.cc/api201/_ping.php

    HTTP Response

    200
  • 107.178.223.183:80
    jackblack.cc
    360 B
    6
  • 107.178.223.183:80
    jackblack.cc
    360 B
    6
  • 107.178.223.183:80
    jackblack.cc
    360 B
    6
  • 107.178.223.183:80
    http://jackblack.cc/api201/_ping.php
    http
    1.2kB
    306 B
    6
    5

    HTTP Request

    POST http://jackblack.cc/api201/_ping.php

    HTTP Response

    200
  • 107.178.223.183:80
    jackblack.cc
    360 B
    6
  • 107.178.223.183:80
    jackblack.cc
    360 B
    6
  • 104.155.138.21:80
    http://jackblack.cc/api201/_ping.php
    http
    1.3kB
    306 B
    7
    5

    HTTP Request

    POST http://jackblack.cc/api201/_ping.php

    HTTP Response

    200
  • 104.155.138.21:80
    jackblack.cc
    360 B
    6
  • 104.155.138.21:80
    jackblack.cc
    360 B
    6
  • 142.250.180.14:443
    520 B
    10
  • 172.217.169.34:443
    520 B
    10
  • 104.155.138.21:80
    http://jackblack.cc/api201/_ping.php
    http
    1.5kB
    306 B
    11
    5

    HTTP Request

    POST http://jackblack.cc/api201/_ping.php

    HTTP Response

    200
  • 104.155.138.21:80
    jackblack.cc
    360 B
    6
  • 104.155.138.21:80
    jackblack.cc
    360 B
    6
  • 104.155.138.21:80
    jackblack.cc
    360 B
    6
  • 104.155.138.21:80
    jackblack.cc
    360 B
    6
  • 107.178.223.183:80
    jackblack.cc
    360 B
    6
  • 107.178.223.183:80
    jackblack.cc
    360 B
    6
  • 107.178.223.183:80
    jackblack.cc
    360 B
    6
  • 107.178.223.183:80
    http://jackblack.cc/api201/_ping.php
    http
    1.0kB
    306 B
    6
    5

    HTTP Request

    POST http://jackblack.cc/api201/_ping.php

    HTTP Response

    200
  • 107.178.223.183:80
    jackblack.cc
    300 B
    5
  • 107.178.223.183:80
    jackblack.cc
    300 B
    5
  • 104.155.138.21:80
    jackblack.cc
    180 B
    3
  • 107.178.223.183:80
    jackblack.cc
    180 B
    3
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    288 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

  • 1.1.1.1:53
    dirtysocks.top
    dns
    60 B
    130 B
    1
    1

    DNS Request

    dirtysocks.top

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    172.217.169.14

  • 1.1.1.1:53
    jackblack.cc
    dns
    58 B
    90 B
    1
    1

    DNS Request

    jackblack.cc

    DNS Response

    107.178.223.183
    104.155.138.21

Downloads

  • /data/data/sweet.govern.sphere/app_DynamicOptDex/DgmqWy.json
    Filesize: 472KB
    MD5: 532f47bd059879853d45c9024db2f5d5
    SHA1: c9d79c9b9e1b7cd6f30e6d62b12aaefbb8479c8d
    SHA256: 1604134d0973b5f8777d3da241f3f3c1d554e4b19959b892ec88f7ef3b3ba883
    SHA512: 064365fde0f49636f87d153f8764de45c25d61b66240957f9acad3f8613c3c0295008e4630b6905e389a14b1c38f7c77d7643a087e803d9309810b23b8cb63e8

  • /data/data/sweet.govern.sphere/app_DynamicOptDex/DgmqWy.json
    Filesize: 472KB
    MD5: dc8c11ffdc73f8fcdce7097097f51d16
    SHA1: b9a2e4cacc1ae9d2cfc9ead61cd2b07d5fa1109b
    SHA256: 8d40f27d41ec4537af28858e19df9d58f7befc33de42a7a8107b57b380fbb308
    SHA512: 0bc247a08a9475167876d8a78b750848369865f2ebf7744ea7b78f711f3caf328b17ee19e153738e71229e486c0fc617d5267564b621525b5f4b1cdb2329d9bc

  • /data/data/sweet.govern.sphere/app_DynamicOptDex/oat/DgmqWy.json.cur.prof
    Filesize: 369B
    MD5: 3cd7c9d8d983b707403226cb00404cb5
    SHA1: c0892ee54704e89fd8d3c775045d974c3840a89b
    SHA256: f8a6fb43e5661f08dc669c71bcc7e8b0b0c1664f20c99aff73e932006665e52a
    SHA512: 330fbabf267a46c2b1b1d486deb7450c6aab9efd8515596831cc5993a0c88e8e41ba88ee047382c238dc6e02b9e783e89eb80bf34f32667251b94affe482a63f

  • /data/user/0/sweet.govern.sphere/app_DynamicOptDex/DgmqWy.json
    Filesize: 472KB
    MD5: f751313d509d2ea13f7ca5af44148b4e
    SHA1: b810e5497389b33da60d2a100e524eee6fa8e457
    SHA256: 15909822838fc6e757a81d411098573742d9a188be5cd661ec609a9786144b69
    SHA512: ed7933845c4fe239f8cbdd62ffa0522e62315ee421b5d5d30f020b79a5ef0aa41afd82d0ecde1ac9a501174dc6f5483d02ab4e84e0164e0e47633feb770ce2d2
