Analysis
-
max time kernel
179s -
max time network
190s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system -
submitted
09-08-2024 22:14
Static task
static1
Behavioral task
behavioral1
Sample
63d0fcd106ab92ef9bb44c4f9d5b559531cd24dcc62e377717cb9f885a5c8caa.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
63d0fcd106ab92ef9bb44c4f9d5b559531cd24dcc62e377717cb9f885a5c8caa.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
63d0fcd106ab92ef9bb44c4f9d5b559531cd24dcc62e377717cb9f885a5c8caa.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
63d0fcd106ab92ef9bb44c4f9d5b559531cd24dcc62e377717cb9f885a5c8caa.apk
-
Size
3.4MB
-
MD5
52301365a3a1a1d6b6c9e94271159768
-
SHA1
5da4246d752d12229847cc7b25a2388c5423bcec
-
SHA256
63d0fcd106ab92ef9bb44c4f9d5b559531cd24dcc62e377717cb9f885a5c8caa
-
SHA512
8d655ef2182d460a46d67b3e7e678a3ad2ee4d05b12a1d8b73164f7e1a4d8ba3c0211d3de2338401544b4f7eb25e63b190a40aeec33065f14b3da9029d314ea4
-
SSDEEP
98304:92PObmie/f4BrTFASJwbJOxPrDW4MAnIU/NefHZCFvh:92P8mieIB/mSJqJKDWZALNtP
Malware Config
Extracted
ginp
2.8d
mp76
http://dirtysocks.top/
http://jackblack.cc/
-
uri
api201
Extracted
ginp
http://dirtysocks.top/api201/
http://jackblack.cc/api201/
Signatures
-
Ginp
Ginp is an Android banking trojan first seen in mid-2019.
-
pid    Process
4479   sweet.govern.sphere
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs an executable file dropped to the device during analysis.
ioc                                                                    pid    Process
/data/user/0/sweet.govern.sphere/app_DynamicOptDex/DgmqWy.json         4479   sweet.govern.sphere
/data/user/0/sweet.govern.sphere/app_DynamicOptDex/DgmqWy.json         4479   sweet.govern.sphere
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description               ioc                                                                                                        Process
Framework service call    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId   sweet.govern.sphere
Framework service call    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText              sweet.govern.sphere
Framework service call    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId            sweet.govern.sphere
-
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Acquires the wake lock 1 IoCs
description               ioc                                              Process
Framework service call    android.os.IPowerManager.acquireWakeLock         sweet.govern.sphere
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description               ioc                                                      Process
Framework service call    android.app.IActivityManager.setServiceForeground        sweet.govern.sphere
-
Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs
Application may abuse the accessibility service to prevent its removal.
ioc                                                                                      Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction         sweet.govern.sphere
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction         sweet.govern.sphere
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction         sweet.govern.sphere
-
Queries information about active data network 1 TTPs 1 IoCs
description               ioc                                                              Process
Framework service call    android.net.IConnectivityManager.getActiveNetworkInfo            sweet.govern.sphere
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description       ioc                                                              Process
Intent action     android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS           sweet.govern.sphere
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description       ioc                                                              Process
Intent action     android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS            sweet.govern.sphere
Processes
-
sweet.govern.sphere
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4479
Network
MITRE ATT&CK Mobile v15
Defense Evasion
    Download New Code at Runtime 1
    Foreground Persistence 1
    Hide Artifacts 2
        Suppress Application Icon 1
        User Evasion 1
    Impair Defenses 1
        Prevent Application Removal 1
    Input Injection 1
Credential Access
    Access Notifications 1
    Input Capture 2
        GUI Input Capture 1
        Keylogging 1
Discovery
    Software Discovery 1
        Security Software Discovery 1
    System Network Connections Discovery 1
Downloads
-
Filesize
472KB
MD5
532f47bd059879853d45c9024db2f5d5
SHA1
c9d79c9b9e1b7cd6f30e6d62b12aaefbb8479c8d
SHA256
1604134d0973b5f8777d3da241f3f3c1d554e4b19959b892ec88f7ef3b3ba883
SHA512
064365fde0f49636f87d153f8764de45c25d61b66240957f9acad3f8613c3c0295008e4630b6905e389a14b1c38f7c77d7643a087e803d9309810b23b8cb63e8
-
Filesize
472KB
MD5
dc8c11ffdc73f8fcdce7097097f51d16
SHA1
b9a2e4cacc1ae9d2cfc9ead61cd2b07d5fa1109b
SHA256
8d40f27d41ec4537af28858e19df9d58f7befc33de42a7a8107b57b380fbb308
SHA512
0bc247a08a9475167876d8a78b750848369865f2ebf7744ea7b78f711f3caf328b17ee19e153738e71229e486c0fc617d5267564b621525b5f4b1cdb2329d9bc