Analysis

  • max time kernel: 179s
  • max time network: 131s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 23-08-2024 02:46

General

  • Target: ba0f6651ba5d326eafb98852d21f1ca7_JaffaCakes118.apk
  • Size: 2.3MB
  • MD5: ba0f6651ba5d326eafb98852d21f1ca7
  • SHA1: e33246543b6101ea8c814e8217206a8eb509731f
  • SHA256: 2dfb463d1cb45b11057be719e4db78a43a4d559105288e7432492b8698ad30b8
  • SHA512: 4896f9a09ccc975320a70ef461af24bf919649ffacfc32eb66d2a09653adb3c22dcf7d7cf58f77024fa4eaeda9369bbc7c6fc52059f8503cf091810a8ebf68d0
  • SSDEEP: 49152:pBzgXeOUhnBCM6vbomao346YH9JkwiCJlZ24Fx/TuUTa+ILJdhUA:pGsyV5L46yJICtF9pa+ILp

Malware Config

Extracted

  • Family: ginp
  • Version: 2.8c
  • Botnet: flash1
  • C2:
    http://riseagain.top/
    http://brandnewcadillac.top/
  • Attributes
    • uri: api200

Extracted

  • Family: ginp
  • C2:
    http://riseagain.top/api200/
    http://brandnewcadillac.top/api200/

Signatures

  • Ginp

    Ginp is an Android banking trojan first seen in mid-2019.

  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 3 IoCs)

    Runs an executable file dropped onto the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse a foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 3 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries information about the active data network (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests enabling of the accessibility settings (1 IoC)

Processes

  • ndspezcoatunzfzfjdfqxg.uzloueokqtahm.axxru
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests enabling of the accessibility settings.
    PID:4257
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/ndspezcoatunzfzfjdfqxg.uzloueokqtahm.axxru/app_DynamicOptDex/KIf.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/ndspezcoatunzfzfjdfqxg.uzloueokqtahm.axxru/app_DynamicOptDex/oat/x86/KIf.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4282
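The child process above is the runtime compiling a file called KIf.json out of the app's private app_DynamicOptDex directory, which is what the "Loads dropped Dex/Jar" signature keys on. The following Python is an added example, not part of the sandbox report or of the sample: it parses that dex2oat command line into its options and then checks whether the file handed to --dex-file is really a DEX (magic, Adler-32 checksum, SHA-1 signature, size fields). Because the report does not reproduce KIf.json, the bytes checked here are a constructed header-only DEX stand-in built by build_sample_dex(); the helper names are the example's own.

```python
import hashlib
import struct
import zlib

# dex2oat invocation copied from the report's process tree (child PID 4282
# of the sample's main process).
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art "
    "--runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/ndspezcoatunzfzfjdfqxg.uzloueokqtahm.axxru/app_DynamicOptDex/KIf.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/ndspezcoatunzfzfjdfqxg.uzloueokqtahm.axxru/app_DynamicOptDex/oat/x86/KIf.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# DEX magics for versions 035 through 039 (Android 1 through 10).
DEX_MAGICS = (b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0")
DEX_HEADER_SIZE = 0x70
CODE_EXTENSIONS = (".dex", ".jar", ".apk", ".zip")
APP_PRIVATE_PREFIXES = ("/data/data/", "/data/user/")


def parse_dex2oat(cmdline):
    """Return dex2oat's --key=value options as a dict; the repeatable
    '--runtime-arg X' pairs are gathered into a list. A later duplicate
    of a --key=value option overrides the earlier one, as in dex2oat."""
    opts = {"runtime-arg": []}
    argv = cmdline.split()
    i = 1  # skip the program path
    while i < len(argv):
        arg = argv[i]
        if arg == "--runtime-arg" and i + 1 < len(argv):
            opts["runtime-arg"].append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            opts[key] = value
        i += 1
    return opts


def build_sample_dex():
    """Constructed stand-in for the dropped file: a header-only DEX with no
    classes, but with a correct Adler-32 checksum and SHA-1 signature.
    It is NOT the real KIf.json, whose contents the report does not show."""
    # file_size, header_size, endian_tag, then the 17 size/offset fields,
    # all zero because the file contains nothing but the header.
    tail = struct.pack("<3I", DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678)
    tail += b"\0" * (17 * 4)
    signature = hashlib.sha1(tail).digest()                  # covers offset 32..end
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF   # covers offset 12..end
    return DEX_MAGICS[0] + struct.pack("<I", checksum) + signature + tail


def inspect_dex(data):
    """Validate the DEX header fields the runtime itself relies on."""
    checks = {"magic_ok": False, "checksum_ok": False,
              "signature_ok": False, "size_ok": False}
    if len(data) >= DEX_HEADER_SIZE:
        checks["magic_ok"] = data[:8] in DEX_MAGICS
        (checksum,) = struct.unpack_from("<I", data, 8)
        checks["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
        checks["signature_ok"] = hashlib.sha1(data[32:]).digest() == data[12:32]
        file_size, header_size = struct.unpack_from("<2I", data, 32)
        checks["size_ok"] = file_size == len(data) and header_size == DEX_HEADER_SIZE
    checks["is_dex"] = all(checks.values())
    return checks


def triage_dynamic_dex(cmdline, file_bytes):
    """Combine the command line with the header check into the findings an
    analyst would record for the 'Loads dropped Dex/Jar' signature."""
    opts = parse_dex2oat(cmdline)
    dex_path = opts.get("dex-file", "")
    header = inspect_dex(file_bytes)
    findings = []
    if dex_path.startswith(APP_PRIVATE_PREFIXES):
        findings.append("dex2oat input lives in app-private storage, not the installed APK")
    if not dex_path.lower().endswith(CODE_EXTENSIONS):
        findings.append("dex2oat input carries a non-code extension: " + dex_path.rsplit("/", 1)[-1])
    if header["is_dex"]:
        findings.append("input has a valid DEX header (code payload disguised by its name)")
    elif header["magic_ok"]:
        findings.append("DEX magic present but checksum/signature/size mismatch (corrupt or tampered)")
    return {"options": opts, "header": header, "findings": findings}


if __name__ == "__main__":
    result = triage_dynamic_dex(DEX2OAT_CMDLINE, build_sample_dex())
    print("compiler-filter:", result["options"]["compiler-filter"])
    for line in result["findings"]:
        print("-", line)
```

When run against a file pulled from the device, the checksum and signature checks separate a genuinely loadable DEX from a file that merely starts with the magic; dex2oat rejects the latter, so a mismatch means the sandbox's successful compile run could not have come from that copy of the file.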

Network

  • DNS query (remote address 1.1.1.1:53, US)
    Request: semanticlocation-pa.googleapis.com IN A
    Response:
    semanticlocation-pa.googleapis.com IN A 172.217.169.74
    semanticlocation-pa.googleapis.com IN A 142.250.187.202
    semanticlocation-pa.googleapis.com IN A 142.250.179.234
    semanticlocation-pa.googleapis.com IN A 142.250.178.10
    semanticlocation-pa.googleapis.com IN A 172.217.16.234
    semanticlocation-pa.googleapis.com IN A 216.58.212.202
    semanticlocation-pa.googleapis.com IN A 142.250.200.42
    semanticlocation-pa.googleapis.com IN A 142.250.180.10
    semanticlocation-pa.googleapis.com IN A 216.58.201.106
    semanticlocation-pa.googleapis.com IN A 142.250.187.234
    semanticlocation-pa.googleapis.com IN A 216.58.204.74
    semanticlocation-pa.googleapis.com IN A 142.250.200.10
  • DNS query (remote address 1.1.1.1:53, US)
    Request: riseagain.top IN A
    Response: (no answer records)
  • DNS query (remote address 1.1.1.1:53, US)
    Request: android.apis.google.com IN A
    Response:
    android.apis.google.com IN CNAME clients.l.google.com
    clients.l.google.com IN A 216.58.204.78
  • DNS query (remote address 1.1.1.1:53, US)
    Request: brandnewcadillac.top IN A
    Response: (no answer records)
  • 142.250.200.10:443 (tls, https): 202 B sent, 40 B received; 1 packet sent, 1 packet received
  • 142.250.200.46:443 (tls, https): 858 B sent, 40 B received; 1 packet sent, 1 packet received
  • 216.58.204.78:443 android.apis.google.com (tls): 4.7kB sent, 8.7kB received; 14 packets sent, 23 packets received
  • 224.0.0.251:5353 (mDNS, multicast): 3.7kB sent; 11 packets sent
  • 1.1.1.1:53 semanticlocation-pa.googleapis.com (dns): 80 B sent, 272 B received; 1 packet sent, 1 packet received
    DNS Request: semanticlocation-pa.googleapis.com
    DNS Response: 172.217.169.74, 142.250.187.202, 142.250.179.234, 142.250.178.10, 172.217.16.234, 216.58.212.202, 142.250.200.42, 142.250.180.10, 216.58.201.106, 142.250.187.234, 216.58.204.74, 142.250.200.10
  • 1.1.1.1:53 riseagain.top (dns): 59 B sent, 129 B received; 1 packet sent, 1 packet received
    DNS Request: riseagain.top
    DNS Response: (no answer records)
  • 1.1.1.1:53 android.apis.google.com (dns): 69 B sent, 109 B received; 1 packet sent, 1 packet received
    DNS Request: android.apis.google.com
    DNS Response: 216.58.204.78
  • 1.1.1.1:53 brandnewcadillac.top (dns): 66 B sent, 136 B received; 1 packet sent, 1 packet received
    DNS Request: brandnewcadillac.top
    DNS Response: (no answer records)
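The two C2 domains from the Malware Config section are the only non-Google names the sample resolves, and both lookups come back without answer records, so no HTTP traffic to the configured endpoints can appear in this run. The Python below is an added example, not part of the report: it derives the full C2 endpoints from the base URLs plus the uri attribute (matching the report's second Extracted block) and correlates the configured hosts with a DNS log. The log is a constructed one-record-per-line transcription of the report's Network entries (only two of the Google answers are reproduced); its "-" convention for an unanswered query and all function names are the example's own.

```python
from urllib.parse import urljoin, urlparse

# Extracted Ginp configuration as listed in the report's first "Extracted"
# block (base C2 URLs plus the 'uri' attribute).
GINP_CONFIG = {
    "family": "ginp",
    "version": "2.8c",
    "botnet": "flash1",
    "c2": ["http://riseagain.top/", "http://brandnewcadillac.top/"],
    "attributes": {"uri": "api200"},
}

# Constructed DNS log modelled on the report's Network section, one record
# per line as "<name> <type> <answer>", with "-" for a query that received
# no answer records.
DNS_LOG = """\
semanticlocation-pa.googleapis.com A 172.217.169.74
semanticlocation-pa.googleapis.com A 142.250.187.202
riseagain.top A -
android.apis.google.com CNAME clients.l.google.com
clients.l.google.com A 216.58.204.78
brandnewcadillac.top A -
"""


def c2_endpoints(config):
    """Join each base C2 URL with the 'uri' attribute; this reproduces the
    report's second Extracted block (http://<host>/api200/)."""
    uri = config.get("attributes", {}).get("uri", "").strip("/")
    path = uri + "/" if uri else ""
    return [urljoin(base.rstrip("/") + "/", path) for base in config["c2"]]


def parse_dns_log(log):
    """Map each queried name to the set of answers it received (an empty
    set when the query was seen but nothing came back)."""
    answers = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        name, _rtype, answer = parts
        answers.setdefault(name, set())
        if answer != "-":
            answers[name].add(answer)
    return answers


def correlate_c2_dns(config, log):
    """For each C2 host in the config, report whether the sample looked it
    up and whether the lookup produced any records."""
    answers = parse_dns_log(log)
    report = {}
    for url in config["c2"]:
        host = urlparse(url).hostname
        if host not in answers:
            report[host] = "not queried"
        elif answers[host]:
            report[host] = "resolved"
        else:
            report[host] = "queried, unresolved"
    return report


def c2_contact_possible(report):
    """True only if at least one configured C2 host resolved. With every
    C2 unresolved, the absence of HTTP traffic to the endpoints is expected
    and says nothing about what the implant would do with a live server."""
    return any(state == "resolved" for state in report.values())


if __name__ == "__main__":
    for endpoint in c2_endpoints(GINP_CONFIG):
        print("C2 endpoint:", endpoint)
    status = correlate_c2_dns(GINP_CONFIG, DNS_LOG)
    for host, state in status.items():
        print(host + ":", state)
    print("C2 reachable during detonation:", c2_contact_possible(status))
```

The useful output for triage is the per-host state: a "queried, unresolved" C2 means the sample did try to call home, which confirms the extracted config is the live one, and that a replay with the domains pointed at a fake server is needed before judging the network behaviour.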

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/ndspezcoatunzfzfjdfqxg.uzloueokqtahm.axxru/app_DynamicOptDex/KIf.json
    Filesize: 466KB
    MD5: 78c07e1e8610bcf6741ad98589ee002e
    SHA1: cc5d34cef22dc5b936be3bb1f2195db84b030c6d
    SHA256: 6224469216b235d81633110027dc4f7edf3055b226d176cf53047b223fdabbc3
    SHA512: f83b5a8c352438755a759aabbdcd1e51963242ba0ad29fe15bb208082ce73f3878b9db14f000f0dd035136f8ef9a5b66f0f4116775e7de6a53071bb3558c93ab

  • /data/data/ndspezcoatunzfzfjdfqxg.uzloueokqtahm.axxru/app_DynamicOptDex/KIf.json
    Filesize: 466KB
    MD5: 086b552d02583ffb73bdbd357f49ab78
    SHA1: a7ea7c65520cb5fbc003f4be7a74a4392843f862
    SHA256: 191af0df4368088e64ebdb7fc6b21bd96b4e9a5afbedee853175014853e6810f
    SHA512: 0d5750ef2197192609c46819fffadce08a4eaede77e75d52e73914ac5c935d4b8cf434d12553a34a7f6e141e4088471e08324dbef4e3bca31f91156a64001359

  • /data/data/ndspezcoatunzfzfjdfqxg.uzloueokqtahm.axxru/app_DynamicOptDex/oat/KIf.json.cur.prof
    Filesize: 363B
    MD5: 058aac2ea091872eafe869100f4419dd
    SHA1: 7cd19b6adbc1bb2d29693e02b5632394b132543a
    SHA256: b48145226f0373f2e40452299332b5172d69e824b2ced4c753d89faac9963b95
    SHA512: 00a93a0fd731030b91fbbf761d293462e2c1c7116d92f94d6785d72a4d2db5a2b45dd629de850c6df1758904476d85a44be32fcc5366df0b4393af45923b1b6a

  • /data/user/0/ndspezcoatunzfzfjdfqxg.uzloueokqtahm.axxru/app_DynamicOptDex/KIf.json
    Filesize: 466KB
    MD5: 5da7b3f9eebfac188337d9f1a82b7575
    SHA1: 4773a643ff3feae5308920c9600526a3b58e2b46
    SHA256: 7509f3a8c097d26bf5e9b316430136d0d4a2e6df4390fa941ca96879a6716708
    SHA512: d5487c87e5c3d5e50171c89451a85bd4f7e821e362618639e23545f98b5cc755501a8e61637567127e0606ee4bd6521ea0d521fef82239b7f18acf30db51ece0
