nexus | 1db47973bca9f92224b2f5976541c967cb0b2bdff04a66a700db8201d7aa5128

Analysis

max time kernel
179s
max time network
187s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
29/08/2024, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1db47973bca9f92224b2f5976541c967cb0b2bdff04a66a700db8201d7aa5128.apk
Size

4.7MB
MD5

bd848a07e2988d7c58669292d09f311f
SHA1

975146d6d6042e55a555346f25b870ef51662e83
SHA256

1db47973bca9f92224b2f5976541c967cb0b2bdff04a66a700db8201d7aa5128
SHA512

9887967f1194cc28b37ed771fa2f400922a89322274434dde805fd915eae5a9711efe1abb12a27cb8705f94837e9685b3cdb620cac944a20a45dab6734125bc8
SSDEEP

98304:D6fO6TBKEgRoMHNdcCKYeufeAnjUT/nUlF3nYM5G2Ndup0Ni40g0SpLxNc:+fOCKnjNOC7fTnjUjUl9YMIEupBZr

Score

10^/10

nexus banker collection credential_access discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

nexus

http://85.217.144.111/

Signatures

Nexus
Nexus is an Android banking trojan related to the SOVA banking trojan.
banker trojan infostealer nexus

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.fault.junior/app_DynamicOptDex/FQ.json	5066	com.fault.junior

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.fault.junior
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.fault.junior

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.fault.junior

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccounts	com.fault.junior

Reads the contacts stored on the device. 1 TTPs 1 IoCs

collection

Contact List

T1636.003

description	ioc	Process
URI accessed for read	content://com.android.contacts/contacts	com.fault.junior

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.fault.junior

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.fault.junior

Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fault.junior
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fault.junior
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fault.junior
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fault.junior
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fault.junior
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fault.junior

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.fault.junior

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.fault.junior

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.fault.junior

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.fault.junior

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.fault.junior

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.fault.junior

com.fault.junior
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:5066

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Protected User Data

T1636

Contact List

T1636.003

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.fault.junior/app_DynamicOptDex/FQ.json

Filesize
2.2MB

MD5
95c111d4533692543648fa432e7eaf8b

SHA1
e9b6057ab6eaa03bd6a8e47fc44e7a2b5132bb72

SHA256
13add8de3f6a709080a26836cf66d54d32d2dd9d125105d2722d5ee13969ebab

SHA512
0438aa4e05dd80c81af9b4b90e6772ce5351ccff350608de0c059dbb0f50cac9f209113941f3abce9e7e825c1115d872ec2580b47180a435e3f1c8bfd3015624

Download Submit
/data/data/com.fault.junior/app_DynamicOptDex/FQ.json

Filesize
2.2MB

MD5
64c4734a59f2cae419697863e8e5228b

SHA1
477d2341f20d8f53c68914db4810418941b4b0c4

SHA256
3a636e0b6cd67e825fd07d0503e850a25cdaea5b89ae1a24282b8f97e5341660

SHA512
480578f51af0036b0c149ffaf57861103461e183d3d23f49c9a4ae658d93cf7bf202db2762565599904b1f97851ece4018f7b05f57cb43af21e5d92dab335e51

Download Submit
/data/data/com.fault.junior/app_DynamicOptDex/oat/FQ.json.cur.prof

Filesize
4KB

MD5
890bfe946fc8e38f53e8d738fba51f4f

SHA1
e94b4f418a60bf5d72cd6d1f45e72421faf1e6ba

SHA256
e5309cd5e07c340dd8f6ed4d85b07902a3e6a4c8f65aaec5374144fb6d6c4969

SHA512
36f255637ba5141af317537a0742081d1c044c60e66132c00fc67e67bc098d98b72ad0abce056925cea19bc7fdb203efb5f44412f1886f087b1c282af72e5eb7

Download Submit
/data/data/com.fault.junior/app_DynamicOptDex/oat/FQ.json.cur.prof

Filesize
5KB

MD5
2db9f9f2ee54c8c3252ca3119a164a90

SHA1
a296a9a5721c0f07578bb538b5cbcaa8a7fde869

SHA256
1118113405e6c36bbec9e3aa829177014fe3655fc5eee0495927d58294644681

SHA512
15cdb324798c04e74fe4e33f3cc3e4806d334a74f4c1231f8b19bd2ecda3abebcb1f46c527f091a81fe53ccc962ef4dc263523587023a9b19b469cedd73eec32

Download Submit
/data/data/com.fault.junior/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.fault.junior/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
f491794f071f5d1515e7181d738186d6

SHA1
a85adb04d2263f8e24d16a1e21ae993c20b98c63

SHA256
9136d1a3917a7bdaf23b1267e7be3ff6d87034c87d1cad7d0b1d6dc56811dd43

SHA512
70c54a9808cc2dbefa1e256b6dd13b428c9c84f0e49695c014bc2cc2a6dfe9af7ada4cbc0fdc2902555bc013a18ee0d82d36dd82f37d81cc3ece5e57b82aece1

Download Submit
/data/data/com.fault.junior/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.fault.junior/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
902d8c0fc7a4c785d03d4d48b11fb45d

SHA1
90b77311b4b358cf1e0f3051633805173163db69

SHA256
82b20112398b15f36356628952d54acd0c7e03de4fe516062fe8edb8e7057a7f

SHA512
8e0a0b7d4f294642f47b4ae502bbc15e212334e60cd7f59e6692f9072189128357ee56d8734234e53c89aae53eb076f3fcd025340ece96d9980def9219997db6

Download Submit
/data/data/com.fault.junior/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
94051f20e72daf487a3b690f065e3ccc

SHA1
2d9d9590593af76b1459cab0b7c2f5a84ac5e4b3

SHA256
d3f3e89c2222602e343db74c5b06faeba68961b36685344229719292f5b22b56

SHA512
24b024e809e5d7db753b875cdfbaf6433c299920ca8555aa006920a4fcc81c847632d55f030569d408daacd39220c4dc28603e1328b1971adbc3e9e0a7e48aef

Download Submit
/data/data/com.fault.junior/no_backup/androidx.work.workdb-wal

Filesize
229KB

MD5
f7d7a3b9d3e629ca9c4d8a2b3c9aa2fb

SHA1
3c066d000ab42d5d3f58a3b19598de97271b0289

SHA256
9d5a0ec87b0ad9c0d220e6ef1119ce080af55eee95939b3ced5b930f4b51416e

SHA512
583f82e98e327ec35f06e7005cbc1472d54890c81b6d69269ce22918065ed776d469b37603a2810a0139518322d66555d4dc7c3e05aef74aef734f0e754cfa07

Download Submit
/data/user/0/com.fault.junior/app_DynamicOptDex/FQ.json

Filesize
6.1MB

MD5
84cbe9376e34550c1c7aaf8dc1f651f4

SHA1
ede6b527a761edbaf37f11d0e71caf8ae3039ba5

SHA256
36b8ad0bbf2458fdae9743cb87a2c9dbcef990581c90fba7566ebe414c31e210

SHA512
b8b96e77e77ea4803b9bdb27ed685d44878ea4fd2ab35abc9dbede3b0028e60d38c989448fe6377613684b85361f8ee38ad7ba58d379b608cc33ed325fd49530

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads