nexus | 1db47973bca9f92224b2f5976541c967cb0b2bdff04a66a700db8201d7aa5128

Analysis

max time kernel
27s
max time network
132s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
29/08/2024, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1db47973bca9f92224b2f5976541c967cb0b2bdff04a66a700db8201d7aa5128.apk
Size

4.7MB
MD5

bd848a07e2988d7c58669292d09f311f
SHA1

975146d6d6042e55a555346f25b870ef51662e83
SHA256

1db47973bca9f92224b2f5976541c967cb0b2bdff04a66a700db8201d7aa5128
SHA512

9887967f1194cc28b37ed771fa2f400922a89322274434dde805fd915eae5a9711efe1abb12a27cb8705f94837e9685b3cdb620cac944a20a45dab6734125bc8
SSDEEP

98304:D6fO6TBKEgRoMHNdcCKYeufeAnjUT/nUlF3nYM5G2Ndup0Ni40g0SpLxNc:+fOCKnjNOC7fTnjUjUl9YMIEupBZr

Score

10^/10

nexus banker collection credential_access discovery evasion execution impact infostealer persistence trojan

Malware Config

Extracted

Family

nexus

http://85.217.144.111/

Signatures

Nexus
Nexus is an Android banking trojan related to the SOVA banking trojan.
banker trojan infostealer nexus

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.fault.junior/app_DynamicOptDex/FQ.json	4471	com.fault.junior

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.fault.junior

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.fault.junior

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Reads the contacts stored on the device. 1 TTPs 1 IoCs

collection

Contact List

T1636.003

description	ioc	Process
URI accessed for read	content://com.android.contacts/contacts	com.fault.junior

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.fault.junior

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.fault.junior

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.fault.junior

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.fault.junior

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.fault.junior

com.fault.junior
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Reads the contacts stored on the device.
- Acquires the wake lock
- Queries information about active data network
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4471

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Protected User Data

T1636

Contact List

T1636.003

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.fault.junior/app_DynamicOptDex/FQ.json

Filesize
2.2MB

MD5
95c111d4533692543648fa432e7eaf8b

SHA1
e9b6057ab6eaa03bd6a8e47fc44e7a2b5132bb72

SHA256
13add8de3f6a709080a26836cf66d54d32d2dd9d125105d2722d5ee13969ebab

SHA512
0438aa4e05dd80c81af9b4b90e6772ce5351ccff350608de0c059dbb0f50cac9f209113941f3abce9e7e825c1115d872ec2580b47180a435e3f1c8bfd3015624

Download Submit
/data/data/com.fault.junior/app_DynamicOptDex/FQ.json

Filesize
2.2MB

MD5
64c4734a59f2cae419697863e8e5228b

SHA1
477d2341f20d8f53c68914db4810418941b4b0c4

SHA256
3a636e0b6cd67e825fd07d0503e850a25cdaea5b89ae1a24282b8f97e5341660

SHA512
480578f51af0036b0c149ffaf57861103461e183d3d23f49c9a4ae658d93cf7bf202db2762565599904b1f97851ece4018f7b05f57cb43af21e5d92dab335e51

Download Submit
/data/data/com.fault.junior/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/data/com.fault.junior/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
aadc7ab32abd49bbb51d24b2fa9f7cb8

SHA1
09a235882aa381078e50238dea19c4cabf8c179f

SHA256
1b20e6d2eb5512a500770399a327b7f9bbef03e41eb2f1594dbcfd862f5884de

SHA512
77c90bb1a710daa99480ca6603ece942c74e7e53b33662ee35ea88845aa93c3b7b39858ea194de11166d2d8c045f2a7a4b9bfbb1827791b2a82a77a9a97cf602

Download Submit
/data/data/com.fault.junior/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.fault.junior/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
55206e41bab4342bbd85b90f116c96bc

SHA1
c9040913ba63d97cb8911aa9478fa0dc2b12fdf9

SHA256
017e134dcf39d16489db849c5a2dfa0414c4ccb06b2bd24e7c544285e95f4572

SHA512
ff5e15d69e641d999bd6414d1e150a1cb24876660d990f8392627edf5c20585907cbb31adcfcb4d27c2631b0954a065494c257e18b4082c56b6ae0187fe24b76

Download Submit
/data/data/com.fault.junior/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
5c0e08cdf2667c4f5d467f7e8dc34f0c

SHA1
b0c08e6373a2123eea3b7a2fec2fcc0ed445d96b

SHA256
0922b411b0928018286792f382945d1c985afdccd5452b20c18b3ff2afbf9e08

SHA512
3d9d1c61f8cde4eb6ee75b84eb4eaa8f1594c0f3e71484f5638dabf36a7a12d2ffd03d636fa75d1badcf134a78e0987e28272f8d5064d97b9e424bf7522731a5

Download Submit
/data/data/com.fault.junior/no_backup/androidx.work.workdb-wal

Filesize
229KB

MD5
54c585ca401887cbc89d728fc63e7e81

SHA1
be66d3cddaf77735ead704620e4fce8b3c0350f8

SHA256
4f49d063f83b060a89b9dbe10cf2e81fd76e6e823c97b3cb7183214e9f4ef9dd

SHA512
0b4e64ad77f755b3d616db712aa2e6d31175bfcd8d2a4f7e650b2356d2269b202ed2e1b8149b58fd280d617b4a9efeea8aa6de24a1723f4fe42826f2b82a94e7

Download Submit
/data/user/0/com.fault.junior/app_DynamicOptDex/FQ.json

Filesize
6.1MB

MD5
84cbe9376e34550c1c7aaf8dc1f651f4

SHA1
ede6b527a761edbaf37f11d0e71caf8ae3039ba5

SHA256
36b8ad0bbf2458fdae9743cb87a2c9dbcef990581c90fba7566ebe414c31e210

SHA512
b8b96e77e77ea4803b9bdb27ed685d44878ea4fd2ab35abc9dbede3b0028e60d38c989448fe6377613684b85361f8ee38ad7ba58d379b608cc33ed325fd49530

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads