nexus | 3463bba03f7462cf23da29831ce69643a895c0925b3bf46a596e99f92020485d

Analysis

max time kernel
149s
max time network
155s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
20-09-2024 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3463bba03f7462cf23da29831ce69643a895c0925b3bf46a596e99f92020485d.apk
Size

4.8MB
MD5

db81b2219bdfb926428a8186b7d2ea56
SHA1

83f36d09723151c1480361cdf1c57dd24aff0bdd
SHA256

3463bba03f7462cf23da29831ce69643a895c0925b3bf46a596e99f92020485d
SHA512

7c15df9fcf38e605cf147b4ef65acf0dc1063d2f6ba5ac92f1a842197fd0ddd714dc7e6d0e5a75ae4d22a6f16e7d26e5d0ec8518e10411751c0afbd2a5130d76
SSDEEP

98304:N+M/s+sJjmALGRiUXb1MK+bemf6wsbHok1Vm7z6oNNsV1OUmT+DEHAytd0EZLFk:Mh+2pizXRM5LNJgnoQPO7K5ac

Score

10^/10

nexus banker collection credential_access discovery evasion execution infostealer persistence stealth trojan

Malware Config

Extracted

Family

nexus

http://109.206.243.54

http://109.206.243.55

Signatures

Nexus
Nexus is an Android banking trojan related to the SOVA banking trojan.
banker trojan infostealer nexus

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4246	com.machine.easily
4246	com.machine.easily

Checks Android system properties for emulator presence. 1 TTPs 1 IoCs

evasion

System Checks

T1633.001

description	ioc	Process
Accessed system property	key: ro.product.model	com.machine.easily

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.machine.easily/app_DynamicOptDex/Tdt.json	4270	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.machine.easily/app_DynamicOptDex/Tdt.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.machine.easily/app_DynamicOptDex/oat/x86/Tdt.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.machine.easily/app_DynamicOptDex/Tdt.json	4246	com.machine.easily

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.machine.easily
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.machine.easily

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccounts	com.machine.easily

Reads the contacts stored on the device. 1 TTPs 1 IoCs

collection

Contact List

T1636.003

description	ioc	Process
URI accessed for read	content://com.android.contacts/contacts	com.machine.easily

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.machine.easily

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.machine.easily

Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.machine.easily
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.machine.easily
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.machine.easily
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.machine.easily
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.machine.easily
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.machine.easily

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.machine.easily

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.machine.easily

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.machine.easily

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.machine.easily

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.machine.easily

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.machine.easily

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.machine.easily

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.machine.easily

com.machine.easily
1⤵
- Removes its main activity from the application launcher
- Checks Android system properties for emulator presence.
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4246
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.machine.easily/app_DynamicOptDex/Tdt.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.machine.easily/app_DynamicOptDex/oat/x86/Tdt.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4270

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Protected User Data

T1636

Contact List

T1636.003

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.machine.easily/app_DynamicOptDex/Tdt.json

Filesize
2.2MB

MD5
66847dd8909c63e501f5accb10f603da

SHA1
5b6c9f9d331930f62c9ce153899869929693a8b0

SHA256
c0d4c929866bcbf89bcc243561f9f3d8501ecb28aa7cb3dffcf5d401f0c0d64a

SHA512
68722fffa54d8ae523182ec9af8457996bd8d07bba1cee097d9ffc6ee3f4b8542bf8d7a7529c7c91eddd792fec7282b9ceab2006ae19b716c554c6b0dcfe0033

Download Submit
/data/data/com.machine.easily/app_DynamicOptDex/Tdt.json

Filesize
2.2MB

MD5
359ac4212288a3b52589868734d75fb0

SHA1
0fab0b48260b1acc7aab74fcc9bfa0d0302a2292

SHA256
c91eeac469d2f41f06659edda118f739b44d2b10321dc7d294c77fe4846815f8

SHA512
06b61216ab1bb43d3b4aae2f26062ef7987a4c128b493f5b93f224cf2dd063760c40b21bed0b1e5046f4e416bce86d5f312304bbd663b01f73a603e6dfd4fe9f

Download Submit
/data/data/com.machine.easily/app_DynamicOptDex/oat/Tdt.json.cur.prof

Filesize
2KB

MD5
d931159689cd176d0294ff05e42db7d7

SHA1
131ceceb495375fe998661ce7109e5929a747c18

SHA256
4716d9b819584d58326fe3328c3f7a79c40531d7317e7d51ceece0cef7c0cf7b

SHA512
102afae321139e80c454f1edc3ab0b2cc6347910de50b106eff1b6ee11d545d2f61c7460172a88a7153646948592217519174d089ff87dc345a005fcbb2104de

Download Submit
/data/data/com.machine.easily/app_DynamicOptDex/oat/Tdt.json.cur.prof

Filesize
2KB

MD5
8b0bac661b9bc043b97c0b19003d9b97

SHA1
6aa3902d484217a11ca7c62d00d3b0bcaaa4ee13

SHA256
f1c764f93ec61724e139365efee99f55f9afca092e17340b820ca45525c2c614

SHA512
3d3bb92531934eda5c743ab8d70aa6381487da8d92ce9787e4ef35df05e5f28cf6731f378590233193c05db9c54f6029c826170af4be9fd9789797cd4908557c

Download Submit
/data/data/com.machine.easily/app_DynamicOptDex/oat/Tdt.json.cur.prof

Filesize
2KB

MD5
edc69a9fd4d9e9cc11c88abc61b2e72f

SHA1
18f96efde0524fbb4fe94dc6056b0386a1abcd4e

SHA256
cad7bb25d561d5113524a9a4c0e219976e644fbe94fa22c810986b62539b43bb

SHA512
b221af2af355127cda55afd4fdd85af41c7520dc3a634779a41864c2c3a4832ef79afa3ba1ae2741db91d650b6c2a4687878f26c9c292b93338cb9f6af3624e4

Download Submit
/data/data/com.machine.easily/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.machine.easily/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
2262e2e0da59eb0019cde23441233893

SHA1
01a2b3eb3b63a3268fc80afcde2f2f947af6a548

SHA256
75bbf7f3e300910ebca14583ae77b30c82fdb64a136f5cf6f6b231ef6fa6b316

SHA512
b46072d850dfc015ca77e72bf7064dcd2d0a468147d5141f0b2ee0b26a601bec2ad1f80e6d50221e29a62cabd064b0ec7362c3a185356f90115fff7f854a8d19

Download Submit
/data/data/com.machine.easily/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.machine.easily/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
a4192346ac4ee2732ca987a84b400b0a

SHA1
64dfae8bfd5315ee6d36ac8043808057863eec53

SHA256
da6a4a03c5f66f766ed1ed6b964f460de856fbeb15e806a89dea1f3bdd12a264

SHA512
53172c262bff9b10318df242f3272ed29f6639032c5fc41e460249604189d2fe2c4cc596a9eff50d144f95d1bd846d69c368a51b8526be3c358724e8bd05709b

Download Submit
/data/data/com.machine.easily/no_backup/androidx.work.workdb-wal

Filesize
229KB

MD5
4dc1df21b4b918692e7a959d1aebe758

SHA1
cf61c977860c2d0888ce5b5a18e1f86e6f490bd6

SHA256
fd93b205bf1ec65c1c57d64ee8abf99a2726972b3783736bc41f9ebc31573cd2

SHA512
ed66b592a6ff037ab938e50931a908bef897ef67f5b854eca200f45b6093a7d8c06823a01c87a02bfdf461dfa01cab47aab9ba4627b1ef7e5a32d35bceaae87d

Download Submit
/data/data/com.machine.easily/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
ee92ff18f7590b65723c7de2628fca3e

SHA1
c8cdfbedad71a1769f32eefffa732a175ced3a57

SHA256
19939949ab8f9561ad2a6dc7036acdec9b8cce33da6d2ca8d1e064698465f3b2

SHA512
23e5f3df3926bdc192a2021981993fcb5cbabf11c961e14f1edd1081469ddbcc78ee68b2f373b876697b160a275543659cec69145dbff44a39690f7faee5e7d7

Download Submit
/data/user/0/com.machine.easily/app_DynamicOptDex/Tdt.json

Filesize
6.1MB

MD5
321b842e73eeb382065a6a9eee9d2462

SHA1
4530168202c720dfa562813c9fe202c240707538

SHA256
2ea38053a2a606cb8557675be9ad144a4f960e79bf4c0e4f6f394f9ba00d2590

SHA512
9f3e9e76b4aedbe85e0cb477ec2b5a37ac923477f20b92eec398acc3e434ddbde7af2fcb47fb69eb85f0cba05629e9765e1d5cac8729535a4f077a255a4ee160

Download Submit
/data/user/0/com.machine.easily/app_DynamicOptDex/Tdt.json

Filesize
6.1MB

MD5
0c1db3674754c44e368139d9563a5632

SHA1
f14d6c43da9158fbb817a7becd460897f8ad483e

SHA256
cd7e5696a7eae1f69df25d0617dc87696880ebf83a64cd1920cb4051e5e30c8a

SHA512
252d15da07d538b4cd6dcc3f91b00770e71af6762b3337800f43f9da2afc59381e626704ea3d62ba43eab0d60a99c4f6930daeae017860aeec1be76f5a52307d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads