Overview

overview

10

Static

static

6

db877682fd...00.apk

android-9-x86

10

db877682fd...00.apk

android-10-x64

10

db877682fd...00.apk

android-11-x64

10

Resubmissions

09/12/2024, 20:58

241209-zsbcqs1lc1 10

16/11/2024, 22:02

241116-1x4eraynep 10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    16/11/2024, 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db877682fd0d489d9cb9aa1083ca05aacd61d9e63675dee50c10b010e3946000.apk

  • Size

    4.8MB

  • MD5

    d3da3e52be0eb1ce46533f7e36f50e1c

  • SHA1

    fc58ac245d61664428727ab4afbad68b7b86b0e7

  • SHA256

    db877682fd0d489d9cb9aa1083ca05aacd61d9e63675dee50c10b010e3946000

  • SHA512

    0ad81172b5b3aacfb13855fa3f300f939e7480a1857337e76dcc2d68ddf8eee563d6c817f7cea42a8cf4c107fc7d6a4699969789100764549fbba54b0dccffb5

  • SSDEEP

    98304:O6PRNrPJ44RsVRdxaKgBemDx2+Po2DEN7Y06c9VreJ5L+UfVoMz0KpLpj:DRN7JDCRHabJQeo2mY29Ne/CUic

Score
10/10
nexusbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencetrojan

Malware Config

Extracted

Family

nexus

C2

http://109.206.243.54

http://109.206.243.55

Signatures

  • Nexus

    Nexus is an Android banking trojan related to the SOVA banking trojan.

    bankertrojaninfostealernexus
  • Nexus family
    nexus
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 12 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.car.debate
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries account information for other applications stored on the device
    • Reads the contacts stored on the device.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:5161

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Stored Application Data

1
T1409

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.car.debate/app_DynamicOptDex/LAGt.json
    Filesize

    2.2MB

    MD5

    74ee6286df3aa4521e5fdd6ee2477b79

    SHA1

    bce0760b786c0c6f0bcb2b580ead622ade38aedf

    SHA256

    2577bf7ba7953d11b816c0174efb60f68d32fbc0fc484f1e83ec38e9667d78c8

    SHA512

    6a355b2e3e35af509ef190de5b103b39bb594b3987f86b25601075a23a45ccf019f1ddfcce2aeee57136ff55c025b1dc210d5c9d9ae6354638e4d306d4f18366

    Download Submit

  • /data/data/com.car.debate/app_DynamicOptDex/LAGt.json
    Filesize

    2.2MB

    MD5

    da56247f322aa732e5c1b79e016339ae

    SHA1

    0b31c293536e12dd284218b82e3c596dfb6f4ddb

    SHA256

    bfe9cab5cfb0353027005ad0cefbc43f757faab39435bcf3f76d8f1b19b076f0

    SHA512

    7f4b95163fdada7574948dd8e528d377bba538907fbae90db5c9df9a0a50bbbb2fb831c7b11b0c4c2361c52508bbf9ca19d075c74777120acc4a6baec3b6f7c8

    Download Submit

  • /data/data/com.car.debate/app_DynamicOptDex/oat/LAGt.json.cur.prof
    Filesize

    5KB

    MD5

    7c8929689da3fa41090a4c63181a331c

    SHA1

    3ca7c2f7b4362383702d25ebe9eba58d58b1ff03

    SHA256

    63404c43cf8774b436591c35e7736b25e8208d3ebe89c892e333c157288f1444

    SHA512

    a306d66fc6c861e17c2fca9efe7e1f7ae6a5d4b75df1a7aa8401c849c924437768b003671a184d0a3e16173f2501881dd1e6687f6c35c2c21a8093a4e1f6e182

    Download Submit

  • /data/data/com.car.debate/app_DynamicOptDex/oat/LAGt.json.cur.prof
    Filesize

    6KB

    MD5

    1735561da670c17a255df7f8d88bc89c

    SHA1

    256f5bf74c0fda01356f3cb3b8136e3d4b6a2fa6

    SHA256

    d061b1cc75ba9c271e6d1a580d0913f62baa1b832072fec8ca836dfb1ab4745b

    SHA512

    7e1bd2d7ed9fcddef3bd28a771d6fd38b51fcb3f7dbd545ce5208b5307ec51b89f23cd351863422892067f19a2c07c24ffbb4f02d5577ba15c3229601fa65343

    Download Submit

  • /data/data/com.car.debate/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.car.debate/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    f0fbe7a2c7029d1c5c86ef98b69f2a96

    SHA1

    efd47d76936fd2cd691876836d8e5fe34bc3a3ed

    SHA256

    7e0c4514eb1b806a05baddbfa48faffd777a5b914726cbb1900117735592002d

    SHA512

    f76d90d181882e0bb844bb19cccc002b4ee12143608c03bcfeb116c3bb84d4fcd04ed385120d5d29921bfa0babc6fbf754b7c0354cf16c62b14a108bf0197d00

    Download Submit

  • /data/data/com.car.debate/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.car.debate/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    883a114c46f031a96f1091e09a684398

    SHA1

    86c047b9671b7f2bdb12e97e37f0af5c987ca8fe

    SHA256

    8b5b26e742c8332dbeb223b228ac76da1115923012bddf68bf431e45864923b4

    SHA512

    aced71be4a88e20c9bea02682d50915a487c6873072013f7d71b8d4e893d6141188f0acda2c96817880f16e9f314909c7229a1a000dba85cbe59aadd73b8b982

    Download Submit

  • /data/data/com.car.debate/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    0b4777f61d48b4cc9012bc87eaa0cb2b

    SHA1

    54b126215362a0a0a1785c6473a104dcd11aef53

    SHA256

    a952a507bfae9dcfab7f4a25487ef31c96292a561a0f73ce5d65a7bcf1e503ef

    SHA512

    4c3ffac2789f42602299c14634a133bba01ac4e2ee827f53b9afecd00a8073cd2dbaec4a7e70cdc7525621f13817e450b6cc45578de4cb0f47194488dc60eab2

    Download Submit

  • /data/data/com.car.debate/no_backup/androidx.work.workdb-wal
    Filesize

    221KB

    MD5

    60b5de60de0e68e1f9e74ec4bc598b38

    SHA1

    82ad61a067adbeb223c3b8eed4a27497dd7d8336

    SHA256

    bc7155ac7abd2723a184a472ac9ce86230924b2f1ecba07f92ec83e7c16f998f

    SHA512

    1d4e9ae9e722f6aae876df66414165e7408bb19757580966f4c270c2f54ce18b94e483aaf29aa0ac833e7b4de25a3b8750d99c95212fb63c2fea42c053df592a

    Download Submit

  • /data/user/0/com.car.debate/app_DynamicOptDex/LAGt.json
    Filesize

    6.1MB

    MD5

    cc20cd55132e50678f89fd6c8b862801

    SHA1

    2e2bca371167f78001b13f73e2bbded35fac84af

    SHA256

    e0f9a272f590ad53309e8d8aefb54cfed7c6d2113ff2255528bb739b09fc5579

    SHA512

    3660bdc5a0a6e99c0de6595c1c365143f6f26a9e44e46195dce3fd570cbd65f5c558be69a7f0a60843908a607792b0c2bfb4009c818d8c50b1a65e44ba321b8e

    Download Submit