Overview

overview

10

Static

static

6

db877682fd...00.apk

android-9-x86

10

db877682fd...00.apk

android-10-x64

10

db877682fd...00.apk

android-11-x64

10

Resubmissions

09/12/2024, 20:58

241209-zsbcqs1lc1 10

16/11/2024, 22:02

241116-1x4eraynep 10

Analysis

  • max time kernel
    122s
  • max time network
    130s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    09/12/2024, 20:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db877682fd0d489d9cb9aa1083ca05aacd61d9e63675dee50c10b010e3946000.apk

  • Size

    4.8MB

  • MD5

    d3da3e52be0eb1ce46533f7e36f50e1c

  • SHA1

    fc58ac245d61664428727ab4afbad68b7b86b0e7

  • SHA256

    db877682fd0d489d9cb9aa1083ca05aacd61d9e63675dee50c10b010e3946000

  • SHA512

    0ad81172b5b3aacfb13855fa3f300f939e7480a1857337e76dcc2d68ddf8eee563d6c817f7cea42a8cf4c107fc7d6a4699969789100764549fbba54b0dccffb5

  • SSDEEP

    98304:O6PRNrPJ44RsVRdxaKgBemDx2+Po2DEN7Y06c9VreJ5L+UfVoMz0KpLpj:DRN7JDCRHabJQeo2mY29Ne/CUic

Score
10/10
nexusbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencetrojan

Malware Config

Extracted

Family

nexus

C2

http://109.206.243.54

http://109.206.243.55

Signatures

  • Nexus

    Nexus is an Android banking trojan related to the SOVA banking trojan.

    bankertrojaninfostealernexus
  • Nexus family
    nexus
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 33 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests enabling of the accessibility settings. 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.car.debate
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries account information for other applications stored on the device
    • Reads the contacts stored on the device.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests enabling of the accessibility settings.
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4633

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Stored Application Data

1
T1409

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.car.debate/app_DynamicOptDex/LAGt.json
    Filesize

    2.2MB

    MD5

    74ee6286df3aa4521e5fdd6ee2477b79

    SHA1

    bce0760b786c0c6f0bcb2b580ead622ade38aedf

    SHA256

    2577bf7ba7953d11b816c0174efb60f68d32fbc0fc484f1e83ec38e9667d78c8

    SHA512

    6a355b2e3e35af509ef190de5b103b39bb594b3987f86b25601075a23a45ccf019f1ddfcce2aeee57136ff55c025b1dc210d5c9d9ae6354638e4d306d4f18366

    Download Submit

  • /data/data/com.car.debate/app_DynamicOptDex/LAGt.json
    Filesize

    2.2MB

    MD5

    da56247f322aa732e5c1b79e016339ae

    SHA1

    0b31c293536e12dd284218b82e3c596dfb6f4ddb

    SHA256

    bfe9cab5cfb0353027005ad0cefbc43f757faab39435bcf3f76d8f1b19b076f0

    SHA512

    7f4b95163fdada7574948dd8e528d377bba538907fbae90db5c9df9a0a50bbbb2fb831c7b11b0c4c2361c52508bbf9ca19d075c74777120acc4a6baec3b6f7c8

    Download Submit

  • /data/data/com.car.debate/app_DynamicOptDex/oat/LAGt.json.cur.prof
    Filesize

    5KB

    MD5

    a14076cdf7f2b5830fa0d5229e1589f2

    SHA1

    ecd4f81e9bb40855c8d96c85a0a443e1fc30cba1

    SHA256

    986a4a52e0f9c05caea807e869302d14d8e4b2df541a14211ee177e4762e866f

    SHA512

    f149f92dd931fe391f76410dca013d2def74752d17886cb2736b1e2c5eeb36acec2852ed727b0d15449eded90d27b06e5edcdccdbae43e59731a528ccb4f7c20

    Download Submit

  • /data/data/com.car.debate/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/data/com.car.debate/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    ad2b7094f1bc94cdb275eb604701e10c

    SHA1

    c53e2f675d16d183f5a76bb76865ea7e00077b8e

    SHA256

    910b1b47a525e8e6a6594c846dd521f3e0debc992168f4f1ec8f1d7e8e4a16d0

    SHA512

    d093422ccd995be639263ff058fde292e216e6c118a1f3bd8f38e7b0c09f14e6b883c862eca567f5c39003a94212bc9262f893171cc1be1a9815565c7b1b7498

    Download Submit

  • /data/data/com.car.debate/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.car.debate/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    ffce14bdc6217ac459ea0df68a2191ac

    SHA1

    0c6a72aa65f2df6359184232a8ff30a44352934f

    SHA256

    5b19e008ea0a0ebd31a11875f3dd96f5fc42bd269347f0d979f77adc94dd9d64

    SHA512

    a170d46f5c103a42956422c3d8f4240b0409024519b9ded55518dec66a2ddb7689966fa857849d4f106706a13b5d4fe1ec840cd653bbd917993456fdf53dfa35

    Download Submit

  • /data/data/com.car.debate/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    8c1760a0737c5e0f38089aaf02e0f019

    SHA1

    08cfc5a97caaebc55af2186687f9fae0e8cbdb54

    SHA256

    9cdf0daad4523a8629c035fc4106e837045088a6e6867c28c1c8b976988d43f8

    SHA512

    66892d11523f18ec505d6183df4117cc2d4366482bf49dbdaae5d2d09d61de57659852067a43f502f324c86d05a00ec517eb84eaa74145b456763ba25816f4a0

    Download Submit

  • /data/data/com.car.debate/no_backup/androidx.work.workdb-wal
    Filesize

    221KB

    MD5

    a943bcda7db065adf61addae3361af56

    SHA1

    31389f36aec3713afe1ae9e69bd3a4a46496c40e

    SHA256

    e3ea9ae9566fa373710f73e3b20ffa39eaae543d4560b3cd182539da3d88bd8b

    SHA512

    942a3fb468a0df69fb40dab1d94970f3a9546de43330b510c86ff648deebe82aaf306bac9e5220f54d273a1479f59a5fbd6c0e2f6c4c554144d46244e83dbf92

    Download Submit

  • /data/user/0/com.car.debate/app_DynamicOptDex/LAGt.json
    Filesize

    6.1MB

    MD5

    cc20cd55132e50678f89fd6c8b862801

    SHA1

    2e2bca371167f78001b13f73e2bbded35fac84af

    SHA256

    e0f9a272f590ad53309e8d8aefb54cfed7c6d2113ff2255528bb739b09fc5579

    SHA512

    3660bdc5a0a6e99c0de6595c1c365143f6f26a9e44e46195dce3fd570cbd65f5c558be69a7f0a60843908a607792b0c2bfb4009c818d8c50b1a65e44ba321b8e

    Download Submit