Analysis

  • max time kernel
    965278s
  • max time network
    123s
  • platform
    android_x64
  • resource
    android-x64-arm64
  • submitted
    12/08/2021, 08:42 UTC

General

  • Target

    38157_Video_Oynatıcı.apk

  • Size

    3.0MB

  • MD5

    6ebeb85ffe32db161606a7c53722b890

  • SHA1

    dc93b4458efebbc4a15a330840f0c92359e4de95

  • SHA256

    5ce41f4ecbfa8fa2855689ec3cfc1015ccf17f00ad28fa3bd26b4b8c86c56ad9

  • SHA512

    6c89168da5662aef9e5753f802e16791668c1820971304b349f5560e829dfec272f13eb3726a4d0c0f339579b4ca006f1d4acc904513c71da69a0a4ecf7c2c69

Malware Config

Extracted

Family

hydra

C2

http://miguelgonzales123.xyz

Signatures

  • Hydra

    Android banker and info stealer.

  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Uses reflection 3 IoCs

Processes

  • com.bllgeqgp.qbyoikh (PID: 4173)
    • Loads dropped Dex/Jar
    • Uses reflection

Network

  • GET http://ad.doubleclick.net/ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=5946167711072;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0
    Remote address: 172.217.168.198:80
    Request
    GET /ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=5946167711072;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0 HTTP/1.1
    User-Agent: GoogleTagManager/4.00 (Linux; U; Android 11; en-us; sdk_gphone_x86_64_arm64 Build/RSR1.201211.001.A1)
    Host: ad.doubleclick.net
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 302 Found
    P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
    Timing-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    Date: Thu, 12 Aug 2021 08:42:16 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-cache, must-revalidate
    Location: https://adservice.google.com/ddm/fls/z/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=5946167711072;dc_muid=*;dc_lat=0
    Content-Type: text/html; charset=ISO-8859-1
    X-Content-Type-Options: nosniff
    Server: cafe
    Content-Length: 0
    X-XSS-Protection: 0
  • 1.1.1.1:853
    tls
    804 B
    3.4kB
    11
    8
  • 1.1.1.1:853
    tls
    7.1kB
    17.7kB
    63
    38
  • 172.217.168.198:80
    http://ad.doubleclick.net/ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=5946167711072;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0
    http
    650 B
    871 B
    6
    4

    HTTP Request

    GET http://ad.doubleclick.net/ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=5946167711072;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0

    HTTP Response

    302
  • 172.217.16.232:443
    ssl.google-analytics.com
    tls
    1.3kB
    5.7kB
    8
    6
  • 185.199.109.133:443
    gist.githubusercontent.com
    tls
    1.4kB
    5.6kB
    8
    7
  • 1.1.1.1:853
    tls
    882 B
    4.0kB
    11
    11
  • 1.1.1.1:853
    tls
    1.2kB
    1.1kB
    10
    10
  • 224.0.0.251:5353
    8.8kB
    46
  • 142.250.178.4:443
    https
    3.0kB
    6.9kB
    5
    5
  • 172.217.17.78:443
    https
    6.3kB
    13.1kB
    11
    14
