Analysis

  • max time kernel
    2043857s
  • max time network
    48s
  • platform
    android_x64
  • resource
    android-x64-arm64
  • submitted
    13-10-2021 13:23

General

  • Target

    76032_Video_Oynatıcı.apk

  • Size

    8.4MB

  • MD5

    4d1d88ed96379c4b6b72b7f3f1727a97

  • SHA1

    691e2571c920f2dd184ff96c4ca05e89e2da2efc

  • SHA256

    ea6058517e957895fbd3c26cac63013df3442ceea289123c7afd4bd0b24bea82

  • SHA512

    8c7a25f81b67d42c9e9c7eda696a332cd136d01a5455af721b5c038117045f5d482aebfc4fd5a9ecdde408a64c9835cac72c14b2400e7a487d575650f6210b4b

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Loads dropped Dex/Jar 3 IoCs

    Runs executable file dropped to the device during analysis.

Processes

  • com.yfaehapg.yctcscs
    PID: 4910
    • Loads dropped Dex/Jar

Network

  • GET (NL)
    http://ad.doubleclick.net/ddm/activity/src=2542116;type=ytmusic;cat=youtu008;ord=5946167711072;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0
    Remote address:
    142.250.179.198:80
    Request
    GET /ddm/activity/src=2542116;type=ytmusic;cat=youtu008;ord=5946167711072;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0 HTTP/1.1
    User-Agent: GoogleTagManager/4.00 (Linux; U; Android 11; en-us; sdk_gphone_x86_64_arm64 Build/RSR1.201211.001.A1)
    Host: ad.doubleclick.net
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 302 Found
    P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
    Timing-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    Date: Wed, 13 Oct 2021 13:23:18 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-cache, must-revalidate
    Location: https://adservice.google.com/ddm/fls/z/src=2542116;type=ytmusic;cat=youtu008;ord=5946167711072;dc_muid=*;dc_lat=0
    Content-Type: text/html; charset=ISO-8859-1
    X-Content-Type-Options: nosniff
    Server: cafe
    Content-Length: 0
    X-XSS-Protection: 0
  • GET (NL)
    http://ad.doubleclick.net/ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=1142167518002;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0
    Remote address:
    142.250.179.198:80
    Request
    GET /ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=1142167518002;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0 HTTP/1.1
    User-Agent: GoogleTagManager/4.00 (Linux; U; Android 11; en-us; sdk_gphone_x86_64_arm64 Build/RSR1.201211.001.A1)
    Host: ad.doubleclick.net
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 302 Found
    P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
    Timing-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    Date: Wed, 13 Oct 2021 13:23:18 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-cache, must-revalidate
    Location: https://adservice.google.com/ddm/fls/z/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=1142167518002;dc_muid=*;dc_lat=0
    Content-Type: text/html; charset=ISO-8859-1
    X-Content-Type-Options: nosniff
    Server: cafe
    Content-Length: 0
    X-XSS-Protection: 0
  Connections (destination, domain or request if any, protocol, bytes sent / received, packets sent / received):

  • 1.1.1.1:853
    tls  864 B / 3.5kB  12 / 9
  • 1.1.1.1:853
    tls  4.9kB / 13.1kB  44 / 27
  • 142.250.179.198:80
    http://ad.doubleclick.net/ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=1142167518002;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0
    http  1.1kB / 1.6kB  8 / 6
    HTTP Request: GET http://ad.doubleclick.net/ddm/activity/src=2542116;type=ytmusic;cat=youtu008;ord=5946167711072;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0
    HTTP Response: 302
    HTTP Request: GET http://ad.doubleclick.net/ddm/activity/src=2542116;type=ytmusic;cat=youtu00c;ord=1;num=1142167518002;dc_muid=FE3F14EF316A00B107DFE15EF2807C5F;dc_lat=0
    HTTP Response: 302
  • 142.250.179.136:443
    ssl.google-analytics.com
    tls  1.2kB / 5.6kB  7 / 5
  • 1.1.1.1:853
    tls  727 B / 3.8kB  8 / 7
  • 224.0.0.251:5353
    8.1kB sent  27 packets sent
  • 142.250.179.132:443
    https  3.1kB / 8.3kB  6 / 6
  • 172.217.168.202:443
    https  6.2kB / 9.0kB  16 / 17
  • 142.250.179.206:443
    https  4.8kB / 11.5kB  9 / 11
  • 172.217.168.202:443
    https  6.4kB / 9.3kB  14 / 15

MITRE ATT&CK Matrix
