hydra | f84e5ccc0c78f97e27d486f22c28f7f3c8f48f7455f51ce4c89940297057fd26 | Triage

Analysis

max time kernel
3633278s
max time network
126s
platform
android_x86
resource
android-x86-arm
submitted
08/02/2022, 08:57

Sharing

Report Analysis Logs

General

Target

bawag.apk
Size

7.1MB
MD5

fe213493a9e0ea129cb1fc2477e6fd92
SHA1

4952a1729ad0801823e3c71280c9f1d3429d2b17
SHA256

f84e5ccc0c78f97e27d486f22c28f7f3c8f48f7455f51ce4c89940297057fd26
SHA512

a950b627ade1410a313fe3cfd4fd6d8d0366cdca93597182a11055083dbe4070f13363c543abfdfb1f27935f8c2720c7abd5d74881b431b92a80064a2663fbed

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.msvmjhta.mekecjf/yggwfgyoyw/yajoTuhUujdguGy/base.apk.aUyG7kf1.k8y	5098	/system/bin/dex2oat
/data/user/0/com.msvmjhta.mekecjf/yggwfgyoyw/yajoTuhUujdguGy/base.apk.aUyG7kf1.k8y	4976	com.msvmjhta.mekecjf

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
70	ip-api.com

Reads information about phone network operator.

com.msvmjhta.mekecjf
1⤵
- Loads dropped Dex/Jar
PID:4976
- com.msvmjhta.mekecjf
  2⤵
  PID:5098
- /system/bin/dex2oat
  2⤵
  - Loads dropped Dex/Jar
  PID:5098
- com.msvmjhta.mekecjf
  2⤵
  PID:5296
- toolbox
  2⤵
  PID:5296
- com.msvmjhta.mekecjf
  2⤵
  PID:5396
- /system/bin/sh
  2⤵
  PID:5396
- /system/bin/ndk_translation_program_runner_binfmt_misc
  2⤵
  PID:5396
- com.msvmjhta.mekecjf
  2⤵
  PID:5462
- /system/bin/sh
  2⤵
  PID:5462
- /system/bin/ndk_translation_program_runner_binfmt_misc
  2⤵
  PID:5462
- - /system/bin/ndk_translation_program_runner_binfmt_misc
    3⤵
    PID:5490

/system/bin/ndk_translation_program_runner_binfmt_misc
1⤵
PID:5502

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads