hydra | 93c5e98c06963c8a320f5876148ad45fb6cce1a40a7aaee195cfa5027e19426b

Analysis

max time kernel
1657496s
max time network
145s
platform
android_x86
resource
android-x86-arm-20220621-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20220621-enlocale:en-usos:android-9-x86system
submitted
03-08-2022 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

latte.apk
Size

3.2MB
MD5

2766fe2cc89890935127ae864f88a309
SHA1

f7dc91ed1d4c85e72896b22acb9f192a36ca9ae3
SHA256

93c5e98c06963c8a320f5876148ad45fb6cce1a40a7aaee195cfa5027e19426b
SHA512

a9b59137d044d134417f63d38c361b9f5961f10915794a70c65e95a06bd6bdb5299325915b32be398808aabfd7aad5faea5a6b6617261b20a54f0fabb54f3ecb

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral1/memory/4461-0.dex	family_hydra
behavioral1/memory/4104-0.dex	family_hydra

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.alley.work
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.alley.work

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.alley.work/app_DynamicOptDex/ensC.json	4461	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.alley.work/app_DynamicOptDex/ensC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.alley.work/app_DynamicOptDex/oat/x86/ensC.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.alley.work/app_DynamicOptDex/ensC.json	4104	com.alley.work

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	ip-api.com

Reads information about phone network operator.

com.alley.work
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
PID:4104
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.alley.work/app_DynamicOptDex/ensC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.alley.work/app_DynamicOptDex/oat/x86/ensC.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4461

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.alley.work/app_DynamicOptDex/ensC.json

Filesize
1.9MB

MD5
5ecf01d33978fedd7b42ab821cf9ff6d

SHA1
b30d1e03d5b95d6b306edffd43193278040c15af

SHA256
0734ebf7a70547aadf5095877840feac1af670b74ed134acfdaadc566e9618f4

SHA512
41c74ebe30df0e32d9eda0a3b8a9ba735144a346a78b483ef0964a6fe25b6babb0589aced3a75af0ef1555cb9248afa310774b776db91e9daf7e4e90052719cc

Download Submit
/data/user/0/com.alley.work/app_DynamicOptDex/ensC.json

Filesize
5.0MB

MD5
3e61ae0bf61c3b3cb60ffaa3f8f94d91

SHA1
4ed87930beb32ea8e47e435b61332ff4866a65c4

SHA256
131219a0537c9bec6a762956e4ec6ff06144b368d6a3d699aa41c4261ade0e59

SHA512
0e56902679347a7870dffbdd4d7e89249b6d79ab0c3cb15bc67d42c52f5c89e9d41cc5c1c137eccf798723c0b2de8e7db32b691f06461fdca58b51b7775d15f0

Download Submit
/data/user/0/com.alley.work/app_DynamicOptDex/ensC.json

Filesize
5.0MB

MD5
89ea70b3fa129d5d03833444578a4c3f

SHA1
3499fb858c1f4de0cc8a5cb36d843d9f2f6d1328

SHA256
f49ea523bc202e6fd2a58a8034579684108cac3702bc1d989fbd068dab54955d

SHA512
fa4b40d7dd535e44267ca576260be9950e0371196d2b443d1bf36a50265a925c7c9b8b62db7337e9c5264abaacecf36db9390a3976ab9092b1c1368310f57368

Download Submit