hydra | 93c5e98c06963c8a320f5876148ad45fb6cce1a40a7aaee195cfa5027e19426b

Analysis

max time kernel
1657500s
max time network
172s
platform
android_x64
resource
android-x64-arm64-20220621-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220621-enlocale:en-usos:android-11-x64system
submitted
03-08-2022 08:16

Target

latte.apk
Size

3.2MB
MD5

2766fe2cc89890935127ae864f88a309
SHA1

f7dc91ed1d4c85e72896b22acb9f192a36ca9ae3
SHA256

93c5e98c06963c8a320f5876148ad45fb6cce1a40a7aaee195cfa5027e19426b
SHA512

a9b59137d044d134417f63d38c361b9f5961f10915794a70c65e95a06bd6bdb5299325915b32be398808aabfd7aad5faea5a6b6617261b20a54f0fabb54f3ecb

Score

10^/10

Hydra payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.alley.work/app_DynamicOptDex/ensC.json	family_hydra

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.alley.work

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.alley.work
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.alley.work

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.alley.work

ioc pid process

/data/user/0/com.alley.work/app_DynamicOptDex/ensC.json 4751 com.alley.work
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

ioc	pid	process
/data/user/0/com.alley.work/app_DynamicOptDex/ensC.json	4751	com.alley.work

com.alley.work
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
PID:4751

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

/data/user/0/com.alley.work/app_DynamicOptDex/ensC.json

Filesize
1.9MB

MD5
5ecf01d33978fedd7b42ab821cf9ff6d

SHA1
b30d1e03d5b95d6b306edffd43193278040c15af

SHA256
0734ebf7a70547aadf5095877840feac1af670b74ed134acfdaadc566e9618f4

SHA512
41c74ebe30df0e32d9eda0a3b8a9ba735144a346a78b483ef0964a6fe25b6babb0589aced3a75af0ef1555cb9248afa310774b776db91e9daf7e4e90052719cc

Download Submit
/data/user/0/com.alley.work/app_DynamicOptDex/ensC.json

Filesize
5.0MB

MD5
89ea70b3fa129d5d03833444578a4c3f

SHA1
3499fb858c1f4de0cc8a5cb36d843d9f2f6d1328

SHA256
f49ea523bc202e6fd2a58a8034579684108cac3702bc1d989fbd068dab54955d

SHA512
fa4b40d7dd535e44267ca576260be9950e0371196d2b443d1bf36a50265a925c7c9b8b62db7337e9c5264abaacecf36db9390a3976ab9092b1c1368310f57368

Download Submit
/data/user/0/com.alley.work/app_DynamicOptDex/oat/ensC.json.cur.prof

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit