Analysis
-
max time kernel
1102711s -
max time network
131s -
platform
android_x86 -
resource
android-x86-arm-20220823-en -
resource tags
-
submitted
15-09-2022 15:13
General
-
Target
18c5bf8ee185102b2cffb7e19ea9480113e94544f78c4d3eef628f635c2b77b4.apk
-
Size
1.0MB
-
MD5
7b5ca7af7560e1e00a53e3b2da398e8d
-
SHA1
d553b5b5fdb8e5b9c8bf291039820b4ff30ace87
-
SHA256
18c5bf8ee185102b2cffb7e19ea9480113e94544f78c4d3eef628f635c2b77b4
-
SHA512
1c416cc854000256adb6d2e34b401ff53d919aa503e40b9153186669521840efb67f9affe698911c6acb487ed918dc01e4aebbf32eb3e81b1bb5dd4e29237295
-
SSDEEP
24576:a/xMjXBYdbtCk1w72Ctm/8Hf95fVkbLXZVs5A0w45:aZbnK72CcMfb9ULiA0w45
Malware Config
Extracted
hydra
http://laurenwarren1566.top
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra payload 2 IoCs
-
Makes use of the framework's Accessibility service. 2 IoCs
-
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Reads information about phone network operator.
Processes
-
com.pretty.flock1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pretty.flock/app_DynamicOptDex/NFxRTXU.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.pretty.flock/app_DynamicOptDex/oat/x86/NFxRTXU.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
231KB
MD5013c636eab0b61fe2cc47ff1ef8c166b
SHA143c1e802c1498cd7bb498bd158a07d93dc13ae81
SHA256d1413e17fcd2bc60e0273d1f95226e7d0d7c38d89aeffab041d5d7f9ed6f24d0
SHA512e81a2d0e5bc965c1585e8183432cdc3babbb4b369028cecb65f0a0025b5e5a8b5c265ab86f9bdc810121b03206dc26dfd4741111656a9992aa3e500c76dcdb6b
-
Filesize
540KB
MD567481bbac1ac43b23efcccc36bc55953
SHA136d604d8e94d360c33caf0d2e62515303eca75af
SHA2564fe8cfda53af8fa93f7dcab4c82957aa368b2d8b471313f72e1f40581c6223ae
SHA512107a7dc55ee653b8d40aa1f8f6d87ae978e28598b9eca60356cd007aa3c56270edeb49dda3f9c4ad133fa4a361805cbbfc284b37743bf071459e62f90accabb9
-
Filesize
540KB
MD5f8fbd39fae1f279d2ee95d4b9b429df8
SHA1e8295b4144b3eeb0b217f42754552fa52f73f9d6
SHA2568cd48eebcb786d457864536178e41c4a97079606d1871d3c464eb741315fa01e
SHA51293756886ce2ee37f762a8227bb21fc697441a969e1ea7eed5961d49a9e0bfaa90e9047572bc50ef2dabfd9d883595748c8ea529cdef38965e5d93aa3c085c935
-
Filesize
131B
MD5280c9a0c28637cc99345d92564440dee
SHA1a0ca74739e33085f11ef8fe4557395324c41f8d2
SHA256ebefdb9cb356667cf4acfc984bbf34c81a2f6abee3ec34297f172cbbfff2f88d
SHA5122c63fa6a51ffb453cf0621262db9d760590351757842bd7a62184b16f909e122a39be1200e441514e029e5f3ad0294e82ba8cb9fe3a0fe46d0c108afbf439b04