hydra | 60df7c2041df50055a5c68749e34f3780f6962d4ed1a6944b1b67ecee913f25d

Analysis

max time kernel
4270882s
max time network
308s
platform
android_x86
resource
android-x86-arm-20220823-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
submitted
22-10-2022 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

574897127da229e7a7162b39bd20ba4becb89fc6fdfcf303a20deb1f456aead6.apk
Size

3.3MB
MD5

a121f64c01e31eaf2c4f896c9d596182
SHA1

2ac7b5d2882caef3a27b263e54d2acc2c888cae6
SHA256

574897127da229e7a7162b39bd20ba4becb89fc6fdfcf303a20deb1f456aead6
SHA512

2dd00b4b454f10b00729c45f3d1d3b7024f58b6ada7d89236a62ca620e4e874b2c6cd71027ffb5a9a0b1f88d5b20403108fd97537a4e38a4102d396628ff9ac9
SSDEEP

98304:GYNqFXbZBArOViBsKgPErzLUV9nS3AA6YyWPTYghI8i/:Gy0DAKViBePE3qnmkYKghI8I

Score

10^/10

hydra banker infostealer trojan

Malware Config

Extracted

Family

hydra

http://patrikvillalobos43.top

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral3/memory/4150-0.dex	family_hydra
behavioral3/memory/4091-0.dex	family_hydra

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.develop.oak
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.develop.oak
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.develop.oak

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.develop.oak/app_DynamicOptDex/cN.json	4150	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.develop.oak/app_DynamicOptDex/cN.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.develop.oak/app_DynamicOptDex/oat/x86/cN.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.develop.oak/app_DynamicOptDex/cN.json	4091	com.develop.oak

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
50	ip-api.com

Reads information about phone network operator.

com.develop.oak
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
PID:4091
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.develop.oak/app_DynamicOptDex/cN.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.develop.oak/app_DynamicOptDex/oat/x86/cN.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4150

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.develop.oak/app_DynamicOptDex/cN.json

Filesize
1.3MB

MD5
97d4b64a466781c4801ad368a3fe6835

SHA1
7ed66a278604ce4c351fc34d093a3c4a18fcbd18

SHA256
1aa5530a2168346d179c6155275281c9f9c4161823e9f6bfdc58a3eed78a0ddf

SHA512
376fc37722d74c642c0d39f04d13ade2254b5d4594269cb41d3f7b2888abd2b2e8181057064fad39f8629558731778e6f564679b75caa2d6a0279f2c934d3d96

Download Submit
/data/user/0/com.develop.oak/app_DynamicOptDex/cN.json

Filesize
3.6MB

MD5
fd421c8a0c73be11fd35f5e92610f132

SHA1
06a8dbfb2cba0729aa23d4fa246164e7d3fbb08b

SHA256
d68fad0cd2fe1b0553f3631c94a0298962e453007e0982a201caf977a99d54f6

SHA512
75dec9f04a485b498e58f6284d52f133fc4d455b60772ce145744ecacc0a5adcaa579e833d27288b62229c69b87bf7dda520cdad5d982b16eeeca51c9aa3f807

Download Submit
/data/user/0/com.develop.oak/app_DynamicOptDex/cN.json

Filesize
3.6MB

MD5
d899dd16c2902841de08147f0ca25801

SHA1
28aa6dc8196050c8f5a07ace3b60e2fe9bd2d838

SHA256
470da53b16f9f845d4c5883ea285a6d590212c7c0df586abe275f8913a096384

SHA512
b0979c2eb3fcb3e98c5c8a29c4f7b00cd696f2e69c24ac2c060422861f972bf8174ac69f0ae08cf060116b591d573c983242056d9c1e8d63c93fb0c588f202cb

Download Submit
/data/user/0/com.develop.oak/app_apk/payload.apk

Filesize
974KB

MD5
3baeaa766ea7f31a9147208efd957c75

SHA1
c701de3d0e55425394ccbf8e0967639e86f3c54e

SHA256
75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d

SHA512
9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

Download Submit
/data/user/0/com.develop.oak/shared_prefs/pref_name_setting.xml

Filesize
131B

MD5
28bf8c7b13f4e68f1a04daedbfa29fed

SHA1
ae1d0e895a0c627152de7a102e7ab77cd44ea507

SHA256
e10a4019c8c0b8e22de0a460466d3b147e3be5b5dc71edbd8e41b4435f1f8f7d

SHA512
5cb20488e66d1829aa4b4d0efe6f3f5aa12b8b7630e54e4de377535eab4e770f07c8fc7920b305ca3512994058634cd1b38df218ed60aa58be7a91f5699e574f

Download Submit