Analysis
-
max time kernel
74953s -
max time network
137s -
platform
android_x86 -
resource
android-x86-arm-20220823-en -
resource tags
-
submitted
21-03-2023 14:56
General
-
Target
E74C08FD6AD250FA63E028CE7801ECA99A460562107CC40727B0FBCA80182196.apk
-
Size
3.4MB
-
MD5
b61470b9b40cc8a08b3244ae70a187f2
-
SHA1
fb5458ab4445ca6fbc77a2197585e4f8a5af0e32
-
SHA256
e74c08fd6ad250fa63e028ce7801eca99a460562107cc40727b0fbca80182196
-
SHA512
678b66b4f17f8371a876579ad7e5741c2f0b673f668463a9b714d773231493fb39aaf7dd48eacf848e6483813fc557787dfa350e801605f05662e03a8da6d9f7
-
SSDEEP
98304:2ejRZZYQi4+v4UakNXRoZq8mrw/JhjH4Ta:XnizLakoX3JyG
Malware Config
Extracted
hydra
http://saygosesgoforesosne.net
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra payload 2 IoCs
-
Makes use of the framework's Accessibility service. 2 IoCs
-
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Reads information about phone network operator.
Processes
-
com.flee.rail1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.flee.rail/app_DynamicOptDex/XfOkior.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.flee.rail/app_DynamicOptDex/oat/x86/XfOkior.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5032e1a1b4b49c11d3eb7c3104a05f55d
SHA1fd43fa9f1a8e00e63f147a9337691114b31334c4
SHA256ec43b47a030fd2865e4a8f2524ee28c994b0e7095ce0274c9c79b39ff1b876ad
SHA512f9eedd13eb7578eaa68e6aee4ee45c0d49163dadcf371a1279e1bce1562cb02383a10ba3e5dd6dc1257aeb86d1a42aff0f8ab01da652f4433798ec637093e1ee
-
Filesize
3.6MB
MD51ac9b8b312fb9e32ef83d0e75993a85f
SHA10f8efe3668c3ffef97492f705047f03028888a10
SHA25646f3cba22930221ff53e23f3988a24eedee3e20fefbf1966f2c2a4b97124aad9
SHA512c990304ffa84e41800106e3114ffe7f9baf5c3d27676d7e442a0bac7a7bcdbd027e5361983b314539fede8cf1452aae38aacec1d9047f52d70fae484e5f96ad3
-
Filesize
3.6MB
MD57d66063b17e478007eaf7d8e13305e05
SHA1bb0360fe73fa8aa8be409114e7d84fbfb09e6d99
SHA256a7df9f982dbad9adce236859a1ae6c79206b27ebbd8e8730f09e9461dd595757
SHA51211adefd47732d652f535aa8f58d3a2cb13586b56dc21d4ff2c686d93a6d7bf9344c8c7b89535a3eb78506c2f86676c1f7cf79b6f8083caa410b383384e43a3ae
-
Filesize
131B
MD56086ea8ca5c01d5f51ba153a7a76d400
SHA151bd08c54ecc0312ac475ea3a4a071a9176f1614
SHA2568081021356f68abee5bbc0c67a6ff9574a610a462c234dd6b88c3f44ef4c22a8
SHA512b1320495bbea212a81ef10e6cab3c49ea1e88622c028eff4578b6d08d0005effcd5801fb64328e1d180dabc3e01adc7e7d08adaf3fd91ae62a75e18e27734bbe