Analysis
max time kernel: 78548s
max time network: 132s
platform: android_x64
resource: android-x64-arm64-20220823-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20220823-en, locale:en-us, os:android-11-x64, system
submitted: 21-03-2023 14:56
Static task: static1

Behavioral task: behavioral1
Sample: E74C08FD6AD250FA63E028CE7801ECA99A460562107CC40727B0FBCA80182196.apk
Resource: android-x86-arm-20220823-en

Behavioral task: behavioral2
Sample: E74C08FD6AD250FA63E028CE7801ECA99A460562107CC40727B0FBCA80182196.apk
Resource: android-x64-20220823-en

Behavioral task: behavioral3
Sample: E74C08FD6AD250FA63E028CE7801ECA99A460562107CC40727B0FBCA80182196.apk
Resource: android-x64-arm64-20220823-en
General
Target: E74C08FD6AD250FA63E028CE7801ECA99A460562107CC40727B0FBCA80182196.apk
Size: 3.4MB
MD5: b61470b9b40cc8a08b3244ae70a187f2
SHA1: fb5458ab4445ca6fbc77a2197585e4f8a5af0e32
SHA256: e74c08fd6ad250fa63e028ce7801eca99a460562107cc40727b0fbca80182196
SHA512: 678b66b4f17f8371a876579ad7e5741c2f0b673f668463a9b714d773231493fb39aaf7dd48eacf848e6483813fc557787dfa350e801605f05662e03a8da6d9f7
SSDEEP: 98304:2ejRZZYQi4+v4UakNXRoZq8mrw/JhjH4Ta:XnizLakoX3JyG

Malware Config
Extracted: hydra
http://saygosesgoforesosne.net
Signatures

Hydra
Android banker and info stealer.

Hydra payload (1 IoC)
Processes:
resource: /data/user/0/com.flee.rail/app_DynamicOptDex/XfOkior.json
yara_rule: family_hydra

Makes use of the framework's Accessibility service. (2 IoCs)
Processes:
description: Framework service call
ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
process: com.flee.rail
description: Framework service call
ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
process: com.flee.rail

Loads dropped Dex/Jar (1 IoC)
Runs executable file dropped to the device during analysis.
Processes:
ioc: /data/user/0/com.flee.rail/app_DynamicOptDex/XfOkior.json
pid: 4534
process: com.flee.rail

Requests enabling of the accessibility settings. (1 IoC)
Processes:
description: Intent action
ioc: android.settings.ACCESSIBILITY_SETTINGS
process: com.flee.rail

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow: 67
ioc: ip-api.com

Reads information about phone network operator.
Downloads

/data/user/0/com.flee.rail/app_DynamicOptDex/XfOkior.json
Filesize: 1.3MB
MD5: 032e1a1b4b49c11d3eb7c3104a05f55d
SHA1: fd43fa9f1a8e00e63f147a9337691114b31334c4
SHA256: ec43b47a030fd2865e4a8f2524ee28c994b0e7095ce0274c9c79b39ff1b876ad
SHA512: f9eedd13eb7578eaa68e6aee4ee45c0d49163dadcf371a1279e1bce1562cb02383a10ba3e5dd6dc1257aeb86d1a42aff0f8ab01da652f4433798ec637093e1ee

/data/user/0/com.flee.rail/app_DynamicOptDex/XfOkior.json
Filesize: 3.6MB
MD5: 7d66063b17e478007eaf7d8e13305e05
SHA1: bb0360fe73fa8aa8be409114e7d84fbfb09e6d99
SHA256: a7df9f982dbad9adce236859a1ae6c79206b27ebbd8e8730f09e9461dd595757
SHA512: 11adefd47732d652f535aa8f58d3a2cb13586b56dc21d4ff2c686d93a6d7bf9344c8c7b89535a3eb78506c2f86676c1f7cf79b6f8083caa410b383384e43a3ae

/data/user/0/com.flee.rail/app_DynamicOptDex/oat/XfOkior.json.cur.prof
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.flee.rail/shared_prefs/pref_name_setting.xml
Filesize: 131B
MD5: 8c9aa9899e23c0e2a7b612be315a5ccd
SHA1: 40ea686a7085abe22fbc3664358d85c35d2b9ca6
SHA256: ac9992024a33e42eb08b667fc83ffab3cd21c656647c7374d8286aac930316a1
SHA512: b8f9fbb8cd68e86e3724d9a773578d07710c0baa89f179e211fb27067b98f5bc964128fcaa00734e176bd5187277c3ade04c5fc00d633bbed7eb52a6a9def970