hydra | a8528d464310f8269d0940a490b05576cb0cab77efe4e83ee45e9894d1f10656

Analysis

max time kernel
4067057s
max time network
163s
platform
android_x64
resource
android-x64-20230831-en
resource tags

androidarch:x64arch:x86image:android-x64-20230831-enlocale:en-usos:android-10-x64system
submitted
02-10-2023 22:00

Target

a8528d464310f8269d0940a490b05576cb0cab77efe4e83ee45e9894d1f10656.apk
Size

3.4MB
MD5

b532c2f074b1b02bb3dd32dfcdb213cc
SHA1

6e3ab01f4b61acb298d222b39550a3e13d94e47f
SHA256

a8528d464310f8269d0940a490b05576cb0cab77efe4e83ee45e9894d1f10656
SHA512

aeb1603a37fb2e05b1a2fd713982f49ded2a4f9ca6d49aded099c58f73f6413cb226211b91ff894fbb42833c92fa065184b42a0c8165b1f8adade168e52a3825
SSDEEP

98304:xnyhun2hLmRDhLZmz7CsLhPLA+Xs2ou6V2j8:Fn2BSZcrL5LD82bQ

Score

10^/10

Hydra payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.slow.what/app_DynamicOptDex/ZBsbJ.json	family_hydra1
/data/user/0/com.slow.what/app_DynamicOptDex/ZBsbJ.json	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.slow.what

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.slow.what
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.slow.what

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.slow.what

ioc pid process

/data/user/0/com.slow.what/app_DynamicOptDex/ZBsbJ.json 5033 com.slow.what
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
Reads information about phone network operator.

ioc	pid	process
/data/user/0/com.slow.what/app_DynamicOptDex/ZBsbJ.json	5033	com.slow.what

flow	ioc
15	ip-api.com

com.slow.what
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
PID:5033

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

/data/data/com.slow.what/app_DynamicOptDex/ZBsbJ.json
Filesize
1.9MB

MD5
7d7b807b469bcdd03444eea742b845b6

SHA1
4c552de814fc255b809e63c55a6a569c5db29874

SHA256
9d395af2917c557e038faaa5f0c824e649cbdba2b1d712d137348d40e61d7f67

SHA512
e4f7f26da763b4e2e5b9bf181afca262ce1884852652decbbfb6c8c87aca08c902afea3f2341a8617fbc34df0b3a8891367a61e36dcfe47fe782e3bb56bed76a

Download Submit
/data/data/com.slow.what/app_DynamicOptDex/ZBsbJ.json
Filesize
1.9MB

MD5
ea0212cf5bd0b1688a687daf4f0a55aa

SHA1
19d07f1ea637b1fd38f26ebfa9ddc3de651c580a

SHA256
45a3903e21ef933e1f559211c330f2736cbb385d4d0864476f731deb8f1f7f05

SHA512
0c5462f288350d28ce50387c401f2cf4d4050ed4b10876153a131c608e3f70c892c6d2b6cb1e59838f492f66d5c0650cabb180797e2e3cf58e1c7110b7bf424c

Download Submit
/data/user/0/com.slow.what/app_DynamicOptDex/ZBsbJ.json
Filesize
5.0MB

MD5
089a53915168ce1f768c275ec5770b09

SHA1
1618578dbf0e24cd7443553465883bbd0852da6c

SHA256
d27a4c00f3f6ce345b2dd01b14df4d198b5dc4430bf6619d852888212d21e389

SHA512
8b350be4fd6c347610358b9213f8c394f6cbb8491cad52375f7e701f9aa139298077512dc500e0177a1c6752b51ae5c776f356fbf6f15aeb4c9c64b669062198

Download Submit