hydra | a1844a63df18babd4d92b61c784018ca660a9a11206944c3b6f5d90c4c3aeb71

Analysis

max time kernel
31369s
max time network
154s
platform
android_x86
resource
android-x86-arm-20230831-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
submitted
05-10-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1844a63df18babd4d92b61c784018ca660a9a11206944c3b6f5d90c4c3aeb71.apk
Size

3.2MB
MD5

6616c7912d21837a3ceb8aa75347cf51
SHA1

be6bd4b2254e1448e5cefe3a86ecf115764a2610
SHA256

a1844a63df18babd4d92b61c784018ca660a9a11206944c3b6f5d90c4c3aeb71
SHA512

33a1dfbab9e557c9a3c95a90e4366171e2af747fd7befcfa903aa4d1e695c56e5a15a8af42d36443e9023703134ba3678381888245836c77b5efd80c3848ca9a
SSDEEP

98304:KEwBMucIAxw7h90losH/EEWctuw4aAQJp4tMlQW:KEwBMuMKhcosHOrw4q3vQW

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

resource	yara_rule
behavioral1/memory/4143-0.dex	family_hydra1
behavioral1/memory/4143-0.dex	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.theme.noodle
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.theme.noodle

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.theme.noodle/app_DynamicOptDex/oAukhu.json	4143	com.theme.noodle

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Reads information about phone network operator.

com.theme.noodle
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
PID:4143

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.theme.noodle/app_DynamicOptDex/oAukhu.json

Filesize
1.9MB

MD5
da770b43daf7fbe87a0b59a9547690e6

SHA1
a045891efcee3aedab1a1e7f06a32142e362e622

SHA256
b26f0f288914e1e92a47b6fafe6fbfa0ec6079fe24db8b7eb366360c4b68a0f8

SHA512
52e58e7fdb54a6664c99c96d59e7b8880314d4374f105ecb5ac831465f862b2be5e340d8c95513a983cf12ee699c7bdf34c5c4a4ddec50568bf7cde03b75b263

Download Submit
/data/data/com.theme.noodle/app_DynamicOptDex/oAukhu.json

Filesize
1.9MB

MD5
78beed0548a9cfcde4fffc2ee9aa1524

SHA1
627d55574d1156c550a288ed01facb48b696ac48

SHA256
8387be9432581c9303f5757d40f21aca4b1d4b7b580ba71b5be161ad1bedcb01

SHA512
541966a0f3d23f764218f2da33e8e73a351ab9c2ed314a1f18114c7270cbe3d865832c6dd9b9ad2ff4c1d78fd5c6029b8c85b8eafb892612d956f2f22015d85c

Download Submit
/data/data/com.theme.noodle/app_DynamicOptDex/oat/oAukhu.json.cur.prof

Filesize
1KB

MD5
40b36e8c6f925fc189df809e77eef2b7

SHA1
9ff82296b190e717c7338b251792b66be7e343e5

SHA256
f9f0712bd907e6d3b4622cf4c1da6c154a5106012fd23530cb8de20521a053ce

SHA512
07630ff92cc28eeff7250c69818e5917966de8d3e73f970c84c3321b795e6c95744c3cf4bd7a583d18a17334f08b5d0cd4a77aec11022a0465956a49aeae328e

Download Submit
/data/user/0/com.theme.noodle/app_DynamicOptDex/oAukhu.json

Filesize
5.0MB

MD5
e07c803f3f04ff1e023808a1190d63d6

SHA1
50cffef9b8628047d6aa957c820305f5a930271f

SHA256
13d63ddf04fd7a43ba4a4768d0d41b293aaa607e41b79ccad43127f084ff11c0

SHA512
6b105d01f74257824db5e16c603cd29cf02163bd2ff7b245a42cc60f6f2d3f177b3d2bb5a78f4b0e1671a9e9096880a746e961c479e143568989c77aaa07d334

Download Submit