hydra | ff3464f51f6e7fbdf1b236affdb5cb5ebcf84d56d1923e17e6bf267c6a6861a7

Analysis

max time kernel
377126s
max time network
168s
platform
android_x64
resource
android-x64-arm64-20230831-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230831-enlocale:en-usos:android-11-x64system
submitted
09-10-2023 22:02

Target

ff3464f51f6e7fbdf1b236affdb5cb5ebcf84d56d1923e17e6bf267c6a6861a7.apk
Size

3.1MB
MD5

0d465ced34970777e6d5ba7971750943
SHA1

b5fecbffbc85fac7dbe8ff99ed579ecd932aa08c
SHA256

ff3464f51f6e7fbdf1b236affdb5cb5ebcf84d56d1923e17e6bf267c6a6861a7
SHA512

830c3767f2fed21eec5ea942b5865f2bcf25029893dcfd18db363ec6705b707b10239eeda8d06ee8d404ab0cf2ae7e625ab7c85d9885eb4dbe08214e8cb111e1
SSDEEP

98304:7pQEEGMW729XiWlV8VcqMmEf6pFZDu8a5Oe9I9vh/VCjnw:VQEEGM38WlVQcEEipFQp5O8INPCjnw

Score

10^/10

Hydra payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.robot.lobster/app_DynamicOptDex/sUIeeTQ.json	family_hydra1
/data/user/0/com.robot.lobster/app_DynamicOptDex/sUIeeTQ.json	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.robot.lobster

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.robot.lobster
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.robot.lobster

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.robot.lobster

ioc pid process

/data/user/0/com.robot.lobster/app_DynamicOptDex/sUIeeTQ.json 4543 com.robot.lobster
Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.robot.lobster

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.robot.lobster
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

59 ip-api.com
Reads information about phone network operator.

ioc	pid	process
/data/user/0/com.robot.lobster/app_DynamicOptDex/sUIeeTQ.json	4543	com.robot.lobster

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.robot.lobster

flow	ioc
59	ip-api.com

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

/data/user/0/com.robot.lobster/app_DynamicOptDex/sUIeeTQ.json

Filesize
1.9MB

MD5
c3ab36a3716011ea70305986466f1449

SHA1
27e20116a8a5e7f28204ee61558ae12e065e820b

SHA256
41db83466dc9e718b9421b1bb36f369af2afad28e06b87e1639a037d2e7ef93d

SHA512
948e1a58e5254f6a37ff17eb4c32f5b260da7a1b7e4f41f3d109d9c4667ac1cc2e629d421e025e5eff1e8a727b0f8248df4da426f242f3154982b811eeccae43

Download Submit
/data/user/0/com.robot.lobster/app_DynamicOptDex/sUIeeTQ.json

Filesize
1.9MB

MD5
c91b72ed4785f89867c98836af7d9388

SHA1
1512eb0e67897acb84d37cc78ffc7a10389d7ff4

SHA256
cf419444e618605ef5bc1bff6d8ae947d6b5122e6bc57dcec84ec77cd20d3a32

SHA512
02ccfd885c9da3e4997a9fe8a6020bd35faa5a3d673db3e0d0b45e9cb15c1a871b9dbb443400a30dfc0f32d836e274ee629b9ccd7b887c23ce64ffb1aa5971b5

Download Submit
/data/user/0/com.robot.lobster/app_DynamicOptDex/sUIeeTQ.json

Filesize
5.0MB

MD5
df5a5695781aff40de1bd2c09ac2b93b

SHA1
3868eefbae2b0f355c4ac8c5888aa3bf63bb7a57

SHA256
0bcacec9e9e663aacfdbc57c9d542ed9d7598a754b6ad8a4e476f1684c0c0a2b

SHA512
cdb44794d136ba7b340e4adf78d1fff55fdf47772212ee9aa7d2f916929908aaa3f4b487a3af88ebceee2ce29690a46c5aec46f34a1ee00521c18a209b4dd2bd

Download Submit