hydra | a8d120589c953cfb08c0b5d20482e0c21e5afc30b9b3635144de3fb019c19c66

Analysis

max time kernel
519598s
max time network
132s
platform
android_x86
resource
android-x86-arm-20230831-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
submitted
11-10-2023 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8d120589c953cfb08c0b5d20482e0c21e5afc30b9b3635144de3fb019c19c66.apk
Size

2.1MB
MD5

9c5ff70c77af1a4e0d85d9f1ad4413fb
SHA1

a63125f958524cf3a5bd4715074dd87b61b0c9dc
SHA256

a8d120589c953cfb08c0b5d20482e0c21e5afc30b9b3635144de3fb019c19c66
SHA512

ec6b6057a96f002ab6bd2d65caac27ad73e10b191b6d4ace29043770a2df61108685f08e5618458bd50c3387658cbe6d69adb2afffde53acf006ea82176a31d1
SSDEEP

49152:4bcOkWKBs6BJPZwxitfcbE1Nyvk4wW50lbNmQqM8DWi1B4O:4bc1u6XPlN18+N9nuD

Score

10^/10

hydra banker evasion infostealer stealth trojan

Malware Config

Extracted

Family

hydra

http://ikincikahromesdod.net

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 4 IoCs

Processes:

resource	yara_rule
/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json	family_hydra1
/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json	family_hydra2
/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json	family_hydra1
/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json	family_hydra2

Makes use of the framework's Accessibility service. 3 IoCs

Processes:

com.payment.whale

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.payment.whale
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.payment.whale
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.payment.whale

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.payment.whale

pid process

4137 com.payment.whale

pid	process
4137	com.payment.whale

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.payment.whale/app_DynamicOptDex/oat/x86/anyOSUp.odex --compiler-filter=quicken --class-loader-context=&com.payment.whale

ioc	pid	process
/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json	4202	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.payment.whale/app_DynamicOptDex/oat/x86/anyOSUp.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json	4137	com.payment.whale

Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.payment.whale

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.payment.whale
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.payment.whale

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.payment.whale

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.payment.whale

flow	ioc
13	ip-api.com

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.payment.whale

com.payment.whale
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4137
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.payment.whale/app_DynamicOptDex/oat/x86/anyOSUp.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4202

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.payment.whale/app_DynamicOptDex/anyOSUp.json

Filesize
1.3MB

MD5
c7c1db6983e11cf4d40c7ead5dd2edf7

SHA1
dbd1168f748b624629990c0121a0f56b2fcf5c36

SHA256
6e5d9094e58f675dcb474a4b5db19db8e6f55b8b74c5a0eadcb839839c9f3ac1

SHA512
75b34d9da722897bef1108553bedae2bc60f81e653e5bb306f060ea32a05cf8c2dc54bce444ef4b9e373fd67932d6a5f61312d853bf70d10fff044556e367d3a

Download Submit
/data/data/com.payment.whale/app_DynamicOptDex/anyOSUp.json

Filesize
1.3MB

MD5
1a6ec1793372ff4f292482d59f699650

SHA1
04fc6bb65db8bf55751172dfda47c27765ae2f90

SHA256
b2e9333f4549c67a68ca20593d4396a574afa3ac7aecbba943af57e48def0887

SHA512
8c273c92d67d7a8d53a7ca313f139f9fe2d7b39b8b9315da62f30ee31dde86447a7eb38c6a3c9a09f17574cca9b70ba9e20c2d2ae27a03c44b31bae3a99fb8f7

Download Submit
/data/data/com.payment.whale/app_DynamicOptDex/oat/anyOSUp.json.cur.prof

Filesize
1KB

MD5
b6fe0e4f648e95c8732170f170087421

SHA1
99378553b8d1f25d997bdd0eb21d94d6b63afea5

SHA256
bf6beae93bd7b32db56ee04d7b3f183e3a3ee62ff772a90a3410b0c23013719d

SHA512
484fe0aea4fa31c70a61f66a39571dbb8cbd4e8821598efc89b2b4b0bf92331af570c8ed23eac5002bdccfeabb90e35dbfa30f7aa762472644d1e3864ca12a99

Download Submit
/data/data/com.payment.whale/app_DynamicOptDex/oat/anyOSUp.json.cur.prof

Filesize
1KB

MD5
dbe9c44ab82fde83338b238d98a67e6e

SHA1
0af5a86b719d2b68f19e3aad942fdfe074ed42b7

SHA256
d3e600233f86fb35fea98dbbedb24e9dce3da879c89a222e70d7460d9ee8f41f

SHA512
eb4ed131eed4f4460f42f201be05794209554f4781295d00f515e75e2affa11ea1ca132be35142007c72a7cdeb084a45abb1c67bc061b067922038296104c5f2

Download Submit
/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json

Filesize
3.6MB

MD5
435f8387b6f8999c77168572b8b48884

SHA1
2ebe7bcba306437068073b66858cc4e5b45203a2

SHA256
beb363bb3a9df9aa6bf7a8ca432494ed63cbfd6b8b744ea0fb5bce9a73a71d3e

SHA512
478ab2a58fcadd3c6ddd721f0ed89ee08121eb298e86508f2b3398eeaf7cadcc7976136754c8926b8fffe380fa0e7cc701b8a93aea32806dc5a9950823e43022

Download Submit
/data/user/0/com.payment.whale/app_DynamicOptDex/anyOSUp.json

Filesize
3.6MB

MD5
96b1a5462bede312113ea1aa86407aa1

SHA1
0e038706aa39226e130552e80dacb1976fc60da5

SHA256
96b187cbda3239fd0e0a691c69578cd1ba59fdd976afab49e689341a159b4608

SHA512
c3242d13108dbb23c52d56a156ed5d9297b1f24ebd1becdcf4a5d13dc69554cd666a79c4fcb87f73d444a4d02d00e95782360da2509101db05d898c3b2059ce6

Download Submit