hydra | 800314641bb3520cdd6b776fec1ad58abc50164c452d3bf350b7d1fd7c3abf88

Analysis

max time kernel
528098s
max time network
131s
platform
android_x86
resource
android-x86-arm-20230831-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
submitted
11-10-2023 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

800314641bb3520cdd6b776fec1ad58abc50164c452d3bf350b7d1fd7c3abf88.apk
Size

3.3MB
MD5

d27538ac77db11598e49713982d2e7d9
SHA1

5a44571b96e002d7faaba95d49d16bd1d296fe98
SHA256

800314641bb3520cdd6b776fec1ad58abc50164c452d3bf350b7d1fd7c3abf88
SHA512

49eb797e7ff6e2ddef7978bc32280eec6dcd4c5a55674ddafcd515089629c68c8c49ef6f44c86d76dd668584f79e332f9b7bc1c08640d6307f5dcbd0d31dd4b5
SSDEEP

98304:je5ZHZmUaOg6DL1TYMAX9Xam0iRVbS7DtSjpYkyAGSMlx4:a5NdaOD/5k9am0ibbSsj+JAGLE

Score

10^/10

hydra banker infostealer trojan

Malware Config

Extracted

Family

hydra

http://dolliemcnamara85483.top

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 4 IoCs

resource	yara_rule
behavioral2/memory/4210-0.dex	family_hydra1
behavioral2/memory/4210-0.dex	family_hydra2
behavioral2/memory/4183-0.dex	family_hydra1
behavioral2/memory/4183-0.dex	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.piece.slot
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.piece.slot

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.piece.slot/app_DynamicOptDex/QfGRuK.json	4210	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.piece.slot/app_DynamicOptDex/QfGRuK.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.piece.slot/app_DynamicOptDex/oat/x86/QfGRuK.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.piece.slot/app_DynamicOptDex/QfGRuK.json	4183	com.piece.slot

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.piece.slot

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Reads information about phone network operator.

com.piece.slot
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
PID:4183
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.piece.slot/app_DynamicOptDex/QfGRuK.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.piece.slot/app_DynamicOptDex/oat/x86/QfGRuK.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4210

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.piece.slot/app_DynamicOptDex/QfGRuK.json

Filesize
1.3MB

MD5
805946060690b212c10f94df302006de

SHA1
8a0be46ee48ba29c57fc59840f7fdb2b436f93cf

SHA256
dde0a8a189d98137d043d867cad77f26773b254801e03ab0a43c4391bd354a25

SHA512
6c1101844e05c85dd81a70903f7725b48e0824eecb0d5bbacb9aa9ab2a6ce9d047a5fac155575241f035eb3f16488742b50fe7fd169cdd7c6c03e8c50c215d2c

Download Submit
/data/data/com.piece.slot/app_DynamicOptDex/QfGRuK.json

Filesize
1.3MB

MD5
93434c58ce91ffde5e52a574653d9209

SHA1
4527bb56180ae1f7b7cd04d92c945cf9bbb99db8

SHA256
025fff19f5961d895f3b761d1a8665be4edf3cf079d11f852287e3b4ab944fc2

SHA512
bfb6f24c0f7f7d541ef552b7ee41621c552ebcf036309e4d8d3891fa951d57623d09bf9c8e8310c7bd15e0e76c8a1b8559e7f9aa97a78a14d29e59fa2ff76830

Download Submit
/data/data/com.piece.slot/app_DynamicOptDex/oat/QfGRuK.json.cur.prof

Filesize
1KB

MD5
78ab5c97443a13f87e6f2dd5f30f5625

SHA1
0c97317188ea285f51e403c544c57182fcc2c580

SHA256
dd5b224f0d0f540082f4da3e9fff3a98e216b4506f3b1d55cf47f65d8f9b7028

SHA512
b3595d7279c1aee3eae4176db8668fbeaa6735a5b46ab738d9d73376ca7a1f8b36cbff207fd8b444dfd64772b11ef4288f394cc0c955aecc32263297d1731be5

Download Submit
/data/user/0/com.piece.slot/app_DynamicOptDex/QfGRuK.json

Filesize
3.6MB

MD5
6e011cfee4d7d6ef1411b65a57782145

SHA1
27c4bf55a032e50fdf909803144fa92940cdddfd

SHA256
9f71e6ce538ab61af128518bf65848f07f8e2392d9f969ea806ab91a9b4f8d55

SHA512
abdd44791347dd26d4cd91ef7791d0948b2c3ab4e6f2c9d6ee13fcf2e32427c5efa24a7d57f3a7d620cf73acc1dfa658a9a009dbabdbbe1f8b9309cd9b708515

Download Submit
/data/user/0/com.piece.slot/app_DynamicOptDex/QfGRuK.json

Filesize
3.6MB

MD5
4169dbf7104b8c87b3aaeb6126f085e3

SHA1
ad49472bf0a41ff8392531b2f7002b54ef722dc9

SHA256
c22a9b2bbe5ad70fe85bf2604c0536493ac6c0ce314c16854a855eae2f50ba93

SHA512
1b997729320e97ec9c5c5de23ee540a6f5758d419d6a776c6f4856954467439a451bbcf535c2c868c77c549c3d929857a995572441d69deb04f4520a38f0e08c

Download Submit