Analysis

  • max time kernel
    588068s
  • max time network
    164s
  • platform
    android_x64
  • resource
    android-x64-20230831-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20230831-en, locale:en-us, os:android-10-x64, system
  • submitted
    11/10/2023, 17:25 UTC

General

  • Target

    390baefed293313a4d6fdb37fe774090249455011e5fe82f44afca467f62881e.apk

  • Size

    3.3MB

  • MD5

    f8b60a66343ad882cb1cfece12e5b94e

  • SHA1

    0e17700551d094a8c6c1fedc6d1f114fa5ace804

  • SHA256

    390baefed293313a4d6fdb37fe774090249455011e5fe82f44afca467f62881e

  • SHA512

    379fd7f886b789ad32f2e3989c2f9421099dcf5db0b977c6196680da61cab291ff6635b537a5a3f902877baf0bf7da7f84a9ea4ba088879431b8276d91a0d85e

  • SSDEEP

    98304:Smj38THkGH+he0YwzMlmW1yM/th0MyIEZWbPQqx:R87kGebYwzMUAV/T0My1ZWD3x

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra payload 2 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.

Processes

  • com.glad.word
    1⤵
    • Makes use of the framework's Accessibility service.
    • Loads dropped Dex/Jar
    PID:5057

Network

  • flag-nl
    GET
    http://play.googleapis.com/generate_204
    Remote address:
    172.217.168.234:80
    Request
    GET /generate_204 HTTP/1.1
    Connection: close
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36
    Host: play.googleapis.com
    Accept-Encoding: gzip
    Response
    HTTP/1.1 204 No Content
    Content-Length: 0
    Cross-Origin-Resource-Policy: cross-origin
    Date: Thu, 12 Oct 2023 08:39:56 GMT
    Connection: close
  • flag-nl
    GET
    http://play.googleapis.com/generate_204
    Remote address:
    142.250.179.138:80
    Request
    GET /generate_204 HTTP/1.1
    Connection: close
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36
    Host: play.googleapis.com
    Accept-Encoding: gzip
    Response
    HTTP/1.1 204 No Content
    Content-Length: 0
    Cross-Origin-Resource-Policy: cross-origin
    Date: Thu, 12 Oct 2023 08:39:58 GMT
    Connection: close
  • flag-us
    DNS
    infinitedata-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    infinitedata-pa.googleapis.com
    IN A
  • flag-us
    DNS
    infinitedata-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    infinitedata-pa.googleapis.com
    IN A
  • flag-us
    DNS
    raw.githubusercontent.com
    Remote address:
    1.1.1.1:53
    Request
    raw.githubusercontent.com
    IN A
    Response
    raw.githubusercontent.com
    IN A
    185.199.111.133
    raw.githubusercontent.com
    IN A
    185.199.110.133
    raw.githubusercontent.com
    IN A
    185.199.108.133
    raw.githubusercontent.com
    IN A
    185.199.109.133
  • flag-us
    GET
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    Remote address:
    185.199.111.133:443
    Request
    GET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
    Range: bytes=0-
    Authorization: token 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
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 29C8:E8A6:187CB8E:19741E6:6527B0D3
    Accept-Ranges: bytes
    Date: Thu, 12 Oct 2023 08:40:04 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ams21061-AMS
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1697100005.880437,VS0,VE2
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: dfa4a2d43b0d4d563db6331bcdc2fa007e15dcd3
    Expires: Thu, 12 Oct 2023 08:45:04 GMT
    Source-Age: 17
  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.179.168
  • flag-us
    DNS
    infinitedata-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    infinitedata-pa.googleapis.com
    IN A
  • flag-us
    DNS
    infinitedata-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    infinitedata-pa.googleapis.com
    IN A
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
  • flag-us
    DNS
    infinitedata-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    infinitedata-pa.googleapis.com
    IN A
    Response
    infinitedata-pa.googleapis.com
    IN A
    142.250.179.170
    infinitedata-pa.googleapis.com
    IN A
    142.250.179.202
    infinitedata-pa.googleapis.com
    IN A
    172.217.23.202
    infinitedata-pa.googleapis.com
    IN A
    142.251.36.42
    infinitedata-pa.googleapis.com
    IN A
    142.250.179.138
    infinitedata-pa.googleapis.com
    IN A
    142.251.36.10
    infinitedata-pa.googleapis.com
    IN A
    172.217.168.202
    infinitedata-pa.googleapis.com
    IN A
    142.251.39.106
    infinitedata-pa.googleapis.com
    IN A
    216.58.214.10
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.251.39.110
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
  • flag-us
    GET
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    Remote address:
    185.199.111.133:443
    Request
    GET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
    Range: bytes=0-
    Authorization: token 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
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 29C8:E8A6:187FA61:1977213:6527B11A
    Accept-Ranges: bytes
    Date: Thu, 12 Oct 2023 08:41:16 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ams21062-AMS
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1697100077.574499,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 9387a01187ff8bbbea27fb4c859c27b91e788109
    Expires: Thu, 12 Oct 2023 08:46:16 GMT
    Source-Age: 17
  • flag-us
    GET
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    Remote address:
    185.199.111.133:443
    Request
    GET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
    Range: bytes=0-
    Authorization: token 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
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 29C8:E8A6:187FA61:1977213:6527B11A
    Accept-Ranges: bytes
    Date: Thu, 12 Oct 2023 08:41:36 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ams21038-AMS
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1697100097.567727,VS0,VE4
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 5f776928ec8af4c1e9d4326a58eab772b3316852
    Expires: Thu, 12 Oct 2023 08:46:36 GMT
    Source-Age: 37
  • flag-us
    GET
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    Remote address:
    185.199.111.133:443
    Request
    GET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
    Range: bytes=0-
    Authorization: token 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
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 29C8:E8A6:187FA61:1977213:6527B11A
    Accept-Ranges: bytes
    Date: Thu, 12 Oct 2023 08:41:56 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ams21053-AMS
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1697100117.582507,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 52946d10036092ea831e5798d678b1391d2f474e
    Expires: Thu, 12 Oct 2023 08:46:56 GMT
    Source-Age: 57
  • flag-us
    GET
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    Remote address:
    185.199.111.133:443
    Request
    GET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
    Range: bytes=0-
    Authorization: token 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
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 427C:7191:1F40162:207FEFE:6527B15A
    Accept-Ranges: bytes
    Date: Thu, 12 Oct 2023 08:42:16 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ams21053-AMS
    X-Cache: HIT
    X-Cache-Hits: 0
    X-Timer: S1697100137.588409,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 58948c6418a2aaf20b9a28a0c311aa69fec31e04
    Expires: Thu, 12 Oct 2023 08:47:16 GMT
    Source-Age: 13
  • 172.217.168.234:80
    http://play.googleapis.com/generate_204
    http
    485 B
    414 B
    5
    5

    HTTP Request

    GET http://play.googleapis.com/generate_204

    HTTP Response

    204
  • 142.250.179.138:80
    http://play.googleapis.com/generate_204
    http
    485 B
    414 B
    5
    5

    HTTP Request

    GET http://play.googleapis.com/generate_204

    HTTP Response

    204
  • 185.199.111.133:443
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    tls, http
    1.4kB
    5.5kB
    9
    7

    HTTP Request

    GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip

    HTTP Response

    404
  • 142.250.179.168:443
    ssl.google-analytics.com
    tls
    1.2kB
    5.6kB
    7
    5
  • 142.250.179.170:443
    infinitedata-pa.googleapis.com
    tls
    793 B
    5.4kB
    8
    7
  • 172.217.23.202:443
    infinitedata-pa.googleapis.com
    tls, https
    1.2kB
    40 B
    1
    1
  • 142.251.39.110:443
    android.apis.google.com
    tls
    4.6kB
    8.4kB
    13
    19
  • 142.251.39.110:443
    android.apis.google.com
    tls, https
    128 B
    40 B
    2
    1
  • 142.251.39.110:443
    android.apis.google.com
    tls, https
    128 B
    40 B
    2
    1
  • 185.199.111.133:443
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    tls, http
    1.3kB
    1.6kB
    7
    6

    HTTP Request

    GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip

    HTTP Response

    404
  • 185.199.111.133:443
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    tls, http
    1.3kB
    1.6kB
    7
    6

    HTTP Request

    GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip

    HTTP Response

    404
  • 185.199.111.133:443
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    tls, http
    1.3kB
    2.5kB
    8
    7

    HTTP Request

    GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip

    HTTP Response

    404
  • 185.199.111.133:443
    https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip
    tls, http
    1.3kB
    1.6kB
    7
    6

    HTTP Request

    GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zip

    HTTP Response

    404
  • 185.199.111.133:443
    raw.githubusercontent.com
    tls
    1.3kB
    1.6kB
    7
    6
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    infinitedata-pa.googleapis.com
    dns
    152 B
    2

    DNS Request

    infinitedata-pa.googleapis.com

    DNS Request

    infinitedata-pa.googleapis.com

  • 1.1.1.1:53
    raw.githubusercontent.com
    dns
    71 B
    135 B
    1
    1

    DNS Request

    raw.githubusercontent.com

    DNS Response

    185.199.111.133
    185.199.110.133
    185.199.108.133
    185.199.109.133

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.179.168

  • 1.1.1.1:53
    infinitedata-pa.googleapis.com
    dns
    152 B
    2

    DNS Request

    infinitedata-pa.googleapis.com

    DNS Request

    infinitedata-pa.googleapis.com

  • 1.1.1.1:53
    ip-api.com
    dns
    112 B
    2

    DNS Request

    ip-api.com

    DNS Request

    ip-api.com

  • 1.1.1.1:53
    infinitedata-pa.googleapis.com
    dns
    76 B
    220 B
    1
    1

    DNS Request

    infinitedata-pa.googleapis.com

    DNS Response

    142.250.179.170
    142.250.179.202
    172.217.23.202
    142.251.36.42
    142.250.179.138
    142.251.36.10
    172.217.168.202
    142.251.39.106
    216.58.214.10

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.251.39.110

  • 1.1.1.1:53
    ip-api.com
    dns
    112 B
    2

    DNS Request

    ip-api.com

    DNS Request

    ip-api.com

MITRE ATT&CK Enterprise v15

Downloads

  • /data/data/com.glad.word/app_DynamicOptDex/GWHMtIa.json

    Filesize

    1.9MB

    MD5

    b91c5947c02acaaec25a8ad1d9dd9ceb

    SHA1

    aabe47c378c2494530a4f052925fd36db569a082

    SHA256

    4fbf723701a167114afa782a78078e108175af7eeac7b63aaeea2129eb3232e0

    SHA512

    7bc49c0c43b39197c70c5b1405b8a682b29b61cc1d1effbd65a807797914d4ece7e454b550e63df4f31b037ca4d2728a39fb105ff06717f6ccd1035dc6e27b03

  • /data/data/com.glad.word/app_DynamicOptDex/GWHMtIa.json

    Filesize

    1.9MB

    MD5

    1c0df5829844fd96e982249581eeb1f8

    SHA1

    bba71fecba984a32ca8a98293ea818377cd54990

    SHA256

    dbf3455a92dd10a27aeb007054e90f0ae9852d89c240ef402e760ad3d228a5a2

    SHA512

    d214993c7354ed08d74ce360c0df4839f2099bf2dbcca649b1f1527d8850c8cacd4fff8cef5477cb6850975b470a86c685251441307f1290bbe57f7987f6da9a

  • /data/data/com.glad.word/app_DynamicOptDex/oat/GWHMtIa.json.cur.prof

    Filesize

    1KB

    MD5

    d8010aafd0e00c440ff830ee8d9ae2a3

    SHA1

    4713558e92285620b14e5369499f76c3df417548

    SHA256

    c05e27f48c8de2e1b7903c3220ba63d3d6b7e22422463645d332581d6b7deb35

    SHA512

    11e863a211bc790c8edaa84ed8c1fd4f5360a6e124ab76b2953d286baede7ac96f89fb034ec47faf68af4ab0fcdacec8c22d5b50b1b2569b7ccb04e6b11998e5

  • /data/user/0/com.glad.word/app_DynamicOptDex/GWHMtIa.json

    Filesize

    5.0MB

    MD5

    33c7c9950172a836259776101bcac096

    SHA1

    f5c8598a28eec0bebf7e07fc23512c89b30472d6

    SHA256

    dc302c0fd08473b5916fc3d26a8035df332391d9535da610c52fcb2ec48d55ef

    SHA512

    75b0ed13a94fabe307c48971cf13150c9c3ab9f4c4128bcb1d71519b4d2aff2221f72e7174970b468ff00b09ad9c9ac613e6de586668fc6f9ed085366b35286d
