Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
7390baefed2...1e.apk
android-9-x86
10390baefed2...1e.apk
android-10-x64
10390baefed2...1e.apk
android-11-x64
10disney.js
windows7-x64
1disney.js
windows10-2004-x64
1googlephoto.js
windows7-x64
1googlephoto.js
windows10-2004-x64
1hbomax.js
windows7-x64
1hbomax.js
windows10-2004-x64
1netflix.js
windows7-x64
1netflix.js
windows10-2004-x64
1web.js
windows7-x64
1web.js
windows10-2004-x64
1Analysis
-
max time kernel
588068s -
max time network
164s -
platform
android_x64 -
resource
android-x64-20230831-en -
resource tags
androidarch:x64arch:x86image:android-x64-20230831-enlocale:en-usos:android-10-x64system -
submitted
11/10/2023, 17:25 UTC
Static task
static1
Behavioral task
behavioral1
Sample
390baefed293313a4d6fdb37fe774090249455011e5fe82f44afca467f62881e.apk
Resource
android-x86-arm-20230831-en
Behavioral task
behavioral2
Sample
390baefed293313a4d6fdb37fe774090249455011e5fe82f44afca467f62881e.apk
Resource
android-x64-20230831-en
Behavioral task
behavioral3
Sample
390baefed293313a4d6fdb37fe774090249455011e5fe82f44afca467f62881e.apk
Resource
android-x64-arm64-20230831-en
Behavioral task
behavioral4
Sample
disney.js
Resource
win7-20230831-en
Behavioral task
behavioral5
Sample
disney.js
Resource
win10v2004-20230915-en
Behavioral task
behavioral6
Sample
googlephoto.js
Resource
win7-20230831-en
Behavioral task
behavioral7
Sample
googlephoto.js
Resource
win10v2004-20230915-en
Behavioral task
behavioral8
Sample
hbomax.js
Resource
win7-20230831-en
Behavioral task
behavioral9
Sample
hbomax.js
Resource
win10v2004-20230915-en
Behavioral task
behavioral10
Sample
netflix.js
Resource
win7-20230831-en
Behavioral task
behavioral11
Sample
netflix.js
Resource
win10v2004-20230915-en
Behavioral task
behavioral12
Sample
web.js
Resource
win7-20230831-en
Behavioral task
behavioral13
Sample
web.js
Resource
win10v2004-20230915-en
General
-
Target
390baefed293313a4d6fdb37fe774090249455011e5fe82f44afca467f62881e.apk
-
Size
3.3MB
-
MD5
f8b60a66343ad882cb1cfece12e5b94e
-
SHA1
0e17700551d094a8c6c1fedc6d1f114fa5ace804
-
SHA256
390baefed293313a4d6fdb37fe774090249455011e5fe82f44afca467f62881e
-
SHA512
379fd7f886b789ad32f2e3989c2f9421099dcf5db0b977c6196680da61cab291ff6635b537a5a3f902877baf0bf7da7f84a9ea4ba088879431b8276d91a0d85e
-
SSDEEP
98304:Smj38THkGH+he0YwzMlmW1yM/th0MyIEZWbPQqx:R87kGebYwzMUAV/T0My1ZWD3x
Malware Config
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra payload 2 IoCs
resource yara_rule behavioral2/memory/5057-0.dex family_hydra1 behavioral2/memory/5057-0.dex family_hydra2 -
Makes use of the framework's Accessibility service. 2 IoCs
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.glad.word Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.glad.word -
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.glad.word/app_DynamicOptDex/GWHMtIa.json 5057 com.glad.word -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 32 ip-api.com 46 ip-api.com -
Reads information about phone network operator.
Processes
Network
-
Remote address:172.217.168.234:80RequestGET /generate_204 HTTP/1.1
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36
Host: play.googleapis.com
Accept-Encoding: gzip
ResponseHTTP/1.1 204 No Content
Cross-Origin-Resource-Policy: cross-origin
Date: Thu, 12 Oct 2023 08:39:56 GMT
Connection: close
-
Remote address:142.250.179.138:80RequestGET /generate_204 HTTP/1.1
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36
Host: play.googleapis.com
Accept-Encoding: gzip
ResponseHTTP/1.1 204 No Content
Cross-Origin-Resource-Policy: cross-origin
Date: Thu, 12 Oct 2023 08:39:58 GMT
Connection: close
-
Remote address:1.1.1.1:53Requestinfinitedata-pa.googleapis.comIN A
-
Remote address:1.1.1.1:53Requestinfinitedata-pa.googleapis.comIN A
-
Remote address:1.1.1.1:53Requestraw.githubusercontent.comIN AResponseraw.githubusercontent.comIN A185.199.111.133raw.githubusercontent.comIN A185.199.110.133raw.githubusercontent.comIN A185.199.108.133raw.githubusercontent.comIN A185.199.109.133
-
Remote address:185.199.111.133:443RequestGET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
Range: bytes=0-
Authorization: token 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
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: raw.githubusercontent.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 404 Not Found
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 29C8:E8A6:187CB8E:19741E6:6527B0D3
Accept-Ranges: bytes
Date: Thu, 12 Oct 2023 08:40:04 GMT
Via: 1.1 varnish
X-Served-By: cache-ams21061-AMS
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1697100005.880437,VS0,VE2
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: dfa4a2d43b0d4d563db6331bcdc2fa007e15dcd3
Expires: Thu, 12 Oct 2023 08:45:04 GMT
Source-Age: 17
-
Remote address:1.1.1.1:53Requestssl.google-analytics.comIN AResponsessl.google-analytics.comIN A142.250.179.168
-
Remote address:1.1.1.1:53Requestinfinitedata-pa.googleapis.comIN A
-
Remote address:1.1.1.1:53Requestinfinitedata-pa.googleapis.comIN A
-
Remote address:1.1.1.1:53Requestip-api.comIN A
-
Remote address:1.1.1.1:53Requestip-api.comIN A
-
Remote address:1.1.1.1:53Requestinfinitedata-pa.googleapis.comIN AResponseinfinitedata-pa.googleapis.comIN A142.250.179.170infinitedata-pa.googleapis.comIN A142.250.179.202infinitedata-pa.googleapis.comIN A172.217.23.202infinitedata-pa.googleapis.comIN A142.251.36.42infinitedata-pa.googleapis.comIN A142.250.179.138infinitedata-pa.googleapis.comIN A142.251.36.10infinitedata-pa.googleapis.comIN A172.217.168.202infinitedata-pa.googleapis.comIN A142.251.39.106infinitedata-pa.googleapis.comIN A216.58.214.10
-
Remote address:1.1.1.1:53Requestandroid.apis.google.comIN AResponseandroid.apis.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A142.251.39.110
-
Remote address:1.1.1.1:53Requestip-api.comIN A
-
Remote address:1.1.1.1:53Requestip-api.comIN A
-
Remote address:185.199.111.133:443RequestGET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
Range: bytes=0-
Authorization: token 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
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: raw.githubusercontent.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 404 Not Found
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 29C8:E8A6:187FA61:1977213:6527B11A
Accept-Ranges: bytes
Date: Thu, 12 Oct 2023 08:41:16 GMT
Via: 1.1 varnish
X-Served-By: cache-ams21062-AMS
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1697100077.574499,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 9387a01187ff8bbbea27fb4c859c27b91e788109
Expires: Thu, 12 Oct 2023 08:46:16 GMT
Source-Age: 17
-
Remote address:185.199.111.133:443RequestGET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
Range: bytes=0-
Authorization: token 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
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: raw.githubusercontent.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 404 Not Found
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 29C8:E8A6:187FA61:1977213:6527B11A
Accept-Ranges: bytes
Date: Thu, 12 Oct 2023 08:41:36 GMT
Via: 1.1 varnish
X-Served-By: cache-ams21038-AMS
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1697100097.567727,VS0,VE4
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 5f776928ec8af4c1e9d4326a58eab772b3316852
Expires: Thu, 12 Oct 2023 08:46:36 GMT
Source-Age: 37
-
Remote address:185.199.111.133:443RequestGET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
Range: bytes=0-
Authorization: token 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
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: raw.githubusercontent.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 404 Not Found
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 29C8:E8A6:187FA61:1977213:6527B11A
Accept-Ranges: bytes
Date: Thu, 12 Oct 2023 08:41:56 GMT
Via: 1.1 varnish
X-Served-By: cache-ams21053-AMS
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1697100117.582507,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 52946d10036092ea831e5798d678b1391d2f474e
Expires: Thu, 12 Oct 2023 08:46:56 GMT
Source-Age: 57
-
Remote address:185.199.111.133:443RequestGET /dyd1y/tor-files/main/all_tor.zip HTTP/1.1
Range: bytes=0-
Authorization: token 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
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: raw.githubusercontent.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 404 Not Found
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 427C:7191:1F40162:207FEFE:6527B15A
Accept-Ranges: bytes
Date: Thu, 12 Oct 2023 08:42:16 GMT
Via: 1.1 varnish
X-Served-By: cache-ams21053-AMS
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1697100137.588409,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 58948c6418a2aaf20b9a28a0c311aa69fec31e04
Expires: Thu, 12 Oct 2023 08:47:16 GMT
Source-Age: 13
-
485 B 414 B 5 5
HTTP Request
GET http://play.googleapis.com/generate_204HTTP Response
204 -
485 B 414 B 5 5
HTTP Request
GET http://play.googleapis.com/generate_204HTTP Response
204 -
1.4kB 5.5kB 9 7
HTTP Request
GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zipHTTP Response
404 -
1.2kB 5.6kB 7 5
-
793 B 5.4kB 8 7
-
1.2kB 40 B 1 1
-
4.6kB 8.4kB 13 19
-
128 B 40 B 2 1
-
128 B 40 B 2 1
-
1.3kB 1.6kB 7 6
HTTP Request
GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zipHTTP Response
404 -
1.3kB 1.6kB 7 6
HTTP Request
GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zipHTTP Response
404 -
1.3kB 2.5kB 8 7
HTTP Request
GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zipHTTP Response
404 -
1.3kB 1.6kB 7 6
HTTP Request
GET https://raw.githubusercontent.com/dyd1y/tor-files/main/all_tor.zipHTTP Response
404 -
1.3kB 1.6kB 7 6
-
3.7kB 11
-
152 B 2
DNS Request
infinitedata-pa.googleapis.com
DNS Request
infinitedata-pa.googleapis.com
-
71 B 135 B 1 1
DNS Request
raw.githubusercontent.com
DNS Response
185.199.111.133185.199.110.133185.199.108.133185.199.109.133
-
70 B 86 B 1 1
DNS Request
ssl.google-analytics.com
DNS Response
142.250.179.168
-
152 B 2
DNS Request
infinitedata-pa.googleapis.com
DNS Request
infinitedata-pa.googleapis.com
-
112 B 2
DNS Request
ip-api.com
DNS Request
ip-api.com
-
76 B 220 B 1 1
DNS Request
infinitedata-pa.googleapis.com
DNS Response
142.250.179.170142.250.179.202172.217.23.202142.251.36.42142.250.179.138142.251.36.10172.217.168.202142.251.39.106216.58.214.10
-
69 B 109 B 1 1
DNS Request
android.apis.google.com
DNS Response
142.251.39.110
-
112 B 2
DNS Request
ip-api.com
DNS Request
ip-api.com
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5b91c5947c02acaaec25a8ad1d9dd9ceb
SHA1aabe47c378c2494530a4f052925fd36db569a082
SHA2564fbf723701a167114afa782a78078e108175af7eeac7b63aaeea2129eb3232e0
SHA5127bc49c0c43b39197c70c5b1405b8a682b29b61cc1d1effbd65a807797914d4ece7e454b550e63df4f31b037ca4d2728a39fb105ff06717f6ccd1035dc6e27b03
-
Filesize
1.9MB
MD51c0df5829844fd96e982249581eeb1f8
SHA1bba71fecba984a32ca8a98293ea818377cd54990
SHA256dbf3455a92dd10a27aeb007054e90f0ae9852d89c240ef402e760ad3d228a5a2
SHA512d214993c7354ed08d74ce360c0df4839f2099bf2dbcca649b1f1527d8850c8cacd4fff8cef5477cb6850975b470a86c685251441307f1290bbe57f7987f6da9a
-
Filesize
1KB
MD5d8010aafd0e00c440ff830ee8d9ae2a3
SHA14713558e92285620b14e5369499f76c3df417548
SHA256c05e27f48c8de2e1b7903c3220ba63d3d6b7e22422463645d332581d6b7deb35
SHA51211e863a211bc790c8edaa84ed8c1fd4f5360a6e124ab76b2953d286baede7ac96f89fb034ec47faf68af4ab0fcdacec8c22d5b50b1b2569b7ccb04e6b11998e5
-
Filesize
5.0MB
MD533c7c9950172a836259776101bcac096
SHA1f5c8598a28eec0bebf7e07fc23512c89b30472d6
SHA256dc302c0fd08473b5916fc3d26a8035df332391d9535da610c52fcb2ec48d55ef
SHA51275b0ed13a94fabe307c48971cf13150c9c3ab9f4c4128bcb1d71519b4d2aff2221f72e7174970b468ff00b09ad9c9ac613e6de586668fc6f9ed085366b35286d