hydra | d35d02cba96bd5cb9ef8e1eaa50a86eeb9e00cb5e345309471e8c28251efc125

Analysis

max time kernel
636147s
max time network
145s
platform
android_x86
resource
android-x86-arm-20230831-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
submitted
12-10-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d35d02cba96bd5cb9ef8e1eaa50a86eeb9e00cb5e345309471e8c28251efc125.apk
Size

2.8MB
MD5

161b718eac0fa3d2987d7ea37830d49d
SHA1

2504194ac8fdbc893ee81ee83ec268600913462e
SHA256

d35d02cba96bd5cb9ef8e1eaa50a86eeb9e00cb5e345309471e8c28251efc125
SHA512

7f9cf9deb05bd4342ebd77230ed09b8f99a29fb9a7e6c33d796e7788b8a958d0d493d068167a13c4617346c0c0f1d038b4fd8631b7926696be47f266a9ef6b86
SSDEEP

49152:PLzV33iA28pmNL+mbn112lZuF74jGCERrkD3jZsSAym4PMszFXK+VgrQ8a7W3++:PV33I9+2n1b54jRERrcSyQAFXK+Aa7WP

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 4 IoCs

resource	yara_rule
behavioral1/memory/4214-0.dex	family_hydra1
behavioral1/memory/4214-0.dex	family_hydra2
behavioral1/memory/4188-0.dex	family_hydra1
behavioral1/memory/4188-0.dex	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.physical.leopard
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.physical.leopard

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.physical.leopard/app_DynamicOptDex/LCT.json	4214	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.physical.leopard/app_DynamicOptDex/LCT.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.physical.leopard/app_DynamicOptDex/oat/x86/LCT.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.physical.leopard/app_DynamicOptDex/LCT.json	4188	com.physical.leopard

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.physical.leopard

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Reads information about phone network operator.

com.physical.leopard
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
PID:4188
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.physical.leopard/app_DynamicOptDex/LCT.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.physical.leopard/app_DynamicOptDex/oat/x86/LCT.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4214

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.physical.leopard/app_DynamicOptDex/LCT.json

Filesize
1.9MB

MD5
407f9739c29b4d420027213130eeabb6

SHA1
187e4acf1d330c33aa99f8963a12be258cd657c7

SHA256
a06b1036c7e2290a95621625bf49e3a465a72fe04b1292c077eb2a38f602ec57

SHA512
a48c431558486f6931b1c644fa6b2351a0b1d7b594ba8951a8a7c1ae7de210e6bc57d85b12ab84869dde5e780ca9e0c2e7877467df45ec0b815c87e304c27164

Download Submit
/data/data/com.physical.leopard/app_DynamicOptDex/LCT.json

Filesize
1.9MB

MD5
61e64f1ea4f49d9a99b320c43319bf7b

SHA1
01c31d9dcd9bc4caa1180c255962a50458a45466

SHA256
88f048446431c6c0f2223f8589f3fa4ac670c69ef725c8c05a1a5d34c99bd798

SHA512
ab3128176bf909c7a675eb4985e98b932b382c5197e84dc6a82efe5e96badffd772fe758c4da0ad8dee5527ac2d4e888ca0685ea048ca626746bf3e25beed63e

Download Submit
/data/user/0/com.physical.leopard/app_DynamicOptDex/LCT.json

Filesize
5.0MB

MD5
2f6314c18a995c8b3a9f3255d057fb62

SHA1
e0cdb0ce0479dea0b72313ce0f0c30f5d2f2ba4e

SHA256
8b855fa59344b4cf407202e1af167a28c7fdca3e403e595c8bce0c6a15d0df5b

SHA512
80d7f5b6df600726c4d67e618486443d1eb787c3c124bab66b9dfaddcb3cd69a1fdfa252174f70cceba306b26412d4b60ee2d4a3f5c2083bc22662fa3746cf75

Download Submit
/data/user/0/com.physical.leopard/app_DynamicOptDex/LCT.json

Filesize
5.0MB

MD5
ef08be94dc39ef27d9f30ba9d3c4d066

SHA1
a3c00ba5dfc5b2a2f00abeebbe4fb4dc9770907d

SHA256
8123ad26aabdc6e35d0af9af0a0f423bc07285c7fc1467258f2984377f0071b1

SHA512
b658ef193d33d5471a0631da739a8a741179e33f52ed7c102f341f7cfb7a4abfb29962ca1d7c5a4ec158f1fb2809710636fb4b17608d4daf6a29c22ff09ce30a

Download Submit