Analysis

  • max time kernel
    636159s
  • max time network
    163s
  • platform
    android_x64
  • resource
    android-x64-20230831-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20230831-en, locale:en-us, os:android-10-x64, system
  • submitted
    12-10-2023 22:00

General

  • Target

    d35d02cba96bd5cb9ef8e1eaa50a86eeb9e00cb5e345309471e8c28251efc125.apk

  • Size

    2.8MB

  • MD5

    161b718eac0fa3d2987d7ea37830d49d

  • SHA1

    2504194ac8fdbc893ee81ee83ec268600913462e

  • SHA256

    d35d02cba96bd5cb9ef8e1eaa50a86eeb9e00cb5e345309471e8c28251efc125

  • SHA512

    7f9cf9deb05bd4342ebd77230ed09b8f99a29fb9a7e6c33d796e7788b8a958d0d493d068167a13c4617346c0c0f1d038b4fd8631b7926696be47f266a9ef6b86

  • SSDEEP

    49152:PLzV33iA28pmNL+mbn112lZuF74jGCERrkD3jZsSAym4PMszFXK+VgrQ8a7W3++:PV33I9+2n1b54jRERrcSyQAFXK+Aa7WP

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra payload 2 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.

Processes

  • com.physical.leopard (PID 4872)
    • Makes use of the framework's Accessibility service.
    • Loads dropped Dex/Jar

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /data/data/com.physical.leopard/app_DynamicOptDex/LCT.json

    Filesize

    1.9MB

    MD5

    407f9739c29b4d420027213130eeabb6

    SHA1

    187e4acf1d330c33aa99f8963a12be258cd657c7

    SHA256

    a06b1036c7e2290a95621625bf49e3a465a72fe04b1292c077eb2a38f602ec57

    SHA512

    a48c431558486f6931b1c644fa6b2351a0b1d7b594ba8951a8a7c1ae7de210e6bc57d85b12ab84869dde5e780ca9e0c2e7877467df45ec0b815c87e304c27164

  • /data/data/com.physical.leopard/app_DynamicOptDex/LCT.json

    Filesize

    1.9MB

    MD5

    61e64f1ea4f49d9a99b320c43319bf7b

    SHA1

    01c31d9dcd9bc4caa1180c255962a50458a45466

    SHA256

    88f048446431c6c0f2223f8589f3fa4ac670c69ef725c8c05a1a5d34c99bd798

    SHA512

    ab3128176bf909c7a675eb4985e98b932b382c5197e84dc6a82efe5e96badffd772fe758c4da0ad8dee5527ac2d4e888ca0685ea048ca626746bf3e25beed63e

  • /data/user/0/com.physical.leopard/app_DynamicOptDex/LCT.json

    Filesize

    5.0MB

    MD5

    ef08be94dc39ef27d9f30ba9d3c4d066

    SHA1

    a3c00ba5dfc5b2a2f00abeebbe4fb4dc9770907d

    SHA256

    8123ad26aabdc6e35d0af9af0a0f423bc07285c7fc1467258f2984377f0071b1

    SHA512

    b658ef193d33d5471a0631da739a8a741179e33f52ed7c102f341f7cfb7a4abfb29962ca1d7c5a4ec158f1fb2809710636fb4b17608d4daf6a29c22ff09ce30a
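The "Loads dropped Dex/Jar" signature and the Downloads list above point at the same thing: the app writes its second stage into app_DynamicOptDex/ under a data-file name (LCT.json) and loads it from there, so the extension says nothing about what the file is. The helper below is an added example, not part of the report or of any analysis tooling; it classifies a pulled file by its magic bytes, hashes it, and checks the SHA256 against the three dropped-file hashes listed on this page. The sample input is a constructed minimal DEX header, not the real LCT.json, so the script runs offline.

```python
"""
Triage helper for files dropped into app_DynamicOptDex/ during the run.

Added example (not from the report). Usage against the real artefact would
be: adb pull /data/data/com.physical.leopard/app_DynamicOptDex/LCT.json,
then triage(path, open(path, "rb").read()).
"""
import hashlib
import re

# SHA256 values of the three dropped LCT.json files listed in the report.
KNOWN_DROPPED_SHA256 = {
    "a06b1036c7e2290a95621625bf49e3a465a72fe04b1292c077eb2a38f602ec57",
    "88f048446431c6c0f2223f8589f3fa4ac670c69ef725c8c05a1a5d34c99bd798",
    "8123ad26aabdc6e35d0af9af0a0f423bc07285c7fc1467258f2984377f0071b1",
}

# A DEX file starts with "dex\n" + three-digit version + NUL (e.g. "dex\n035\0").
# An APK/JAR is a ZIP container and starts with the local-file-header magic.
DEX_MAGIC = re.compile(rb"^dex\n[0-9]{3}\x00")
ZIP_MAGIC = b"PK\x03\x04"

# Extensions under which code containers are expected; anything else is suspect.
CODE_EXTENSIONS = ("dex", "jar", "apk", "zip")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> str:
    """Return 'dex', 'zip' (APK/JAR) or 'other' from the leading bytes only."""
    if DEX_MAGIC.match(data):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def triage(path: str, data: bytes, known=KNOWN_DROPPED_SHA256) -> dict:
    """Summarise a dropped file: declared extension vs real format, hashes, IoC hit."""
    fmt = classify(data)
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    digest = sha256_hex(data)
    return {
        "path": path,
        "ext": ext,
        "format": fmt,
        # The signal this report's signature keys on: code hiding behind a data-file name.
        "disguised_code": fmt in ("dex", "zip") and ext not in CODE_EXTENSIONS,
        "sha256": digest,
        "md5": hashlib.md5(data).hexdigest(),
        "known_ioc": digest in known,
    }


# Constructed sample: DEX magic followed by a zeroed 0x70-byte header.
# This stands in for the real LCT.json so the example runs without the sample.
SAMPLE_PATH = "/data/data/com.physical.leopard/app_DynamicOptDex/LCT.json"
SAMPLE_DATA = b"dex\n035\x00" + bytes(0x70 - 8)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATH, SAMPLE_DATA).items():
        print(f"{key}: {value}")
```

The report's three hashes for LCT.json differ (and one file is 5.0MB against 1.9MB for the other two), so the dropper rewrote the same path more than once during the run; hash every version you pull, not just the last one on disk.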