hydra | 1ebdbd1ae10055d0dc0d56944788df673b866d6fdcf9d9b071b9a5d8798d6dda

Analysis

max time kernel
1091866s
max time network
128s
platform
android_x86
resource
android-x86-arm-20230831-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
submitted
13-10-2023 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ebdbd1ae10055d0dc0d56944788df673b866d6fdcf9d9b071b9a5d8798d6dda.apk
Size

3.3MB
MD5

8530ca90408626a621b4d13993f693fe
SHA1

12fccd12017eaa691d5decc67587807972214518
SHA256

1ebdbd1ae10055d0dc0d56944788df673b866d6fdcf9d9b071b9a5d8798d6dda
SHA512

d7fb121cc8db08a0692c2cb5fc7757215333ea59079cbfb9cd5680e8bca2de85c3d1fb7af43b402c94f1d60a6926da8e795c430628165ada0ebe5b211e418e6b
SSDEEP

98304:eYt86ltxMwBlAVKKF8EfRtG/tTHBbsngT:xt86nxbBSlpRtGBl

Score

10^/10

hydra banker infostealer trojan

Malware Config

Extracted

Family

hydra

http://carmonuletusoaszs.net

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.ougagexwa.jrtesxwrb/TgeIuagg88/iiHt8Ufp6uGUauI/base.apk.H8ge9gd1.jpU	family_hydra2
/data/user/0/com.ougagexwa.jrtesxwrb/TgeIuagg88/iiHt8Ufp6uGUauI/base.apk.H8ge9gd1.jpU	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.ougagexwa.jrtesxwrb

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.ougagexwa.jrtesxwrb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.ougagexwa.jrtesxwrb

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ougagexwa.jrtesxwrb/TgeIuagg88/iiHt8Ufp6uGUauI/base.apk.H8ge9gd1.jpU --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ougagexwa.jrtesxwrb/TgeIuagg88/iiHt8Ufp6uGUauI/oat/x86/base.apk.H8ge9gd1.odex --compiler-filter=quicken --class-loader-context=&com.ougagexwa.jrtesxwrb

ioc	pid	process
/data/user/0/com.ougagexwa.jrtesxwrb/TgeIuagg88/iiHt8Ufp6uGUauI/base.apk.H8ge9gd1.jpU	4219	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ougagexwa.jrtesxwrb/TgeIuagg88/iiHt8Ufp6uGUauI/base.apk.H8ge9gd1.jpU --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ougagexwa.jrtesxwrb/TgeIuagg88/iiHt8Ufp6uGUauI/oat/x86/base.apk.H8ge9gd1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.ougagexwa.jrtesxwrb/TgeIuagg88/iiHt8Ufp6uGUauI/base.apk.H8ge9gd1.jpU	4191	com.ougagexwa.jrtesxwrb

Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.ougagexwa.jrtesxwrb

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.ougagexwa.jrtesxwrb
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
Reads information about phone network operator.

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.ougagexwa.jrtesxwrb

flow	ioc
12	ip-api.com

com.ougagexwa.jrtesxwrb
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
PID:4191

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ougagexwa.jrtesxwrb/TgeIuagg88/iiHt8Ufp6uGUauI/base.apk.H8ge9gd1.jpU --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ougagexwa.jrtesxwrb/TgeIuagg88/iiHt8Ufp6uGUauI/oat/x86/base.apk.H8ge9gd1.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4219

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.ougagexwa.jrtesxwrb/TgeIuagg88/iiHt8Ufp6uGUauI/tmp-base.apk.H8ge9gd5418967504989215979.jpU
Filesize
1.9MB

MD5
47467f1ec1f2dca1c7ac509e0e63460b

SHA1
2b5f37d94bad9b8f3aaced07538526dcae44a5ab

SHA256
0f0dedd2754e8909316e082408869ece2ec78390f7fc408dfbc284f279c4fa86

SHA512
1522c53cbffb58d8de51299f48ab9d1a31048de99e2a9bca1a7df74859fa7ee7a14fbf9e996327f4a0e54bebc70be27ad7f7bb37d59813b012aa1f73b2b3cc1f

Download Submit
/data/user/0/com.ougagexwa.jrtesxwrb/TgeIuagg88/iiHt8Ufp6uGUauI/base.apk.H8ge9gd1.jpU
Filesize
5.2MB

MD5
70e53cad290baf05cc0526dcee59dd83

SHA1
ffb0ce26c8d787d9be117f26b6c95f9a90240b8c

SHA256
0591acdc9325f8fedaba9c368246f3bc02f48153fb693ee28436127434d3332a

SHA512
0850590c89051c6d8462a385222c3a329b91e128e3cc9b8fea4d7e6b8607aaf520b0ed033f6cd2e7fc88604b3135c8006c6cde2629b8625edfecaabca26547d2

Download Submit
/data/user/0/com.ougagexwa.jrtesxwrb/TgeIuagg88/iiHt8Ufp6uGUauI/base.apk.H8ge9gd1.jpU
Filesize
5.2MB

MD5
6b4852b07b89e9583c9b0ca22bdc41ad

SHA1
8fd89f115c7d5cb73cf279244bdc6566c6eab1cb

SHA256
342dd054b57bff99183c8ed34b7d960b0fecf76ecf55fbd44bc920d552e9fab1

SHA512
115ca86e212fa1af32da1e3c37b28dcfdaa868fda69a78b212746358eb229e3633ca227ea3119086ceb73d59cc7ccbf8e57087cd9dc578059a98a67e23381578

Download Submit