hydra | c41eb0c8ad6b311a8eabd431fecbfc3ff578514189c5a75d65604316546cb368

Analysis

max time kernel
1068142s
max time network
131s
platform
android_x86
resource
android-x86-arm-20230831-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
submitted
17-10-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c41eb0c8ad6b311a8eabd431fecbfc3ff578514189c5a75d65604316546cb368.apk
Size

3.0MB
MD5

bc34c1b3599c5d369491c763c9c4813a
SHA1

d21f63841d0a8827bb8f40d8e6cfddeb50ba6086
SHA256

c41eb0c8ad6b311a8eabd431fecbfc3ff578514189c5a75d65604316546cb368
SHA512

1815ce8a2423d4cdd4982392f3de8b75e3dae75b7e9d682368db7227f5f29da70c0a24fdc878fc02761e621e6f7e744f4f65d26450ae86bb0bae6eafc3a82c70
SSDEEP

49152:T8krsWTxBtwrjxS+LxIvKwwc5gsvL0m2zcTqSYi0J0801E/HnNAiPcl1dIpkJjRd:45VxxPJsT0m9qSYVNASMX1wEjH

Score

10^/10

hydra banker infostealer trojan

Malware Config

Extracted

Family

hydra

http://wandawolmentokez.com

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 4 IoCs

resource	yara_rule
behavioral1/memory/4233-0.dex	family_hydra1
behavioral1/memory/4233-0.dex	family_hydra2
behavioral1/memory/4205-0.dex	family_hydra1
behavioral1/memory/4205-0.dex	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.exhaust.shed
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.exhaust.shed

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.exhaust.shed/app_DynamicOptDex/kGp.json	4233	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.exhaust.shed/app_DynamicOptDex/kGp.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.exhaust.shed/app_DynamicOptDex/oat/x86/kGp.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.exhaust.shed/app_DynamicOptDex/kGp.json	4205	com.exhaust.shed

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com
12	ip-api.com

Reads information about phone network operator.

com.exhaust.shed
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
PID:4205
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.exhaust.shed/app_DynamicOptDex/kGp.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.exhaust.shed/app_DynamicOptDex/oat/x86/kGp.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4233

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.exhaust.shed/app_DynamicOptDex/kGp.json

Filesize
973KB

MD5
0ff317d630a8537c52aff1d7c8c41242

SHA1
72e5447e409509732e60229cf1939d156e879f6f

SHA256
1dbce6b9fac5b443a59c9c03d31dde3a34319d9b77b76db2b7f509d4a95a2c74

SHA512
e5179bcafa57d60a6d26db5235f2b085e17179d1cbc7b27e87a9f3971af734b1c3d7df5e0701031804d876d9445c7f4afbdf9c39a0c45b837c0c1475fd1421bb

Download Submit
/data/data/com.exhaust.shed/app_DynamicOptDex/kGp.json

Filesize
973KB

MD5
bc30d59661045c0900729d7054aa1522

SHA1
24524b50319c59b22b3373de021c3b9493543498

SHA256
d26a5574dd9239f27196f163d272bcbd2611f6fec6cf05f48fdc58e5916ea8aa

SHA512
9d30f8e0e8018d8912076dd1cb84a205753b280c915e7ca6321c738961e4582d880c3aa7a0013a448ea227d6c7e0e25d94e058af0c0f994ffc0e8d509f6b19ff

Download Submit
/data/data/com.exhaust.shed/app_DynamicOptDex/oat/kGp.json.cur.prof

Filesize
1KB

MD5
3b90b4b737ffe0a365985676f4f870e9

SHA1
bcc85fe86f270874fcf6eda03e110be91337cc98

SHA256
8f3723c42a6aa90c2b66a008764c76cb3d0d46cc338f9acd3d013a59fbac1e30

SHA512
56226ee5f2220a357d07b25fb077d754760d5c38a0cf715c67b6a09ea43e1251b6ec03bce9ee56e9deabebcbfff1a8bacf9f8e640a6f1199eb015534f9d41835

Download Submit
/data/user/0/com.exhaust.shed/app_DynamicOptDex/kGp.json

Filesize
2.2MB

MD5
edd5b34c19b7a2ac1f60a68eb9eaabaf

SHA1
fa4db23cc64725186983099a2ec0bf89943cde84

SHA256
a00a64aefb6a533b3908e2255c0dc1dcab6db364f0ebc18bd6690655787e1f9a

SHA512
bfc09c31146921806eab67cbd107767c95111bfb03298ec94f8e845a23fbf8f5cf0442b6b444139b902c57136f35e9fcfcda6161d21aa6f2d91f742d97b9c149

Download Submit
/data/user/0/com.exhaust.shed/app_DynamicOptDex/kGp.json

Filesize
2.2MB

MD5
481a5e28db38dfa53ff9c07fe433e1a8

SHA1
71a7e81b6abdc8813dbbd2009106cc70325db4c1

SHA256
266ce8f9574d517f9726134c8b4f748699def03c85a414e38a247e369334eb56

SHA512
9e248eada176f3ab7a56539ed3c7d8b0cac57b95cec88051fc702cdc17af1f86799e5300f341f8f6b621a7d7706bc98d3fb3052ed34b645eac2e5be87db7224e

Download Submit