hydra | bfb16d1190106657d4f1c190c313a91a9563028c5f0b8b10f198f802f9bb3f8b

Analysis

max time kernel
1846168s
max time network
166s
platform
android_x64
resource
android-x64-20231023.1-en
resource tags

androidarch:x64arch:x86image:android-x64-20231023.1-enlocale:en-usos:android-10-x64system
submitted
26-10-2023 22:01

Target

bfb16d1190106657d4f1c190c313a91a9563028c5f0b8b10f198f802f9bb3f8b.apk
Size

3.1MB
MD5

3e5ad285d52d85c21e90ef0745e500ba
SHA1

7102edcc2d35729840b6274b5ab23896797381d1
SHA256

bfb16d1190106657d4f1c190c313a91a9563028c5f0b8b10f198f802f9bb3f8b
SHA512

bab2dc47174d21842874c4ad9c8207bdd316df7e5dc0924e280b81d6d7758139a62af127720769daaf2f9428a61e42a35936cf0cca5345694d7d3c66250704d2
SSDEEP

98304:X4Cd1luEfq5SBBoera1l8Dalc/IeGhOIo/fqk:N1xrBj+8D0Mkhg/1

Score

10^/10

Hydra payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.fruit.marriage/app_DynamicOptDex/LmwqhB.json	family_hydra1
/data/user/0/com.fruit.marriage/app_DynamicOptDex/LmwqhB.json	family_hydra2

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.fruit.marriage

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.fruit.marriage
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.fruit.marriage

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.fruit.marriage

ioc pid process

/data/user/0/com.fruit.marriage/app_DynamicOptDex/LmwqhB.json 5016 com.fruit.marriage
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 ip-api.com
Reads information about phone network operator.

ioc	pid	process
/data/user/0/com.fruit.marriage/app_DynamicOptDex/LmwqhB.json	5016	com.fruit.marriage

flow	ioc
24	ip-api.com

com.fruit.marriage
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
PID:5016

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

/data/data/com.fruit.marriage/app_DynamicOptDex/LmwqhB.json
Filesize
1.9MB

MD5
97bb4ae579d36530699dec1a49d3c417

SHA1
a2ef6d0178ca7d44ad5fec3a42f5710e80df1f6e

SHA256
6f408fa6631c5f577c0ee62488797338098b605313038609244b4a5e386dc6b6

SHA512
7aff3d423355cb6aa276339bad95b77322ae9a85156774a38f25b20ff03f7f28ee055e9df40e6cfe4873c225a750cb8c673dd46de6454cd3ff2f0a86f168d7ad

Download Submit
/data/data/com.fruit.marriage/app_DynamicOptDex/LmwqhB.json
Filesize
1.9MB

MD5
744696ff4904370f4769ccbcb63ea7fc

SHA1
98402c822ac9db3d48b97941d4c2f53321c296e6

SHA256
48d8f27cec2497d47d92476297687d831d42f86d2ca9cc06947c99719324e473

SHA512
c71b406b5063244b00b23feeec8ff76e0b85171eedb54056269208b4d0f23b409bdd1c234a570ae9ab056d8be64a5c82f5711f350ceebdf0d249718f881bb97a

Download Submit
/data/user/0/com.fruit.marriage/app_DynamicOptDex/LmwqhB.json
Filesize
5.0MB

MD5
eebf7a0ab2e5e6f513cffe44f958d94a

SHA1
0f5b6ed97ec7988694ee3e1bbaec29e14a62c106

SHA256
2a0cfd07d7e8407a136d5034a982a7e6d9e1729813676395751626a58fe3b056

SHA512
f20698ba9b007515e3b49d4987e3b0c098eebac43ea4ffef86fe02265481cc0589ef847c500c2329aab2be1408fb4eb8773baf2ccc5b43719dd42ee3437bc60a

Download Submit