Analysis

  • max time kernel
    4265243s
  • max time network
    166s
  • platform
    android_x64
  • resource
    android-x64-20231023.1-en
  • resource tags
    android, arch:x64, arch:x86, image:android-x64-20231023.1-en, locale:en-us, os:android-10-x64, system
  • submitted
    23/11/2023, 22:01 UTC

General

  • Target

    a4b86f0f8e904e8d8f3472b04c3054b004a503a5ace1c6409f7f55b7c0e62cd7.apk

  • Size

    1.9MB

  • MD5

    6c0f7526671497f0a925a16d2e7234ce

  • SHA1

    c8d160e6b568e2db42ebe618ee8aa3c57cc45310

  • SHA256

    a4b86f0f8e904e8d8f3472b04c3054b004a503a5ace1c6409f7f55b7c0e62cd7

  • SHA512

    a2c37a78561cbb444492ee574a081715562ecf7b694e83058981b6b6d957132aba68d941fe4a79bd4bde35a22477a7e5fd90ba96a8601bb573c5d2f188e4c3d2

  • SSDEEP

    49152:/VP5Iq9H7Ec/HFV3Xvk8lzWJI6e6VdQEjDBs:/f77EWlZXZWRVSEj1s

Malware Config

Extracted

Family

hydra

C2

http://ihfwiohefwhiwririhererf.store

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra payload 2 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.

Processes

  • com.dress.pigeon
    1⤵
    • Makes use of the framework's Accessibility service.
    • Loads dropped Dex/Jar
    PID:5106

Network

  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.251.36.8
  • flag-us
    DNS
    ihfwiohefwhiwririhererf.store
    Remote address:
    1.1.1.1:53
    Request
    ihfwiohefwhiwririhererf.store
    IN A
  • flag-us
    DNS
    ihfwiohefwhiwririhererf.store
    Remote address:
    1.1.1.1:53
    Request
    ihfwiohefwhiwririhererf.store
    IN A
  • flag-us
    DNS
    ihfwiohefwhiwririhererf.store
    Remote address:
    1.1.1.1:53
    Request
    ihfwiohefwhiwririhererf.store
    IN A
    Response
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    172.217.168.206
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
  • 172.217.23.202:443
    tls, https
    1.2kB
    40 B
    1
    1
  • 142.251.36.8:443
    ssl.google-analytics.com
    tls
    1.2kB
    5.6kB
    7
    5
  • 172.217.23.202:443
    tls, https
    6.9kB
    40 B
    1
    1
  • 172.217.168.206:443
    android.apis.google.com
    tls
    4.1kB
    8.0kB
    18
    17
  • 142.251.36.14:443
    520 B
    10
  • 172.217.168.226:443
    520 B
    10
  • 142.250.179.142:443
    tls, https
    128 B
    40 B
    2
    1
  • 216.58.208.110:443
    tls, https
    128 B
    40 B
    2
    1
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.251.36.8

  • 1.1.1.1:53
    ihfwiohefwhiwririhererf.store
    dns
    150 B
    2

    DNS Request

    ihfwiohefwhiwririhererf.store

    DNS Request

    ihfwiohefwhiwririhererf.store

  • 1.1.1.1:53
    ihfwiohefwhiwririhererf.store
    dns
    75 B
    140 B
    1
    1

    DNS Request

    ihfwiohefwhiwririhererf.store

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    172.217.168.206

  • 1.1.1.1:53
    ip-api.com
    dns
    112 B
    2

    DNS Request

    ip-api.com

    DNS Request

    ip-api.com

  • 1.1.1.1:53
    ip-api.com
    dns
    112 B
    2

    DNS Request

    ip-api.com

    DNS Request

    ip-api.com

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.dress.pigeon/app_DynamicOptDex/mL.json

    Filesize

    973KB

    MD5

    cec05dccd70934dd89864ccb3e1181e5

    SHA1

    3d8b400e2d684ad53be51f0f7ce4ab044f81fd28

    SHA256

    54a04510955b9d285044af0d0a3bb704db88cb6c57ccbbd45e326917019c581d

    SHA512

    62d206054eeecafbd93ae6401e47134241dfea368f4a9984d32fca7a72cebfa9787194e9b496873abc800e8c40aaa49339c698ed089064680d4bd154d2bcd631

  • /data/data/com.dress.pigeon/app_DynamicOptDex/mL.json

    Filesize

    973KB

    MD5

    1cfff3092a7c49e093def19e3ba245b0

    SHA1

    add0d4edff7d35ed60e5725447b0e527be16993e

    SHA256

    14162502f769f2b78815d5dad25df7a6e2756860e8bdd7f5cd5ad6c2406ed5af

    SHA512

    89259335c432a83dfb07f84cc4075a9c95cbcbff167dc771f9d6637df491e338c353809a0fcdb97ef0cb0623e72843e105ff4010dc01da8be0f90cd5b68a0100

  • /data/data/com.dress.pigeon/app_DynamicOptDex/oat/mL.json.cur.prof

    Filesize

    1KB

    MD5

    80d52dda73a346bb6932e96addb5ff30

    SHA1

    eac3199a1294124315967d774cbfa3df8174383f

    SHA256

    8fa6e1ff8aa0901b92bcd61b2fc81222d0a1cbf3639d3a849151cd0bd20661d4

    SHA512

    3121e715dca8a0579531c4b01ece69eabf1213707610c7b6737f72f31b6e3b892e6c1cc8fa9a69e25bfc966fdd59c03dc36681c10bb176d2615afec90dce959e

  • /data/user/0/com.dress.pigeon/app_DynamicOptDex/mL.json

    Filesize

    2.2MB

    MD5

    f1e4e15f6053f0b6d460b32d39e9c59a

    SHA1

    ff6a25fffa8fe34c9d0274a89d2b05963e97127e

    SHA256

    da1b508761ff1ff20564417804e02a3a058be3c12dafa6e559b43f33383b20ff

    SHA512

    76084bb959e5a86286d41432746e105a8f00c0213883a65168110721587ee02a6b24fe72f4445a11a4a59bd1055de2c35c98000965b9b0b6a0100fae549ea780
