hydra | 75f9f66bcbfb732b3720f9b56a5b56a3a671ff4386b0b7dc8195124b0db206c0

Analysis

max time kernel
2352874s
max time network
147s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
20-12-2023 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75f9f66bcbfb732b3720f9b56a5b56a3a671ff4386b0b7dc8195124b0db206c0.apk
Size

3.2MB
MD5

abcef2353f293e694fe3073b53528441
SHA1

0ecf181ad163bf5dc4e316ac61b3d2453ade356c
SHA256

75f9f66bcbfb732b3720f9b56a5b56a3a671ff4386b0b7dc8195124b0db206c0
SHA512

253a63c8c677826085727ef6d73b01142503424c3f952515bd9e6bfe0b4900e9c1b08faeb98f3790042255994ff9d57f274066315981711c0f32e1936bf3a608
SSDEEP

98304:Vz2v/oOd4+e/h8WBJbiBUUPBnzvU0C/MHpCNnvB:koJ+e/h8WfmBxVRqMJC/

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 4 IoCs

resource	yara_rule
behavioral1/memory/4275-0.dex	family_hydra1
behavioral1/memory/4275-0.dex	family_hydra2
behavioral1/memory/4249-0.dex	family_hydra1
behavioral1/memory/4249-0.dex	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.knee.grit
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.knee.grit

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.knee.grit/app_DynamicOptDex/Cb.json	4275	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.knee.grit/app_DynamicOptDex/Cb.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.knee.grit/app_DynamicOptDex/oat/x86/Cb.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.knee.grit/app_DynamicOptDex/Cb.json	4249	com.knee.grit

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.knee.grit

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

com.knee.grit
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
PID:4249
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.knee.grit/app_DynamicOptDex/Cb.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.knee.grit/app_DynamicOptDex/oat/x86/Cb.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4275

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.knee.grit/app_DynamicOptDex/Cb.json

Filesize
1.9MB

MD5
fb546b96e7982734b8c2fcd30400e7ab

SHA1
bc506453e267ae32c2941bfddecc845140b019d9

SHA256
385151bb68cbdd60ea8c33c112a7cd38add4d8a16aefca8ab5567527725c753e

SHA512
5646c3f0a8730cb1951cff3f5a5afd545211c7058f89e4c4935171996c7581a6b61ae7cadd9a44d85e12e2f30bcdd8fcaf5d3a229ded045880a0cb0c64e1f7f3

Download Submit
/data/user/0/com.knee.grit/app_DynamicOptDex/Cb.json

Filesize
5.0MB

MD5
ff0de7a8ac12629d79bae6473713782e

SHA1
c781723078414eed414d1130d4c2833afb12337e

SHA256
995c8aa9282b8e9d3a250beb8f2d15626186b58d76c86e7e3d147c0c00a7799b

SHA512
24f5a065613716ff9fdcbc4c3a738eba8dae0c66064152bb8e4cf347b3216dc6aef2bd98e39a768c3e227a60282772c162da2d836b4e4818aeb655b850067942

Download Submit
/data/user/0/com.knee.grit/app_DynamicOptDex/Cb.json

Filesize
5.0MB

MD5
d95f1101eeab1f220343e0ed048ef7c0

SHA1
cdc16afc942ad5a8d4b6ceae23edbcfa67ecd01a

SHA256
33da05b58fd65c304b74a640a9851b5f6783ee6a7272e4b60908663c35fea4b7

SHA512
166a8d8e20046d6437da342e01203aa951b68eb1bc4da8d2b7ec6ac1a4a73a4121a49df7e4ebd27bf48a51b5050c36cbb836cce747c50bdeb4ac0254b783497f

Download Submit