hydra | 73fcd12578ff36a3575898e5c2f6bf9bba7cfb40f936d2092c6f81ec7ebe8975

Analysis

max time kernel
2285791s
max time network
155s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
20-12-2023 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73fcd12578ff36a3575898e5c2f6bf9bba7cfb40f936d2092c6f81ec7ebe8975.apk
Size

6.4MB
MD5

168b29ef92c0931eb31531fa049adc58
SHA1

02813110ec1d35371b69613b4226246c4745aa95
SHA256

73fcd12578ff36a3575898e5c2f6bf9bba7cfb40f936d2092c6f81ec7ebe8975
SHA512

e5f3788607294a31ccf41a6fde470ac08916eccdaca57caeb8cf2acf3e710f011e245bf91422c60fdef1a6a58ba9456f8e47ae0cda8882b57710a8c0259b88ce
SSDEEP

196608:UIOdjjuuxyUmCaK/fK/8K+t8qLpZ/7xceP77J:UIujjuukNKHk8VnH/FP7t

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/base.apk.gFg88py1.F8u	family_hydra2
/data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/base.apk.gFg88py1.F8u	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.dazgytun.vfohonn

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.dazgytun.vfohonn
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.dazgytun.vfohonn

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/base.apk.gFg88py1.F8u --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/oat/x86/base.apk.gFg88py1.odex --compiler-filter=quicken --class-loader-context=&com.dazgytun.vfohonn

ioc	pid	process
/data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/base.apk.gFg88py1.F8u	4283	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/base.apk.gFg88py1.F8u --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/oat/x86/base.apk.gFg88py1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/base.apk.gFg88py1.F8u	4254	com.dazgytun.vfohonn

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com
Reads information about phone network operator.

flow	ioc
14	ip-api.com

com.dazgytun.vfohonn
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4254

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/base.apk.gFg88py1.F8u --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/oat/x86/base.apk.gFg88py1.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4283

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/tmp-base.apk.gFg88py882639834246310533.F8u
Filesize
2.5MB

MD5
44e53de97db1542d9ab9a8da3da4a1ba

SHA1
3e4e002befe06f34bfbbdc97efd032eb7e731f68

SHA256
5d7891189f95ade89c65a5046e8cede2ba57e788f88fcb0da5cffe0dfdc83edc

SHA512
53c24e83010692f340850e062547f2a6c9b107f3b41dbda5dd05d72428069195620ef5285ef5cf94fa9542efe7c7b62510023c14c55a3d0aec0c85e8f619fb73

Download Submit
/data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/base.apk.gFg88py1.F8u
Filesize
7.4MB

MD5
3420a89e97cc3827c4294fcd7c579897

SHA1
d89f9938b3f1b1f429e3c69ecfc7b319f9684065

SHA256
ab52f15ee05cbdfd9981e8c0650396e9af657e872491faa0c1442f1d933a4986

SHA512
47c369ad0298b5b96ae3a7dac9953771a9b8308ef225fbee26cd9c700ac50c9b5b56bd25ecd613aa9b27ccb70c5d403f41886c5edf72030ac503f263ac7e9970

Download Submit
/data/user/0/com.dazgytun.vfohonn/uIU7G8gH8F/HfgU98qGygiuyuI/base.apk.gFg88py1.F8u
Filesize
7.4MB

MD5
596ea494f59e8bf2768ce30a98a6ce06

SHA1
bf7ef788bfbf671f23617d5322ad1a7db4a27123

SHA256
13e0b11f7733a44824d0fd56034fcf43e2b73b3709dac4e7dcc97260952f1518

SHA512
565b337eed6f8f476f91f41a94f9fa29042564be70570d81c10fb759b0a16db45db580d01ad642b95b3d686c40a53f27c1e0470f4007ec776ea75542169bac05

Download Submit