hydra | 7aea29658ad2b4aa603442ab56ff391d0d9b30f3996c8fafb6e10d50bc0ab7ae

Analysis

max time kernel
2373040s
max time network
154s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
20-12-2023 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7aea29658ad2b4aa603442ab56ff391d0d9b30f3996c8fafb6e10d50bc0ab7ae.apk
Size

3.7MB
MD5

645e0e45a9f31643af73cafb6ade5229
SHA1

90ca44e4a382bb8ce2567b0606f6cd38e6b1c087
SHA256

7aea29658ad2b4aa603442ab56ff391d0d9b30f3996c8fafb6e10d50bc0ab7ae
SHA512

5cf79cc779c64d0745cf278079ad20680e6595378ece72d1496d369484f18a42ac4390ca2b8f9ed7217e1b33af4419eb9ae4dbd31776eed5152c8b0d373b8c27
SSDEEP

98304:mOHNetf++GWwfXgbSP8k38Ug55Cgy/DJ0LMheUi6LjL/:B8f9GJXBP8W8Uk5SbJ0LMcCL/

Score

10^/10

hydra banker infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 4 IoCs

Processes:

resource	yara_rule
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json	family_hydra1
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json	family_hydra2
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json	family_hydra1
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.turkey.reject

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.turkey.reject
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.turkey.reject

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.turkey.reject/app_DynamicOptDex/oat/x86/nr.odex --compiler-filter=quicken --class-loader-context=&com.turkey.reject

ioc	pid	process
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json	4279	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.turkey.reject/app_DynamicOptDex/oat/x86/nr.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json	4252	com.turkey.reject

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com
Reads information about phone network operator.

flow	ioc
9	ip-api.com

com.turkey.reject
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4252

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.turkey.reject/app_DynamicOptDex/oat/x86/nr.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4279

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.turkey.reject/app_DynamicOptDex/nr.json
Filesize
1.9MB

MD5
179603d4683e87513d0bb1d702d559dc

SHA1
59901d3d0d9543ea4bdbd52840fdafbbabc05426

SHA256
2c78e9cba2f575428f88079bda50c28666497e52c6afbe2ae7e97a0762e40d13

SHA512
9daa9b27425cec4d3fb32b32708ae97c91559bc010a16885159f29de9b062fa569d87e74ce83e3cafd396dd90fe929872dd2eb827c95f8863f40d8af34ad8a80

Download Submit
/data/data/com.turkey.reject/app_DynamicOptDex/nr.json
Filesize
1.9MB

MD5
d42ef8ff977b184464fb50a9e9de6503

SHA1
2f2e1b9f9105cd346658107ff0b96e62e823b423

SHA256
faf9a71936f7a157c666d56f81c13d2a4617198f483a6bf528752feaa026884b

SHA512
0593fb890f91a77aee4a8ba4aba58b3b5a71ed80b3a4c5df3ea7edf936c699349cb49edcfc33640f0471c870d9ac4b21c5f1d2530e0a9d27934e34ca5a1c51e9

Download Submit
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json
Filesize
5.0MB

MD5
f124bb14475267946c69722946708ace

SHA1
9bbf36bf39619e023c2e72cb7ae0b8be112bea1c

SHA256
84df95dc88b8fbfbccd64997621fb95d763aa5e89ee813d6ef0bd3132383bf4c

SHA512
e9c74c55a24808cf6ef1b23cbf64fdf5a9419d27644838b4f406ce4088c5b8d1b002cbc2107c2db57727b03b24239679de75b7b880f599465cec7b470517d338

Download Submit
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json
Filesize
5.0MB

MD5
6ff45069ad6c726842a6215431e4057c

SHA1
b483ff6942a834895cd255ff8c17f9b81b12d042

SHA256
0472292bcc0c0ff67e181f8fefe60bba9ad48ef93f45cfb4f0a08dd09b9ef395

SHA512
4c0c3a4056430f6b82f6de379713eb44a0f91ebe3d082a0f4375d1f80641e76cad9ae11d3e060cd661e0a757e1b805c18f8d9f5629c5cc92af3727ccc1119c34

Download Submit