hydra | 7aea29658ad2b4aa603442ab56ff391d0d9b30f3996c8fafb6e10d50bc0ab7ae

Analysis

max time kernel
2328131s
max time network
157s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20-12-2023 01:46

Target

7aea29658ad2b4aa603442ab56ff391d0d9b30f3996c8fafb6e10d50bc0ab7ae.apk
Size

3.7MB
MD5

645e0e45a9f31643af73cafb6ade5229
SHA1

90ca44e4a382bb8ce2567b0606f6cd38e6b1c087
SHA256

7aea29658ad2b4aa603442ab56ff391d0d9b30f3996c8fafb6e10d50bc0ab7ae
SHA512

5cf79cc779c64d0745cf278079ad20680e6595378ece72d1496d369484f18a42ac4390ca2b8f9ed7217e1b33af4419eb9ae4dbd31776eed5152c8b0d373b8c27
SSDEEP

98304:mOHNetf++GWwfXgbSP8k38Ug55Cgy/DJ0LMheUi6LjL/:B8f9GJXBP8W8Uk5SbJ0LMcCL/

Score

10^/10

Hydra payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json	family_hydra1
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.turkey.reject

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.turkey.reject
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.turkey.reject

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.turkey.reject

ioc pid process

/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json 4965 com.turkey.reject
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
Reads information about phone network operator.

ioc	pid	process
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json	4965	com.turkey.reject

flow	ioc
11	ip-api.com

com.turkey.reject
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4965

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

/data/data/com.turkey.reject/app_DynamicOptDex/nr.json

Filesize
1.9MB

MD5
179603d4683e87513d0bb1d702d559dc

SHA1
59901d3d0d9543ea4bdbd52840fdafbbabc05426

SHA256
2c78e9cba2f575428f88079bda50c28666497e52c6afbe2ae7e97a0762e40d13

SHA512
9daa9b27425cec4d3fb32b32708ae97c91559bc010a16885159f29de9b062fa569d87e74ce83e3cafd396dd90fe929872dd2eb827c95f8863f40d8af34ad8a80

Download Submit
/data/data/com.turkey.reject/app_DynamicOptDex/oat/nr.json.cur.prof

Filesize
1KB

MD5
ecde79d7c5a46c2db02197890fd8fdc5

SHA1
30af28a1a67c00055c122eb4836d5507497ed815

SHA256
d179038471132c064622ded41234a79e27f3a9cfcab526360a3fa0f4c16b9787

SHA512
9fbfd14cdda2d8bf33b746e6d3f1d356bcb33b026a1423d3cfbb56ea35aa700e1b785a24c0f02bc50e7d435627850624a4fc82198bf8cdd9c071bd6abef4bd65

Download Submit
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json

Filesize
5.0MB

MD5
6ff45069ad6c726842a6215431e4057c

SHA1
b483ff6942a834895cd255ff8c17f9b81b12d042

SHA256
0472292bcc0c0ff67e181f8fefe60bba9ad48ef93f45cfb4f0a08dd09b9ef395

SHA512
4c0c3a4056430f6b82f6de379713eb44a0f91ebe3d082a0f4375d1f80641e76cad9ae11d3e060cd661e0a757e1b805c18f8d9f5629c5cc92af3727ccc1119c34

Download Submit