hydra | 7aea29658ad2b4aa603442ab56ff391d0d9b30f3996c8fafb6e10d50bc0ab7ae

Analysis

max time kernel
2328155s
max time network
149s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 01:46

Target

7aea29658ad2b4aa603442ab56ff391d0d9b30f3996c8fafb6e10d50bc0ab7ae.apk
Size

3.7MB
MD5

645e0e45a9f31643af73cafb6ade5229
SHA1

90ca44e4a382bb8ce2567b0606f6cd38e6b1c087
SHA256

7aea29658ad2b4aa603442ab56ff391d0d9b30f3996c8fafb6e10d50bc0ab7ae
SHA512

5cf79cc779c64d0745cf278079ad20680e6595378ece72d1496d369484f18a42ac4390ca2b8f9ed7217e1b33af4419eb9ae4dbd31776eed5152c8b0d373b8c27
SSDEEP

98304:mOHNetf++GWwfXgbSP8k38Ug55Cgy/DJ0LMheUi6LjL/:B8f9GJXBP8W8Uk5SbJ0LMcCL/

Score

10^/10

Hydra payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json	family_hydra1
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.turkey.reject

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.turkey.reject
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.turkey.reject

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.turkey.reject

ioc pid process

/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json 4492 com.turkey.reject
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 ip-api.com
Reads information about phone network operator.

ioc	pid	process
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json	4492	com.turkey.reject

flow	ioc
26	ip-api.com

com.turkey.reject
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4492

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json

Filesize
1.9MB

MD5
179603d4683e87513d0bb1d702d559dc

SHA1
59901d3d0d9543ea4bdbd52840fdafbbabc05426

SHA256
2c78e9cba2f575428f88079bda50c28666497e52c6afbe2ae7e97a0762e40d13

SHA512
9daa9b27425cec4d3fb32b32708ae97c91559bc010a16885159f29de9b062fa569d87e74ce83e3cafd396dd90fe929872dd2eb827c95f8863f40d8af34ad8a80

Download Submit
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json

Filesize
1.9MB

MD5
d42ef8ff977b184464fb50a9e9de6503

SHA1
2f2e1b9f9105cd346658107ff0b96e62e823b423

SHA256
faf9a71936f7a157c666d56f81c13d2a4617198f483a6bf528752feaa026884b

SHA512
0593fb890f91a77aee4a8ba4aba58b3b5a71ed80b3a4c5df3ea7edf936c699349cb49edcfc33640f0471c870d9ac4b21c5f1d2530e0a9d27934e34ca5a1c51e9

Download Submit
/data/user/0/com.turkey.reject/app_DynamicOptDex/nr.json

Filesize
5.0MB

MD5
6ff45069ad6c726842a6215431e4057c

SHA1
b483ff6942a834895cd255ff8c17f9b81b12d042

SHA256
0472292bcc0c0ff67e181f8fefe60bba9ad48ef93f45cfb4f0a08dd09b9ef395

SHA512
4c0c3a4056430f6b82f6de379713eb44a0f91ebe3d082a0f4375d1f80641e76cad9ae11d3e060cd661e0a757e1b805c18f8d9f5629c5cc92af3727ccc1119c34

Download Submit