hydra | 83380ae57698d2b13e0773969c68e2ea32d02ff1955be0f865cfaace62cf1917

Analysis

max time kernel
2350577s
max time network
153s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20-12-2023 04:13

Target

83380ae57698d2b13e0773969c68e2ea32d02ff1955be0f865cfaace62cf1917.apk
Size

6.9MB
MD5

09c03c318ab6a1b5f201f81480de022f
SHA1

01b01d29b8b62e8152438740f8956c8a0ab730a4
SHA256

83380ae57698d2b13e0773969c68e2ea32d02ff1955be0f865cfaace62cf1917
SHA512

52ae7f63a3b91fc681f77aad31e2cde23c916394c77c354c0913ec32415847887dad8e16069a6d1036aa3c678e23922cef2d76ef6feb10b70458af6534827ce9
SSDEEP

196608:GM6ePkMV3JKPaCalpxnz2A55eHKMeW2aNyeyrMhGyNL:GM5Pp5KSCaNnz9aK8G2L

Score

10^/10

Hydra payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/base.apk.w8jqGoI1.gu8	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.rhwnanvo.prupgwg

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.rhwnanvo.prupgwg
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.rhwnanvo.prupgwg

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.rhwnanvo.prupgwg

ioc pid process

/data/user/0/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/base.apk.w8jqGoI1.gu8 4983 com.rhwnanvo.prupgwg
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
Reads information about phone network operator.

ioc	pid	process
/data/user/0/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/base.apk.w8jqGoI1.gu8	4983	com.rhwnanvo.prupgwg

flow	ioc
11	ip-api.com

com.rhwnanvo.prupgwg
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4983

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

/data/data/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/tmp-base.apk.w8jqGoI3591272316912337273.gu8
Filesize
1.8MB

MD5
38645f9fb85938ddda82989512d96aa8

SHA1
eae7b23f8af9d6af893c38a0740b41f2ef645ac5

SHA256
f238163d21eaae3c175caf7be6643c47d29a2dbd9020d4ea9d0641afab0ccbca

SHA512
68917337484ad4418791eb0679b7500a3fd0b5d45be0fc0d33abaac91a533ec8533d94dc3a6dbda4c36983c891c9ac5a95e84c27e97a318e2bbd38e42ea4d813

Download Submit
/data/user/0/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/base.apk.w8jqGoI1.gu8
Filesize
7.4MB

MD5
cc32b7410f7250c0f9afeed4a489a427

SHA1
811455f73cc9aa0c4a1cbafc94d936001297a623

SHA256
8c59a4d341dd808acb09ec04793a6b37b0e516e9c19bc592df67d159829a9eab

SHA512
0f9e2498f656485f87d074379080c7146b2cae87d8bd313d18a279557a2234e6e63e5d2ff8019d52f186dbb15fb3405da0aa6e39d26954c7bcd091bac5d1f3b8

Download Submit