hydra | 83380ae57698d2b13e0773969c68e2ea32d02ff1955be0f865cfaace62cf1917

Analysis

max time kernel
2350575s
max time network
159s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 04:13

Target

83380ae57698d2b13e0773969c68e2ea32d02ff1955be0f865cfaace62cf1917.apk
Size

6.9MB
MD5

09c03c318ab6a1b5f201f81480de022f
SHA1

01b01d29b8b62e8152438740f8956c8a0ab730a4
SHA256

83380ae57698d2b13e0773969c68e2ea32d02ff1955be0f865cfaace62cf1917
SHA512

52ae7f63a3b91fc681f77aad31e2cde23c916394c77c354c0913ec32415847887dad8e16069a6d1036aa3c678e23922cef2d76ef6feb10b70458af6534827ce9
SSDEEP

196608:GM6ePkMV3JKPaCalpxnz2A55eHKMeW2aNyeyrMhGyNL:GM5Pp5KSCaNnz9aK8G2L

Score

10^/10

Hydra payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/base.apk.w8jqGoI1.gu8	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.rhwnanvo.prupgwg

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.rhwnanvo.prupgwg
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.rhwnanvo.prupgwg

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.rhwnanvo.prupgwg

ioc pid process

/data/user/0/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/base.apk.w8jqGoI1.gu8 4588 com.rhwnanvo.prupgwg
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com
Reads information about phone network operator.

ioc	pid	process
/data/user/0/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/base.apk.w8jqGoI1.gu8	4588	com.rhwnanvo.prupgwg

flow	ioc
22	ip-api.com

com.rhwnanvo.prupgwg
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4588

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

/data/user/0/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/base.apk.w8jqGoI1.gu8
Filesize
7.4MB

MD5
cc32b7410f7250c0f9afeed4a489a427

SHA1
811455f73cc9aa0c4a1cbafc94d936001297a623

SHA256
8c59a4d341dd808acb09ec04793a6b37b0e516e9c19bc592df67d159829a9eab

SHA512
0f9e2498f656485f87d074379080c7146b2cae87d8bd313d18a279557a2234e6e63e5d2ff8019d52f186dbb15fb3405da0aa6e39d26954c7bcd091bac5d1f3b8

Download Submit
/data/user/0/com.rhwnanvo.prupgwg/yyitdFkqjU/Tojg7gIyjfFf7ke/tmp-base.apk.w8jqGoI3882912557799955294.gu8
Filesize
1.1MB

MD5
bb84117d3111b5fb5b48b2bf2931398a

SHA1
10f43669768083cd7454fa97403753676438c795

SHA256
77d076fe3e9304c82e0148d4660eae2f0dcb4eaf6e75fbe441b8f01bbd820130

SHA512
f6fdda7d7989e34aa1084484367548fd6cd4d96b96ca7f0b71587d801e093bb841a977b5a7b2cb11acd76fb8b7ad3e1a2ef76150cfa72c2a33378eeb34f99515

Download Submit