Analysis
-
max time kernel
2462041s -
max time network
156s -
platform
android_x64 -
resource
android-x64-20231215-en -
resource tags
androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system -
submitted
20-12-2023 09:00
Static task
static1
Behavioral task
behavioral1
Sample
9939bea82bef38dff91be0182d26c13694dec687d1b8971bb2924076b89646f1.apk
Behavioral task
behavioral2
Sample
9939bea82bef38dff91be0182d26c13694dec687d1b8971bb2924076b89646f1.apk
Resource
android-x64-20231215-en
Behavioral task
behavioral3
Sample
9939bea82bef38dff91be0182d26c13694dec687d1b8971bb2924076b89646f1.apk
Resource
android-x64-arm64-20231215-en
General
-
Target
9939bea82bef38dff91be0182d26c13694dec687d1b8971bb2924076b89646f1.apk
-
Size
3.3MB
-
MD5
c81e236e8e7445375ee40d8e3f327873
-
SHA1
43fd1ac04a1793ceb60061c402c3f2bab67daa1c
-
SHA256
9939bea82bef38dff91be0182d26c13694dec687d1b8971bb2924076b89646f1
-
SHA512
f9a385117ca8b1c2a407c9d3e2bb24dd084b595a6e35f1be5c6526b872bdad215b2d365cb5e2b86a2abdde1b5f12adef515a1f44d78ae4a15a1de84f9fe36a48
-
SSDEEP
98304:7ML/uN7+YiIEv6gbk2f4qn3KEPi/MvxlnciASbG9Qv7JvEH:likx2l3KEPUMZ6UK9Qvtm
Malware Config
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra payload 2 IoCs
resource yara_rule behavioral2/memory/4960-0.dex family_hydra1 behavioral2/memory/4960-0.dex family_hydra2 -
Makes use of the framework's Accessibility service 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.weapon.fox Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.weapon.fox -
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.weapon.fox/app_DynamicOptDex/WpA.json 4960 com.weapon.fox -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 11 ip-api.com -
Reads information about phone network operator.
Processes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5040d387a5d2e089ff270f01807791ee6
SHA166651e50bf15297333663fa27c258a2691d80599
SHA256c41f3a34e79d81596434b7ba2b59c6282d24cc99460849f4db9ef48379c153c9
SHA512f12a9fdc32ab1faf97a981d551d8d7367a31a0e75670df25fecd27e54fe33bfaf4289961b6e5d7920a69d68ebfde1f1e91dc18ed99f196ca6a1483e332627efc
-
Filesize
1KB
MD54ae451305874e45106a28774a5c992f2
SHA14edd7aa7b8b585518b8ae3212ce565325234e6d8
SHA256d7633d48b35c3d9197ec416a7f9ea9ff9479646dd58a6162bb45ca0cbe8ddecc
SHA512ee96b0b8ff48a58322ff3bffba99b871d925341100f5a19dfd0a607becbf77a17972fe17fa199f5bf96b2e27749a4e27d4fd0b3b072f4ade8afe00cbbb85a0f0
-
Filesize
5.0MB
MD50143e9febfc6d0ff7d33bfc457c46384
SHA18dc57856294c219551d9806f40f8048e04e630fe
SHA256a03aa26bbe25cf37773ed9378745a675a775c1a27c1c9c13f4eecab4117d8678
SHA512631112637bcaf70c765efe3697bd1f13dc00647829d1a6f80facce0a32054c0e83eeb5fc06b73e04f983f72effac24e6b921909f550f90e5391f995a7f47279a