hydra | a3b826de0c445f0924c50939494a26b0d99ef3ccac80faacca98673625656278

Analysis

max time kernel
2498079s
max time network
150s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 10:30

Target

a3b826de0c445f0924c50939494a26b0d99ef3ccac80faacca98673625656278.apk
Size

3.9MB
MD5

29dbb4d3b12ef397538f6bfc04005af4
SHA1

a66e0803bcd3de355c4a0bbfc8cbe37141564b89
SHA256

a3b826de0c445f0924c50939494a26b0d99ef3ccac80faacca98673625656278
SHA512

5abfd4248dc26e17b751158fa8099db65f13eb96a1194d6d2d73a0ff8ee518b346d0ccd31eca8ae59822f950b22ab0861077fcbac067c864ed812fc19ae8d544
SSDEEP

98304:KoFFYtf1csBoNed4ri6MUp28jXTzUQqMMb5hMhk3hl1pcTSyFtBUZ:KtocIi6MQj3UQqMMOk3hl1pcTSyFtqZ

Score

10^/10

Hydra payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.almost.sign/app_DynamicOptDex/ZLGn.json	family_hydra1
/data/user/0/com.almost.sign/app_DynamicOptDex/ZLGn.json	family_hydra2

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.almost.sign

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.almost.sign
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.almost.sign

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.almost.sign

ioc pid process

/data/user/0/com.almost.sign/app_DynamicOptDex/ZLGn.json 4480 com.almost.sign
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 ip-api.com
Reads information about phone network operator.

ioc	pid	process
/data/user/0/com.almost.sign/app_DynamicOptDex/ZLGn.json	4480	com.almost.sign

flow	ioc
32	ip-api.com

com.almost.sign
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4480

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

/data/user/0/com.almost.sign/app_DynamicOptDex/ZLGn.json

Filesize
1.9MB

MD5
82cd5f1eac6ecdd7bddcd9c4a98c6dd3

SHA1
47e12b219cd9a394886e7857d1d4a4b82bacb1b0

SHA256
405e53c858b168a50a97a65d45405b68a092b193fe1a140ba9b223a5a3ef7de1

SHA512
0a7d85589cf4d8ba1a5d10a91351748eafddf27744c8d4018cbc787d9b0e9de53fdd6f89e0a88520642da25290d3406d821656436c689339a39dc93dc821c134

Download Submit
/data/user/0/com.almost.sign/app_DynamicOptDex/ZLGn.json

Filesize
1.9MB

MD5
7c07cf97b99ddac1a620e0b05aefe41b

SHA1
c6012dbcc00f1d281fdc83f124be35832d181c20

SHA256
de7ab99446b600890440f45cf84e7ef6a9eb33ee0bdceececc1a42a7a5366e1e

SHA512
e37480d292f25fcb20126399fb7ef1294444822ef4dce182494a550ca790a88f407c86dd4c14dc08bbd816d32eb9007ef3e6e2a7e1a1e7b0a111e4220aa25a64

Download Submit
/data/user/0/com.almost.sign/app_DynamicOptDex/ZLGn.json

Filesize
5.0MB

MD5
412826ee6d6fab98a5471008a2cd1118

SHA1
17ae43b5a9128d4df9c140833bf696c42bf04ccb

SHA256
26fdc35c4216c1b7a810ac2e341630cca4b5faa92561df7c42ccb6ea408a8d7f

SHA512
8f2c5b00a730a114384f7250d2a728283909da3849bdc6f2a222891a318db520fa414ff03135afb07bf3ef44aa5af8d5efb716f1a74cf4221a5c89321d963678

Download Submit