Analysis

max time kernel: 2633879s
max time network: 158s
platform: android_x86
resource: android-x86-arm-20231215-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
submitted: 23-12-2023 18:24
Static task: static1

Behavioral task: behavioral1
  Sample: 65f49dd1523e0e28ff85f339142b6f36e36203e88ae969ef6e8fb8d3e48c171c.apk
  Resource: android-x86-arm-20231215-en

Behavioral task: behavioral2
  Sample: 65f49dd1523e0e28ff85f339142b6f36e36203e88ae969ef6e8fb8d3e48c171c.apk
  Resource: android-x64-20231215-en

Behavioral task: behavioral3
  Sample: 65f49dd1523e0e28ff85f339142b6f36e36203e88ae969ef6e8fb8d3e48c171c.apk
  Resource: android-x64-arm64-20231215-en
General

Target: 65f49dd1523e0e28ff85f339142b6f36e36203e88ae969ef6e8fb8d3e48c171c.apk
Size: 4.8MB
MD5: 7e0fb2f9a44f5f0fd16b13a057073c4a
SHA1: a05f51771024502c146840cd976007fa53c09ed1
SHA256: 65f49dd1523e0e28ff85f339142b6f36e36203e88ae969ef6e8fb8d3e48c171c
SHA512: 0909a1a7d883022f6afbfab5decc3841f8a1b0d0c993fb5730656eef38ee321cae2dcdf32cf11ce3650bdf33bc96f63803a424c104358131f76a9e629c224792
SSDEEP: 98304:RbmNnh99Cq7yEvmO4IdrC6MrUl3n46ca26tEQ6iv9L:RSRh99CCyEvmO4IdurK6a26tEQ6QZ
Malware Config

Signatures

Hydra
Android banker and info stealer.

Hydra payload (2 IoCs)
  resource                         yara_rule
  behavioral1/files/fstream-2.dat  family_hydra1
  behavioral1/memory/4488-1.dex    family_hydra1

Makes use of the framework's Accessibility service (2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description             ioc                                                                                                  Process
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  fork.walk.elder
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId          fork.walk.elder

Loads dropped Dex/Jar (3 IoCs)
Runs executable file dropped to the device during analysis.
  ioc                                                        pid   Process
  /data/user/0/fork.walk.elder/app_DynamicOptDex/orQR.json   4488  fork.walk.elder
  /data/user/0/fork.walk.elder/app_DynamicOptDex/orQR.json   4516  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fork.walk.elder/app_DynamicOptDex/orQR.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/fork.walk.elder/app_DynamicOptDex/oat/x86/orQR.odex --compiler-filter=quicken --class-loader-context=&
  /data/user/0/fork.walk.elder/app_DynamicOptDex/orQR.json   4488  fork.walk.elder

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  7     ip-api.com

Reads information about phone network operator.
Processes

fork.walk.elder (PID:4488)
  - Makes use of the framework's Accessibility service
  - Loads dropped Dex/Jar
  └ /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fork.walk.elder/app_DynamicOptDex/orQR.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/fork.walk.elder/app_DynamicOptDex/oat/x86/orQR.odex --compiler-filter=quicken --class-loader-context=& (PID:4516)
      - Loads dropped Dex/Jar
Network
MITRE ATT&CK Matrix
Downloads