Analysis

  • max time kernel
    3769115s
  • max time network
    153s
  • platform
    android_x64
  • resource
    android-x64-arm64-20231215-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
  • submitted
    26-12-2023 16:51

General

  • Target

    7e0fb2f9a44f5f0fd16b13a057073c4a.apk

  • Size

    4.8MB

  • MD5

    7e0fb2f9a44f5f0fd16b13a057073c4a

  • SHA1

    a05f51771024502c146840cd976007fa53c09ed1

  • SHA256

    65f49dd1523e0e28ff85f339142b6f36e36203e88ae969ef6e8fb8d3e48c171c

  • SHA512

    0909a1a7d883022f6afbfab5decc3841f8a1b0d0c993fb5730656eef38ee321cae2dcdf32cf11ce3650bdf33bc96f63803a424c104358131f76a9e629c224792

  • SSDEEP

    98304:RbmNnh99Cq7yEvmO4IdrC6MrUl3n46ca26tEQ6iv9L:RSRh99CCyEvmO4IdurK6a26tEQ6QZ

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.

Processes

  • fork.walk.elder
    1⤵
    • Makes use of the framework's Accessibility service
    • Loads dropped Dex/Jar
    PID:4601

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/fork.walk.elder/app_DynamicOptDex/orQR.json

    Filesize

    2.8MB

    MD5

    6f038f3787e42510e4173ca1aae2e115

    SHA1

    3e97fe2e94cdde996ecac2ae167062328b78acce

    SHA256

    326b4f05011f0638e00136b69006f19abda44f00a8bfd0a3dea710eb20e47374

    SHA512

    754a339a52ef94427c4871f27293910353daab9cbc001ceea9406d2b8ce9efbfcaf43629395df28d6f43de4d1be4f5cc16e0b7aea9b2d749380ff210ac033120