Analysis

  • max time kernel
    3612304s
  • max time network
    157s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
  • submitted
    31-12-2023 01:21

General

  • Target

    22c6380abe1a2ff9b7d6f6d4baf252e2.apk

  • Size

    3.3MB

  • MD5

    22c6380abe1a2ff9b7d6f6d4baf252e2

  • SHA1

    4226fb895d2ea02c462a6aa4965991ef08a5412f

  • SHA256

    d0775b35bb8cb849d1049e9cea3d990f97bf09e908d19c93ba6ce0c184bfa668

  • SHA512

    c873ac10d58390d919ff4b6ffbb216e7f8dc4cdaeb859b91f4a4d58871a63a1b831b4b0da3ac85f92882a7fe8f6231b4a9545d83e65fc17dfbf9175c8be3d73a

  • SSDEEP

    98304:Jy7LJupxtNBfPDGGQ74yVpfPi0Qto94Uhb:JUdupLU7xVpfq0Mo9Fhb

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Makes use of the framework's Accessibility service (2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Loads dropped Dex/Jar (2 IoCs)

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.

Processes

  • com.cwnjcjeo.qhmvgio
    1⤵
    • Makes use of the framework's Accessibility service
    • Loads dropped Dex/Jar
    PID:4518
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cwnjcjeo.qhmvgio/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.cwnjcjeo.qhmvgio/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4547

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.cwnjcjeo.qhmvgio/code_cache/secondary-dexes/tmp-base.apk.classes5112229179318158115.zip

    Filesize

    378KB

    MD5

    bbb41e3f16e9a41311226116f4f68378

    SHA1

    7f8e4b1383c4e24366822485f1e68d45ccee9743

    SHA256

    8f613ac1d7b740322bfaaafda39281a7f98cd7fb9dab7f219e7e2c085f7ba01f

    SHA512

    338dbe19e39789d32a30dc144e5591bc970301f25b4b24b589e513e18b89376eee73c3267a274fa742b3f1b313eb0197d3f00907c58c3552340b664c51329caf

  • /data/user/0/com.cwnjcjeo.qhmvgio/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    fa76eae1a30c01c0f47725a99d390f87

    SHA1

    653386aebabc9d2f716061f4fadc3ae9e8dd79c3

    SHA256

    52a0956e868d9c82898069996d571655c865c0e47d7d747dfaac6cd71af627e3

    SHA512

    d84e2a59b8b7e246d2685b3ec3106eb39debcd72e39b7c39ceb021e73a6ae6888d52868286380d291127976599956b371e98e93794a82a7bee0dee795e902e90

  • /data/user/0/com.cwnjcjeo.qhmvgio/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    e4ff3e883f1cbe3d46585418ed3191f0

    SHA1

    31ffa0303a81dd8f9f15ce06bdbf83e11de39335

    SHA256

    a223f2fec81ef72a202f4b7705e23552066244e22422dd7ef81fe5500d77d149

    SHA512

    cdc96212e5984a53f777377bf772480ff3aa53753dd18f4e08499aa89a28c8f58118b35e78bf05b1ae892a36d9b9af35873d0584b0764d88e2522c274f524fdb
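The "Loads dropped Dex/Jar" signature and the Downloads list above describe the same artifact: secondary dex archives written under the app's code_cache directory and then compiled by dex2oat. The helper below is an added triage script, not part of the sandbox report or of the sample. It walks a directory pulled from a device (for example the output of `adb pull /data/user/0/<pkg>/code_cache`), hashes every file, matches the SHA256 values against the IoC hashes listed in this report, and flags any zip whose entries start with the DEX header magic. The archive built by `build_sample_dex_zip()` is a constructed stand-in for demonstration and contains no real code; the directory path, function names and the 4-byte magic check are assumptions of this example.

```python
"""Added triage helper: hash files from a pulled code_cache directory, match
against the report's IoC hashes, and flag archives carrying a DEX payload.
Not part of the sandbox report or of the analysed sample."""
import hashlib
import io
import os
import zipfile

# SHA256 values copied from the report's Downloads section
REPORT_IOC_SHA256 = {
    "8f613ac1d7b740322bfaaafda39281a7f98cd7fb9dab7f219e7e2c085f7ba01f",
    "52a0956e868d9c82898069996d571655c865c0e47d7d747dfaac6cd71af627e3",
    "a223f2fec81ef72a202f4b7705e23552066244e22422dd7ef81fe5500d77d149",
}

# Every dex version (035, 037, 038, 039) begins with these four bytes
DEX_MAGIC_PREFIX = b"dex\n"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def dex_entries(blob: bytes) -> list:
    """Return the names of zip entries whose content starts with the DEX magic.
    Input that is not a zip archive yields an empty list."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    if fh.read(4) == DEX_MAGIC_PREFIX:
                        found.append(info.filename)
    except zipfile.BadZipFile:
        pass
    return found


def triage_blob(name: str, blob: bytes, ioc_hashes=REPORT_IOC_SHA256) -> dict:
    """Hash one file, check it against the IoC set, and look for embedded dex."""
    digest = sha256_bytes(blob)
    return {
        "name": name,
        "sha256": digest,
        "known_ioc": digest in ioc_hashes,
        "dex_entries": dex_entries(blob),
    }


def triage_directory(root: str, ioc_hashes=REPORT_IOC_SHA256) -> list:
    """Apply triage_blob to every regular file below root (assumed layout:
    a pulled copy of /data/user/0/<pkg>/code_cache)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                results.append(triage_blob(path, fh.read(), ioc_hashes))
    return results


def build_sample_dex_zip() -> bytes:
    """Constructed stand-in for code_cache/secondary-dexes/base.apk.classes1.zip:
    a zip holding an entry that begins with the dex header magic. Not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 0x60)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Offline demonstration on the constructed archive
    print(triage_blob("sample-secondary-dex.zip", build_sample_dex_zip()))
    # Against a real pull: for r in triage_directory("pulled_code_cache"): print(r)
```

A hit on `known_ioc` ties a file on the device to this report; a non-empty `dex_entries` on a file under `code_cache/secondary-dexes` is the on-disk trace of the dynamic loading the sandbox observed, and is worth collecting even when the hash has changed, since the second and third Downloads entries show the same path written with two different hashes in one run.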