Analysis
-
max time kernel
3612304s -
max time network
157s -
platform
android_x86 -
resource
android-x86-arm-20231215-en -
resource tags
android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system -
submitted
31-12-2023 01:21
Static task
static1
Behavioral task
behavioral1
Sample
22c6380abe1a2ff9b7d6f6d4baf252e2.apk
Resource
android-x86-arm-20231215-en
Behavioral task
behavioral2
Sample
22c6380abe1a2ff9b7d6f6d4baf252e2.apk
Behavioral task
behavioral3
Sample
22c6380abe1a2ff9b7d6f6d4baf252e2.apk
General
-
Target
22c6380abe1a2ff9b7d6f6d4baf252e2.apk
-
Size
3.3MB
-
MD5
22c6380abe1a2ff9b7d6f6d4baf252e2
-
SHA1
4226fb895d2ea02c462a6aa4965991ef08a5412f
-
SHA256
d0775b35bb8cb849d1049e9cea3d990f97bf09e908d19c93ba6ce0c184bfa668
-
SHA512
c873ac10d58390d919ff4b6ffbb216e7f8dc4cdaeb859b91f4a4d58871a63a1b831b4b0da3ac85f92882a7fe8f6231b4a9545d83e65fc17dfbf9175c8be3d73a
-
SSDEEP
98304:Jy7LJupxtNBfPDGGQ74yVpfPi0Qto94Uhb:JUdupLU7xVpfq0Mo9Fhb
Malware Config
Signatures
-
Hydra
Android banker and info stealer.
-
Makes use of the framework's Accessibility service 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.cwnjcjeo.qhmvgio
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.cwnjcjeo.qhmvgio
-
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.cwnjcjeo.qhmvgio/code_cache/secondary-dexes/base.apk.classes1.zip | 4547 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cwnjcjeo.qhmvgio/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.cwnjcjeo.qhmvgio/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.cwnjcjeo.qhmvgio/code_cache/secondary-dexes/base.apk.classes1.zip | 4518 | com.cwnjcjeo.qhmvgio
-
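The dex2oat invocation above is the runtime's reaction to the sample loading a second stage out of its own code_cache directory: on Android 9, ART compiles a dex handed to a class loader, so the --dex-file argument records exactly where the dropped payload lives. As an added detection example (not part of the sandbox report, and not the sandbox's own signature logic), the script below parses a dex2oat command line and raises a finding when the dex being compiled sits in package-private storage rather than under the installed APK (/data/app) or a system partition. The report's command line is embedded as sample input; the benign counterpart, the trusted-prefix list and the package-path regex are assumptions chosen for the example.

```python
"""Flag dex2oat runs that compile a dex dropped into app-private storage.

Hydra-style droppers unpack a second stage into the app's own code_cache
directory and load it at runtime through a class loader; ART then spawns
/system/bin/dex2oat to compile it, producing the command line the sandbox
recorded. The --dex-file path tells us where the payload was written.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: locations from which an app legitimately executes dex code.
TRUSTED_DEX_PREFIXES = ("/system/", "/data/app/", "/product/", "/vendor/", "/apex/")

# Package-private storage: a dex here was written by the app itself at runtime.
PRIVATE_STORAGE_RE = re.compile(r"^/data/(?:user/\d+|data)/(?P<pkg>[A-Za-z0-9_.]+)/")

# The dex2oat invocation recorded in the report above (taken from the page).
HYDRA_DEX2OAT = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.cwnjcjeo.qhmvgio/code_cache/secondary-dexes/base.apk.classes1.zip "
    "--output-vdex-fd=44 --oat-fd=45 "
    "--oat-location=/data/user/0/com.cwnjcjeo.qhmvgio/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Constructed benign counterpart (not from the report): compiling an installed APK.
BENIGN_DEX2OAT = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--dex-file=/data/app/com.example.app-1/base.apk "
    "--oat-location=/data/app/com.example.app-1/oat/x86/base.odex "
    "--compiler-filter=speed-profile"
)


@dataclass
class Dex2oatFinding:
    dex_file: str
    oat_location: str
    compiler_filter: str
    runtime_args: List[str]
    owner_package: Optional[str]
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def parse_dex2oat(cmdline: str) -> Dict[str, object]:
    """Map a dex2oat command line to {option: value}.

    dex2oat takes --key=value options; --runtime-arg takes its value from the
    *next* token and may repeat, so those are collected in a list. If an
    option repeats, the later value is kept (the report's command line passes
    --instruction-set-features twice).
    """
    tokens = shlex.split(cmdline)
    opts: Dict[str, object] = {"runtime_args": []}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--runtime-arg" and i + 1 < len(tokens):
            opts["runtime_args"].append(tokens[i + 1])
            i += 2
            continue
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts[key] = value
        i += 1
    return opts


def classify_dex2oat(cmdline: str) -> Dex2oatFinding:
    """Decide whether this dex2oat run compiles a runtime-dropped dex."""
    opts = parse_dex2oat(cmdline)
    dex_file = str(opts.get("dex-file", ""))
    reasons: List[str] = []

    match = PRIVATE_STORAGE_RE.match(dex_file)
    owner = match.group("pkg") if match else None

    if dex_file and not dex_file.startswith(TRUSTED_DEX_PREFIXES):
        reasons.append(f"dex-file outside trusted code locations: {dex_file}")
    if owner is not None:
        reasons.append(f"dex-file is in private storage of {owner}, so the app wrote it at runtime")
    if "/code_cache/" in dex_file or "/secondary-dexes/" in dex_file:
        reasons.append("path matches a runtime-unpacked secondary dex")

    return Dex2oatFinding(
        dex_file=dex_file,
        oat_location=str(opts.get("oat-location", "")),
        compiler_filter=str(opts.get("compiler-filter", "")),
        runtime_args=list(opts["runtime_args"]),
        owner_package=owner,
        suspicious=bool(reasons),
        reasons=reasons,
    )


if __name__ == "__main__":
    for label, cmd in (("report", HYDRA_DEX2OAT), ("benign", BENIGN_DEX2OAT)):
        finding = classify_dex2oat(cmd)
        print(f"[{label}] suspicious={finding.suspicious} dex={finding.dex_file}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Run against the report's command line the finding names com.cwnjcjeo.qhmvgio as the owner of the dropped dex and fires on all three checks; the constructed /data/app case produces no reasons. The same classifier can be fed dex2oat lines from `logcat` or a process monitor on a device, where the parent package (PID 4518 here) identifies the loader.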
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
8 | ip-api.com
-
-
Reads information about phone network operator.
Processes
-
com.cwnjcjeo.qhmvgio
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4518
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cwnjcjeo.qhmvgio/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.cwnjcjeo.qhmvgio/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=& (child of PID 4518)
  - Loads dropped Dex/Jar
  PID:4547
-
Network
MITRE ATT&CK Matrix
Downloads
-
/data/data/com.cwnjcjeo.qhmvgio/code_cache/secondary-dexes/tmp-base.apk.classes5112229179318158115.zip
Filesize
378KB
MD5
bbb41e3f16e9a41311226116f4f68378
SHA1
7f8e4b1383c4e24366822485f1e68d45ccee9743
SHA256
8f613ac1d7b740322bfaaafda39281a7f98cd7fb9dab7f219e7e2c085f7ba01f
SHA512
338dbe19e39789d32a30dc144e5591bc970301f25b4b24b589e513e18b89376eee73c3267a274fa742b3f1b313eb0197d3f00907c58c3552340b664c51329caf
-
Filesize
902KB
MD5
fa76eae1a30c01c0f47725a99d390f87
SHA1
653386aebabc9d2f716061f4fadc3ae9e8dd79c3
SHA256
52a0956e868d9c82898069996d571655c865c0e47d7d747dfaac6cd71af627e3
SHA512
d84e2a59b8b7e246d2685b3ec3106eb39debcd72e39b7c39ceb021e73a6ae6888d52868286380d291127976599956b371e98e93794a82a7bee0dee795e902e90
-
Filesize
902KB
MD5
e4ff3e883f1cbe3d46585418ed3191f0
SHA1
31ffa0303a81dd8f9f15ce06bdbf83e11de39335
SHA256
a223f2fec81ef72a202f4b7705e23552066244e22422dd7ef81fe5500d77d149
SHA512
cdc96212e5984a53f777377bf772480ff3aa53753dd18f4e08499aa89a28c8f58118b35e78bf05b1ae892a36d9b9af35873d0584b0764d88e2522c274f524fdb