Analysis
-
max time kernel
3715264s -
max time network
136s -
platform
android_x86 -
resource
android-x86-arm-20231215-en -
resource tags
android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system -
submitted
06-01-2024 06:22
Static task
static1
Behavioral tasks
behavioral1: 45830da853df876cc3e46716c7da738b.apk on android-x86-arm-20231215-en
behavioral2: 45830da853df876cc3e46716c7da738b.apk on android-x64-20231215-en
behavioral3: 45830da853df876cc3e46716c7da738b.apk on android-x64-arm64-20231215-en
behavioral4: vk_dex.apk on android-x86-arm-20231215-en
behavioral5: vk_dex.apk on android-x64-20231215-en
behavioral6: vk_dex.apk on android-x64-arm64-20231215-en
General
-
Target
45830da853df876cc3e46716c7da738b.apk
-
Size
3.2MB
-
MD5
45830da853df876cc3e46716c7da738b
-
SHA1
cfac92065b0d115504e008683ec792e8ddc54925
-
SHA256
ae6f5521304808c1871efeb9168ad649aa4996c9c55909c6c3580f43203a40b1
-
SHA512
818de822cfb48c302f40990407914d5408d261dbad23541b2c8a458917995cfd26768b142943bd552302157ad71d45c92707fa1107bbacc4db87c4dd50e24917
-
SSDEEP
98304:iXvfTET+HggtmXEo6S/FMiwCoDkPpx3O9iEYNLrX4qzclf3W34:iXvfHm/6S95e2pRVEYe8cp3V
Malware Config
Signatures
-
Hydra
Android banker and info stealer.
-
Makes use of the framework's Accessibility service (2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.vlvkbtii.uprlqjs
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.vlvkbtii.uprlqjs
-
Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | process
/data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/base.apk.classes1.zip | 4291 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/base.apk.classes1.zip | 4260 | com.vlvkbtii.uprlqjs
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
8 | ip-api.com
-
Reads information about phone network operator.
Processes
-
com.vlvkbtii.uprlqjs (PID 4260)
  - Makes use of the framework's Accessibility service
  - Loads dropped Dex/Jar
  child: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=& (PID 4291)
    - Loads dropped Dex/Jar
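As an added triage example (not part of this report or of the sandbox's own tooling), the Python below parses the dex2oat command line recorded for PID 4291 above and classifies it. The point it makes explicit: the --dex-file argument points into the app's own code_cache/secondary-dexes directory rather than the installed APK under /data/app, which is the runtime loading of dropped code that the "Loads dropped Dex/Jar" signature keys on, and the class loader context is "&", ART's encoding for a context it cannot describe, i.e. the dex was loaded through a custom class loader. The command line and the parent process name are copied verbatim from the report; the classification rules and the benign comparison path /data/app/com.example-1/base.apk are the example's own assumptions.

```python
import re

# Constructed input: the dex2oat command line recorded for PID 4291 in this
# report, copied verbatim. Nothing beyond what the report shows is assumed.
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/base.apk.classes1.zip "
    "--output-vdex-fd=44 --oat-fd=45 "
    "--oat-location=/data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Parent of the dex2oat call in the process tree (PID 4260).
PARENT_PROCESS = "com.vlvkbtii.uprlqjs"

# App-private data directories: /data/user/<n>/<pkg>/ or the /data/data/<pkg>/ alias
# (the Downloads section of the report uses the alias for the same file).
APP_DATA_RE = re.compile(r"^/data/(?:user/\d+|data)/(?P<pkg>[A-Za-z0-9_.]+)/(?P<rest>.+)$")


def parse_dex2oat(cmdline):
    """Split a dex2oat argv into --key=value options and the flags passed
    through --runtime-arg. dex2oat arguments never contain spaces, so a plain
    whitespace split is exact. Repeated options are kept in order; this line
    passes --instruction-set-features twice and the second value wins."""
    argv = cmdline.split()
    options = {}
    runtime_args = []
    it = iter(argv[1:])
    for arg in it:
        if arg == "--runtime-arg":
            runtime_args.append(next(it, ""))
        elif arg.startswith("--") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            options.setdefault(key, []).append(value)
        else:
            options.setdefault(arg.lstrip("-"), []).append("")
    return {"binary": argv[0], "options": options, "runtime_args": runtime_args}


def classify_dex_load(parsed, parent_process):
    """Decide whether this compilation is ordinary APK optimisation or the
    runtime loading of code dropped into app-private storage (the case here).
    The rules are this example's assumptions, not the sandbox's signature logic."""
    options = parsed["options"]
    dex_file = options.get("dex-file", [None])[-1]
    result = {"dex_file": dex_file, "package": None,
              "dynamic_code_loading": False, "findings": []}
    if not dex_file:
        result["findings"].append("no --dex-file argument")
        return result
    match = APP_DATA_RE.match(dex_file)
    if match:
        # Installed APK code lives under /data/app; anything compiled out of the
        # app's own data directory was written there after installation.
        result["package"] = match.group("pkg")
        result["dynamic_code_loading"] = True
        subdir = match.group("rest").split("/")[0]
        result["findings"].append(f"dex compiled from app-private storage: {subdir}/")
        if match.group("pkg") != parent_process:
            result["findings"].append(
                f"path package {match.group('pkg')} differs from process {parent_process}")
    if options.get("class-loader-context", [""])[-1] == "&":
        # '&' is ART's kUnsupportedClassLoaderContextEncoding: the loading class
        # loader chain is not one ART can describe, i.e. a custom class loader.
        result["findings"].append("unsupported class loader context ('&')")
    return result


if __name__ == "__main__":
    verdict = classify_dex_load(parse_dex2oat(DEX2OAT_CMDLINE), PARENT_PROCESS)
    for finding in verdict["findings"]:
        print(f"[{verdict['package']}] {finding}")
```

The same parser applied to a normal install-time compile (--dex-file under /data/app, a real class loader context) produces no findings, which is the check to keep in mind before treating every dex2oat child process as suspicious: dex2oat itself is benign, the input path and context are what matter.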
-
Downloads
-
/data/data/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/tmp-base.apk.classes446716333415934504.zip
Filesize 378KB
MD5 276b104783ea96b740ab3f28a09d80e2
SHA1 e9c4caa2dc7fdb9b488d52ab16232f9b1f86bc18
SHA256 f9957850fd997cc6bb3da0542da4886c304eefb9c5e87401317f739591f70840
SHA512 7b8e82ce5ebbf75e8c803ff06be67355d5de29708307951aa26742ea397a5dc51327c6261be9378b74f7da7c52f6b93ea36b5d5fa82648d4d8ceb666adc0af08
-
Filesize 902KB
MD5 7e8b652d40ac252fc7f2da2a1733261b
SHA1 4ed1585f038018ce5fb3b082bd2895fb57830be2
SHA256 fdd514bc2f3f4626ce78a3a4d957201ea7434c9069b6eafc2ebd1ae9df8d7582
SHA512 dc04904955f1e11fdbf7e9e9ed46597fda4289522d05665d7becf12b0333f8f0758b641aa45e58605d46f19e12623419ee71042547a23552cda5e7665393adbb
-
Filesize 902KB
MD5 52988cc4159fb4316b4a4d95358a9226
SHA1 73c73627aef4c02d7c8a623f11a3cb2d2b3715f2
SHA256 37b84f5c6fc4587849d7152868b15492ac133643df644dca638c58453a7af5e6
SHA512 f59a3cc74a547db4705738e06bd76feb7fd393a19e78977627d3de9ae58e3ed4e1ef9189c850d0ea8e2bc3dcb4538abe12c9dbe5bbc0442ea10cff0076673902