Analysis

  • max time kernel
    3715264s
  • max time network
    136s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
  • submitted
    06-01-2024 06:22

General

  • Target

    45830da853df876cc3e46716c7da738b.apk

  • Size

    3.2MB

  • MD5

    45830da853df876cc3e46716c7da738b

  • SHA1

    cfac92065b0d115504e008683ec792e8ddc54925

  • SHA256

    ae6f5521304808c1871efeb9168ad649aa4996c9c55909c6c3580f43203a40b1

  • SHA512

    818de822cfb48c302f40990407914d5408d261dbad23541b2c8a458917995cfd26768b142943bd552302157ad71d45c92707fa1107bbacc4db87c4dd50e24917

  • SSDEEP

    98304:iXvfTET+HggtmXEo6S/FMiwCoDkPpx3O9iEYNLrX4qzclf3W34:iXvfHm/6S95e2pRVEYe8cp3V

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.
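A way to confirm the Accessibility signature statically, as an added example that is not part of this report or of the sandbox's own tooling. The system can only bind a service as an accessibility service if the APK's manifest declares it with BIND_ACCESSIBILITY_SERVICE (or filters the accessibility bind action), and that holds even when the service class itself lives in a DEX dropped at runtime, so the declaration survives packing. Real APK manifests are binary-encoded and need decoding first (for example with apktool); the manifest and the accessibility-service config below are constructed placeholders, and the package, service and resource names in them are assumptions.

```python
"""Static check for the "Makes use of the framework's Accessibility service"
signature: list services in a decoded AndroidManifest.xml that the system can
bind as accessibility services, and summarise the capabilities declared in the
accessibility-service config resource.  Added example for this report, not
sandbox code; the XML below is constructed, not taken from the sample."""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed manifest: package and service names are placeholders.
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <application android:label="Placeholder">
    <service android:name=".MainService" android:exported="false"/>
    <service android:name=".WatcherService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice"
                 android:resource="@xml/a11y_config"/>
    </service>
  </application>
</manifest>
"""

# Constructed res/xml/a11y_config.xml for the service above.
A11Y_CONFIG_XML = """<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeAllMask"
    android:accessibilityFeedbackType="feedbackGeneric"
    android:canRetrieveWindowContent="true"
    android:canPerformGestures="true"
    android:accessibilityFlags="flagReportViewIds|flagRetrieveInteractiveWindows"/>
"""


def _a(elem: ET.Element, name: str) -> str:
    """Read an android:-namespaced attribute, or '' if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), "")


def find_accessibility_services(manifest_xml: str) -> List[Dict[str, object]]:
    """Return every <service> the system could bind as an accessibility service:
    one that declares BIND_ACCESSIBILITY_SERVICE or filters the bind action."""
    root = ET.fromstring(manifest_xml)
    found: List[Dict[str, object]] = []
    for svc in root.iter("service"):
        actions = {_a(act, "name") for act in svc.iter("action")}
        perm_ok = _a(svc, "permission") == BIND_PERM
        action_ok = A11Y_ACTION in actions
        if perm_ok or action_ok:
            meta = {_a(m, "name"): _a(m, "resource") for m in svc.iter("meta-data")}
            found.append({
                "name": _a(svc, "name"),
                "permission_declared": perm_ok,
                "action_filtered": action_ok,
                # Resource holding the <accessibility-service> capabilities.
                "config_resource": meta.get("android.accessibilityservice", ""),
            })
    return found


def accessibility_capabilities(config_xml: str) -> Dict[str, object]:
    """Summarise what an <accessibility-service> config lets the service do.
    canRetrieveWindowContent is what allows reading text shown on screen."""
    root = ET.fromstring(config_xml)
    flags = [f for f in _a(root, "accessibilityFlags").split("|") if f]
    return {
        "retrieves_window_content": _a(root, "canRetrieveWindowContent") == "true",
        "performs_gestures": _a(root, "canPerformGestures") == "true",
        "event_types": _a(root, "accessibilityEventTypes"),
        "flags": flags,
    }


if __name__ == "__main__":
    for svc in find_accessibility_services(MANIFEST_XML):
        print("accessibility service:", svc)
    print("capabilities:", accessibility_capabilities(A11Y_CONFIG_XML))
```

A service declared with the bind permission but no config resource is still worth flagging: the capabilities can be set on the AccessibilityServiceInfo at runtime, so the absence of a config file does not mean the service is harmless.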

Processes

  • com.vlvkbtii.uprlqjs
    1⤵
    • Makes use of the framework's Accessibility service
    • Loads dropped Dex/Jar
    PID:4260
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4291
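The dex2oat line above is how the "Loads dropped Dex/Jar" behaviour shows up in the process tree: the runtime is asked to compile a DEX that sits in the app's own writable code_cache directory rather than in the installed APK under /data/app. The following triage helper is an added example, not part of this report or of the sandbox's tooling. It parses that command line, decides whether the DEX came from app-private storage, and cross-references it with the dropped-file records from the Downloads section. The command line and the records are copied from this page with the truncated trailing argument omitted; the helper names and the /data/app heuristic are this example's own.

```python
"""Triage helper for the "Loads dropped Dex/Jar" behaviour in the process tree:
parse the dex2oat command line, flag a DEX compiled out of app-private storage,
and cross-reference it with the dropped-file records.  Added example for this
report, not sandbox code."""
import re
import shlex
from typing import Dict, List, Sequence, Tuple

# Constructed input: the dex2oat invocation from the process tree above, with
# the truncated "--class-loader-context=&" argument left out.
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art "
    "--dex-file=/data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/base.apk.classes1.zip "
    "--output-vdex-fd=44 --oat-fd=45 "
    "--oat-location=/data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex "
    "--compiler-filter=quicken"
)

# Constructed input: dropped-file records from the Downloads section as
# (path, size, sha256).  The same path appears twice with different hashes,
# so the records are a list, not a dict keyed by path.
DROPPED_FILES: List[Tuple[str, str, str]] = [
    ("/data/data/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/tmp-base.apk.classes446716333415934504.zip",
     "378KB", "f9957850fd997cc6bb3da0542da4886c304eefb9c5e87401317f739591f70840"),
    ("/data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/base.apk.classes1.zip",
     "902KB", "fdd514bc2f3f4626ce78a3a4d957201ea7434c9069b6eafc2ebd1ae9df8d7582"),
    ("/data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/base.apk.classes1.zip",
     "902KB", "37b84f5c6fc4587849d7152868b15492ac133643df644dca638c58453a7af5e6"),
]

# /data/data/<pkg>/ and /data/user/<n>/<pkg>/ are the app's private directory;
# installed code lives under /data/app/ and is not writable by the app itself.
APP_PRIVATE = re.compile(r"^/data/(?:data|user/\d+)/(?P<pkg>[A-Za-z0-9_.]+)/")


def parse_dex2oat(cmdline: str) -> Dict[str, str]:
    """Return the --key=value options of a dex2oat invocation as a dict.
    Bare tokens such as the value after --runtime-arg are ignored."""
    opts: Dict[str, str] = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts[key] = value
    return opts


def normalise(path: str) -> str:
    """Map /data/data/<pkg>/... onto /data/user/0/<pkg>/... so that the two
    spellings of the same private directory compare equal."""
    return re.sub(r"^/data/data/", "/data/user/0/", path)


def triage(cmdline: str, dropped: Sequence[Tuple[str, str, str]]) -> Dict[str, object]:
    """Classify the DEX a dex2oat invocation compiles and tie it to drop records."""
    opts = parse_dex2oat(cmdline)
    dex = opts.get("dex-file", "")
    m = APP_PRIVATE.match(dex)
    pkg = m.group("pkg") if m else None
    same_pkg = set()
    for path, _size, _sha in dropped:
        pm = APP_PRIVATE.match(path)
        if pkg and pm and pm.group("pkg") == pkg:
            same_pkg.add(normalise(path))
    return {
        "dex_file": dex,
        "package": pkg,
        "compiler_filter": opts.get("compiler-filter"),
        # True when the DEX was compiled from a directory the app can write to.
        "from_app_private_storage": m is not None,
        # Every hash recorded for exactly this path (a rewritten file yields several).
        "matching_drops": [sha for path, _, sha in dropped if normalise(path) == normalise(dex)],
        "related_drops": sorted(same_pkg),
    }


if __name__ == "__main__":
    for key, value in triage(DEX2OAT_CMDLINE, DROPPED_FILES).items():
        print(f"{key}: {value}")
```

Two caveats when reading the result. First, base.apk.classes1.zip carries two different SHA256 values in the drop records, so the file was written twice during the run and both hashes are indicators. Second, the code_cache/secondary-dexes/base.apk.classesN.zip layout copies the naming used by the legacy MultiDex support library, but that library only extracts on runtimes without native multidex support and is a no-op on Android 5 and later, so on the Android 9 image used here a populated secondary-dexes directory is not ordinary multidex behaviour.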

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/tmp-base.apk.classes446716333415934504.zip

    Filesize

    378KB

    MD5

    276b104783ea96b740ab3f28a09d80e2

    SHA1

    e9c4caa2dc7fdb9b488d52ab16232f9b1f86bc18

    SHA256

    f9957850fd997cc6bb3da0542da4886c304eefb9c5e87401317f739591f70840

    SHA512

    7b8e82ce5ebbf75e8c803ff06be67355d5de29708307951aa26742ea397a5dc51327c6261be9378b74f7da7c52f6b93ea36b5d5fa82648d4d8ceb666adc0af08

  • /data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    7e8b652d40ac252fc7f2da2a1733261b

    SHA1

    4ed1585f038018ce5fb3b082bd2895fb57830be2

    SHA256

    fdd514bc2f3f4626ce78a3a4d957201ea7434c9069b6eafc2ebd1ae9df8d7582

    SHA512

    dc04904955f1e11fdbf7e9e9ed46597fda4289522d05665d7becf12b0333f8f0758b641aa45e58605d46f19e12623419ee71042547a23552cda5e7665393adbb

  • /data/user/0/com.vlvkbtii.uprlqjs/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    52988cc4159fb4316b4a4d95358a9226

    SHA1

    73c73627aef4c02d7c8a623f11a3cb2d2b3715f2

    SHA256

    37b84f5c6fc4587849d7152868b15492ac133643df644dca638c58453a7af5e6

    SHA512

    f59a3cc74a547db4705738e06bd76feb7fd393a19e78977627d3de9ae58e3ed4e1ef9189c850d0ea8e2bc3dcb4538abe12c9dbe5bbc0442ea10cff0076673902