Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
  • submitted
    22-01-2024 04:36

General

  • Target

    6ebeb85ffe32db161606a7c53722b890.apk

  • Size

    3.0MB

  • MD5

    6ebeb85ffe32db161606a7c53722b890

  • SHA1

    dc93b4458efebbc4a15a330840f0c92359e4de95

  • SHA256

    5ce41f4ecbfa8fa2855689ec3cfc1015ccf17f00ad28fa3bd26b4b8c86c56ad9

  • SHA512

    6c89168da5662aef9e5753f802e16791668c1820971304b349f5560e829dfec272f13eb3726a4d0c0f339579b4ca006f1d4acc904513c71da69a0a4ecf7c2c69

  • SSDEEP

    49152:92UEyQygv2WCra6iKmRxdehYOE82PNSKpekboCtEQeiem9b5oZ9kw6PZzjC:92Qgv2WSa6ir8sSb6oCN5d7Pc

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.

Processes

  • com.bllgeqgp.qbyoikh
    1⤵
    • Makes use of the framework's Accessibility service
    • Loads dropped Dex/Jar
    PID:4265
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bllgeqgp.qbyoikh/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.bllgeqgp.qbyoikh/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4294

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.bllgeqgp.qbyoikh/code_cache/secondary-dexes/tmp-base.apk.classes5499267511848226158.zip

    Filesize

    378KB

    MD5

    80ccafc1f828a3fe8d9307a30c7a9756

    SHA1

    53e9082aa74d71b59f353345d7855239db39c094

    SHA256

    20fa911e7822db256785a610d273d057a15c68244948de63d181f657d4aee335

    SHA512

    dd26b5af1642a871420f924ae53040b440d7cee693b7539feef6b2ddad4f48c5c17b995c5a7b2a053ca4ed4a755b12e865bfe959957fe5285b8c81ba1e3d164e

  • /data/user/0/com.bllgeqgp.qbyoikh/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    c6e4e50a0836907b8b835ecb4c625afe

    SHA1

    db6ab5956d76ac93220caae4e6f2027388ff0f4e

    SHA256

    0a727212bbda63bf47d700cf121712e76da1a7815236c75036f2bb6eb7132eb9

    SHA512

    db4ef195acc872adbada9d01df8e47a25a0762f9ebb13e479e09e06a5de73d39c2a217b7c3ca477195506dfdea7ec2e4a5194a300280e7dcc05dac9794c1e7d8

  • /data/user/0/com.bllgeqgp.qbyoikh/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    17b7abdbdb0fec8364a877ac363163ef

    SHA1

    7f441912fa0c46de58a1dc8de4689c72704cbead

    SHA256

    7ee911539603a426a9c80a73c176e4bb4cf483a92b89c044e36c67bb83805f29

    SHA512

    84faaae771288b17e93c2aabac17493e0f5229b00e5634b9ae2468b06553a3f44ef071db9996162f469182be93d094b862eb57ce7e4d01be7e8e14ed416ebd2d