Analysis
Max time kernel: 12s
Max time network: 132s
Platform: android_x86
Resource: android-x86-arm-20231215-en
Resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
Submitted: 24-01-2024 07:47
Static task: static1
Behavioral task: behavioral1
  Sample: 71abf35b94b0ab18fe5981a0e926810b.apk
  Resource: android-x86-arm-20231215-en
Behavioral task: behavioral2
  Sample: 71abf35b94b0ab18fe5981a0e926810b.apk
  Resource: android-x64-20231215-en
Behavioral task: behavioral3
  Sample: 71abf35b94b0ab18fe5981a0e926810b.apk
  Resource: android-x64-arm64-20231215-en
General
Target: 71abf35b94b0ab18fe5981a0e926810b.apk
Size: 2.3MB
MD5: 71abf35b94b0ab18fe5981a0e926810b
SHA1: a835759b647fea1b80762b1f3c5dcd1e99845881
SHA256: c67d0e91ad9b661f5a8b3a07ec5bc46d634c88e0bfe06a908f92a39fac7b1ad4
SHA512: 7a73a2ceaa1319422bfc8de8efb1e2f4eaa047ddc4fe925f1ee471bd05732224e0131faf657b7d321f64342b2b6932414d9ddfa3ea43ea1b4a6bec8984e62c94
SSDEEP: 49152:Bm6+ezp5FbkfrGRhlXA/yU69dWEvPcXhpV1x3QY:9+ezDFCGhlA/169dv3cXpQY
Malware Config
Signatures
- Hydra
  Android banker and info stealer.
- Makes use of the framework's Accessibility service (1 IoC)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Description: Framework service call
  IoC: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Process: com.biepghmse.limanqzfsfr
  PID: 4227, process com.biepghmse.limanqzfsfr
- Loads dropped Dex/Jar (2 IoCs)
  Runs executable file dropped to the device during analysis.
  IoC: /data/user/0/com.biepghmse.limanqzfsfr/app_offline/oighindvf.jar
  PID: 4284
  Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.biepghmse.limanqzfsfr/app_offline/oighindvf.jar --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.biepghmse.limanqzfsfr/app_offline/oat/x86/oighindvf.odex --compiler-filter=quicken --class-loader-context=&
  IoC: /data/user/0/com.biepghmse.limanqzfsfr/app_offline/oighindvf.jar
  PID: 4227
  Process: com.biepghmse.limanqzfsfr
- Requests enabling of the accessibility settings. (1 IoC)
  Description: Intent action
  IoC: android.settings.ACCESSIBILITY_SETTINGS
  Process: com.biepghmse.limanqzfsfr
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow: 4
  IoC: ip-api.com
Processes
com.biepghmse.limanqzfsfr (PID 4227)
  - Makes use of the framework's Accessibility service
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Requests enabling of the accessibility settings.
  Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.biepghmse.limanqzfsfr/app_offline/oighindvf.jar --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.biepghmse.limanqzfsfr/app_offline/oat/x86/oighindvf.odex --compiler-filter=quicken --class-loader-context=& (PID 4284)
    - Loads dropped Dex/Jar
Downloads