Analysis

  • max time kernel
    12s
  • max time network
    132s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
  • submitted
    24-01-2024 07:47

General

  • Target

    71abf35b94b0ab18fe5981a0e926810b.apk

  • Size

    2.3MB

  • MD5

    71abf35b94b0ab18fe5981a0e926810b

  • SHA1

    a835759b647fea1b80762b1f3c5dcd1e99845881

  • SHA256

    c67d0e91ad9b661f5a8b3a07ec5bc46d634c88e0bfe06a908f92a39fac7b1ad4

  • SHA512

    7a73a2ceaa1319422bfc8de8efb1e2f4eaa047ddc4fe925f1ee471bd05732224e0131faf657b7d321f64342b2b6932414d9ddfa3ea43ea1b4a6bec8984e62c94

  • SSDEEP

    49152:Bm6+ezp5FbkfrGRhlXA/yU69dWEvPcXhpV1x3QY:9+ezDFCGhlA/169dv3cXpQY

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Makes use of the framework's Accessibility service (1 IoC)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher (1 IoC)
  • Loads dropped Dex/Jar (2 IoCs)

    Runs executable file dropped to the device during analysis.

  • Requests enabling of the accessibility settings (1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

Processes

  • com.biepghmse.limanqzfsfr
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests enabling of the accessibility settings.
    PID:4227
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.biepghmse.limanqzfsfr/app_offline/oighindvf.jar --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.biepghmse.limanqzfsfr/app_offline/oat/x86/oighindvf.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4284

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.biepghmse.limanqzfsfr/app_offline/oighindvf.jar

    Filesize

    252KB

    MD5

    f14d4be08bf720c3fc50a6e7f0f47a5d

    SHA1

    72b63780d2e13a5eff514ae2959d67fcf9b51add

    SHA256

    954a4c0d40866574fede510660b251dbac922a8c90a222e3be3e441cca9b3ce0

    SHA512

    bf6597e0a13c86cc783076fd1621b2ad3fc8fa39dfb82d902e45f3abba9e29c50853e43772ddd7a07f50a6e1f05a8023591f33343d081af25fce67f3358f6b89

  • /data/user/0/com.biepghmse.limanqzfsfr/app_offline/oighindvf.jar

    Filesize

    568KB

    MD5

    ffa7f9ac0f0eeae4d3590f357327e02a

    SHA1

    8a0dd170bf799f318f4c3e433874e657399e33a0

    SHA256

    2157e87e362726c703bf33b151bbbb5f8aba1a01837f16d3a37f8323dec9b123

    SHA512

    f073cc6e1b2d43da36238e78bc8dd318fd4d0b26c52b55919144613b6daa7fa3b6723aa70a0418e2cda759c85395b7920e501ac0ec1163f5ec39a4a39d41c3d1

  • /data/user/0/com.biepghmse.limanqzfsfr/app_offline/oighindvf.jar

    Filesize

    568KB

    MD5

    6da8b1032f37ed8e7686d912a1128431

    SHA1

    1f9124e082aed0acac28187ac6bd392a3ca67d29

    SHA256

    367a700bcf4a864e4bb1c287546f37eaa84c383902272a0d037f9c0d90f75aa3

    SHA512

    4bdccdcd47ef34029f65a11435101be0774ebb015f277db23fdb4b89cecaa1ed4aa286ff3f220a2d7bd9ef855c8e52e31c595f5022fce4ed3cb5820ca635bbc1