Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
  • submitted
    02/02/2024, 21:14 UTC

General

  • Target

    8a8c858f34f3b62bcafb61154743131f.apk

  • Size

    3.1MB

  • MD5

    8a8c858f34f3b62bcafb61154743131f

  • SHA1

    16676b0251e8994c407102226163423e57c57e72

  • SHA256

    e30a471eb9b435c0bd1c0cd077b3ff78f114bd77cfe922f061b09d6a2ab34ff5

  • SHA512

    3d8e441c7293f60266aeefadb1041d479bdd892567bbf520564cc1be3c0c1d1f0458b5fdd5884674ce722d90fb352c0693bf5d8526a4411065d16f3dec2a2b57

  • SSDEEP

    98304:EajRZA0Z9v7MfyuPtK1C653DKJn7TVMwsCMe0zK:EajR/QquFKo+DM7TVMYMJzK

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.

Processes

  • com.yekogrzb.jcbdtni
    1⤵
    • Makes use of the framework's Accessibility service
    • Loads dropped Dex/Jar
    PID:4265
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yekogrzb.jcbdtni/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.yekogrzb.jcbdtni/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4293

Network

  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.213.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
  • flag-us
    DNS
    gist.githubusercontent.com
    Remote address:
    1.1.1.1:53
    Request
    gist.githubusercontent.com
    IN A
    Response
    gist.githubusercontent.com
    IN A
    185.199.111.133
    gist.githubusercontent.com
    IN A
    185.199.109.133
    gist.githubusercontent.com
    IN A
    185.199.110.133
    gist.githubusercontent.com
    IN A
    185.199.108.133
  • flag-us
    GET
    https://gist.githubusercontent.com/raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json
    Remote address:
    185.199.111.133:443
    Request
    GET /raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json HTTP/1.1
    Authorization: dc27634c4313b2a7
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: gist.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: D9E4:0E8C:3792125:39B21BE:65BD5B41
    Accept-Ranges: bytes
    Date: Fri, 02 Feb 2024 21:14:42 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lhr7335-LHR
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1706908483.667725,VS0,VE140
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 0db5c57fe09386a9153e046ba877df0604bfd360
    Expires: Fri, 02 Feb 2024 21:19:42 GMT
    Source-Age: 0
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Authorization: dc27634c4313b2a7
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Fri, 02 Feb 2024 21:14:51 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 313
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.204.78
  • 185.199.111.133:443
    https://gist.githubusercontent.com/raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json
    tls, http
    1.2kB
    5.5kB
    10
    9

    HTTP Request

    GET https://gist.githubusercontent.com/raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json

    HTTP Response

    404
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    451 B
    662 B
    5
    4

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200
  • 216.58.201.110:443
    tls, https
    858 B
    40 B
    1
    1
  • 216.58.204.78:443
    android.apis.google.com
    tls
    4.7kB
    8.8kB
    14
    23
  • 142.250.180.10:443
    semanticlocation-pa.googleapis.com
    tls, https
    1.2kB
    40 B
    1
    1
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    288 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    142.250.200.42
    142.250.200.10
    142.250.180.10
    142.250.187.202
    172.217.16.234
    216.58.213.10
    172.217.169.10
    216.58.212.234
    142.250.178.10
    142.250.187.234
    216.58.201.106
    216.58.204.74
    142.250.179.234

  • 1.1.1.1:53
    gist.githubusercontent.com
    dns
    72 B
    136 B
    1
    1

    DNS Request

    gist.githubusercontent.com

    DNS Response

    185.199.111.133
    185.199.109.133
    185.199.110.133
    185.199.108.133

  • 1.1.1.1:53
    ip-api.com
    dns
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.204.78

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.yekogrzb.jcbdtni/code_cache/secondary-dexes/tmp-base.apk.classes6165970758493062169.zip

    Filesize

    378KB

    MD5

    859767cb841faad1c6b5dda6f946f0b7

    SHA1

    858e66dada02a8f805cb65243e31d54c1e9ee090

    SHA256

    7049bcbb1c15c3f07bfdd4cc3d8e65ba57f3ac01e8f885f0804490602ebc3e02

    SHA512

    2aa16409859a6a936cc55adebe88c62649e99617300aa274db68d0b36dc0609b3892c82b045938ad7e97a2d5988f6a8eaf0968825e33d7c5e8ff2e76b665e916

  • /data/user/0/com.yekogrzb.jcbdtni/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    709c356f6484e72a1d9bfd9c12830346

    SHA1

    ea9785be5934e4721a1887a46bb520ff3c4e3f5f

    SHA256

    8811063c68d5bd7df6ce03eb5fdf1a93c84f4da43a2efe30332105ea6895b52c

    SHA512

    ef833252cdcd1689ec4f6ca3f857791d0b4512bfd3359ffbee2b32b2fba786df010c56350a36dbd1df45f936cb5a9ccc8e27f39f166271d92e76f48931fcf6ce

  • /data/user/0/com.yekogrzb.jcbdtni/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    25afe4640e72b0ff5d6ceaa273b5bae8

    SHA1

    2a79fc64efabfeab1194d53eaa3f41bfa4e6e366

    SHA256

    3083a292cda7dd3ef5ccaadef4980f63cb233cc6e6791c5ae7b14fbe3aa4daaf

    SHA512

    527445006e2bb22dca2104b8f1374d8f20ebcde76735f952fc85ac90a45039e2c3865b37513f4f5364b7d43aa10623c096f76052e0653a2caee54b00e610318e
