Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
  • submitted
    02-02-2024 21:14

General

  • Target

    8a8c858f34f3b62bcafb61154743131f.apk

  • Size

    3.1MB

  • MD5

    8a8c858f34f3b62bcafb61154743131f

  • SHA1

    16676b0251e8994c407102226163423e57c57e72

  • SHA256

    e30a471eb9b435c0bd1c0cd077b3ff78f114bd77cfe922f061b09d6a2ab34ff5

  • SHA512

    3d8e441c7293f60266aeefadb1041d479bdd892567bbf520564cc1be3c0c1d1f0458b5fdd5884674ce722d90fb352c0693bf5d8526a4411065d16f3dec2a2b57

  • SSDEEP

    98304:EajRZA0Z9v7MfyuPtK1C653DKJn7TVMwsCMe0zK:EajR/QquFKo+DM7TVMYMJzK

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.

Processes

  • com.yekogrzb.jcbdtni
    1⤵
    • Makes use of the framework's Accessibility service
    • Loads dropped Dex/Jar
    PID:4265
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yekogrzb.jcbdtni/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.yekogrzb.jcbdtni/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4293

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.yekogrzb.jcbdtni/code_cache/secondary-dexes/tmp-base.apk.classes6165970758493062169.zip

    Filesize

    378KB

    MD5

    859767cb841faad1c6b5dda6f946f0b7

    SHA1

    858e66dada02a8f805cb65243e31d54c1e9ee090

    SHA256

    7049bcbb1c15c3f07bfdd4cc3d8e65ba57f3ac01e8f885f0804490602ebc3e02

    SHA512

    2aa16409859a6a936cc55adebe88c62649e99617300aa274db68d0b36dc0609b3892c82b045938ad7e97a2d5988f6a8eaf0968825e33d7c5e8ff2e76b665e916

  • /data/user/0/com.yekogrzb.jcbdtni/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    709c356f6484e72a1d9bfd9c12830346

    SHA1

    ea9785be5934e4721a1887a46bb520ff3c4e3f5f

    SHA256

    8811063c68d5bd7df6ce03eb5fdf1a93c84f4da43a2efe30332105ea6895b52c

    SHA512

    ef833252cdcd1689ec4f6ca3f857791d0b4512bfd3359ffbee2b32b2fba786df010c56350a36dbd1df45f936cb5a9ccc8e27f39f166271d92e76f48931fcf6ce

  • /data/user/0/com.yekogrzb.jcbdtni/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    25afe4640e72b0ff5d6ceaa273b5bae8

    SHA1

    2a79fc64efabfeab1194d53eaa3f41bfa4e6e366

    SHA256

    3083a292cda7dd3ef5ccaadef4980f63cb233cc6e6791c5ae7b14fbe3aa4daaf

    SHA512

    527445006e2bb22dca2104b8f1374d8f20ebcde76735f952fc85ac90a45039e2c3865b37513f4f5364b7d43aa10623c096f76052e0653a2caee54b00e610318e