Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
  • submitted
    05-02-2024 16:29

General

  • Target

    9277a80e4e55c8d79db6f99406c792ec.apk

  • Size

    3.2MB

  • MD5

    9277a80e4e55c8d79db6f99406c792ec

  • SHA1

    728b32ec63f091909af9cc7c666f651767fa31ad

  • SHA256

    c4844236e849260e5bd9d1a1d548c11667bc9f7c8c645c0a36180287a4fd48a7

  • SHA512

    3b35896052c6b99c64915617c11c87fbda2c73220dfd6f54beae2432189873182a3b5a32df57e42946cd82da9124541ca515b2fd5eabc3f43e428dfbe22cf307

  • SSDEEP

    98304:v9lDx+hV/NkiLjTzUV1yLrXHWeVr7inm43W3w:v9xxFiLjTwc/B+nj3d

Signatures

  • Hydra

    Android banker and info stealer.

  • Makes use of the framework's Accessibility service (2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Loads dropped Dex/Jar (2 IoCs)

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator.

Processes

  • com.tdqjgkem.crspygc
    1⤵
    • Makes use of the framework's Accessibility service
    • Loads dropped Dex/Jar
    PID:4256
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tdqjgkem.crspygc/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.tdqjgkem.crspygc/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4286
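The dex2oat child above is what the "Loads dropped Dex/Jar" verdict hangs on: the system compiler is being invoked on a DEX archive sitting in the app's own code_cache rather than on the installed APK under /data/app. The following Python is an added triage example, not code from the sandbox or from the sample. It parses that command line, applies a heuristic of my own (input DEX under /data/user/<n>/<pkg>/ means the app wrote it at runtime), normalises the /data/data and /data/user/0 spellings that both appear in this report (the former is a symlink to the latter on Android), and links the compiled DEX back to the dropped-file hashes listed under Downloads. The sample command line and hash list are copied from this page; the trailing `&` is where the report truncates the value.

```python
"""Triage helpers for a sandbox process tree plus dropped-file list.

Added example, not sandbox code. The heuristic below is mine, not the
sandbox's published signature logic.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample: the dex2oat command line from the process tree above,
# split across string literals for readability. The final '&' is where the
# report truncates --class-loader-context.
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/user/0/com.tdqjgkem.crspygc/code_cache/secondary-dexes/base.apk.classes1.zip "
    "--output-vdex-fd=44 --oat-fd=45 "
    "--oat-location=/data/user/0/com.tdqjgkem.crspygc/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Constructed sample: (path, sha256) pairs from the Downloads list of this report.
DROPPED_FILES = [
    ("/data/data/com.tdqjgkem.crspygc/code_cache/secondary-dexes/tmp-base.apk.classes8693074792375418623.zip",
     "36d7f5217ec382425f4049df1d738f62c960942840fbbd88ce671a8f63e0d15c"),
    ("/data/user/0/com.tdqjgkem.crspygc/code_cache/secondary-dexes/base.apk.classes1.zip",
     "f2317c2879e17066d5015a175e6e90fdc5f351bd1a0b56a3410b63271c0efb65"),
    ("/data/user/0/com.tdqjgkem.crspygc/code_cache/secondary-dexes/base.apk.classes1.zip",
     "85d76a884f6187d35f7dbbd202cbd98b82dc2de0cd243fbea3d423c85912ab22"),
]

_DATA_DATA = re.compile(r"^/data/data/")
_APP_PRIVATE = re.compile(r"^/data/user/\d+/(?P<pkg>[A-Za-z0-9_.]+)/")


def normalize_app_path(path):
    """Rewrite /data/data/<pkg>/... as /data/user/0/<pkg>/...

    On Android /data/data is a symlink to /data/user/0, so the two spellings
    used in the report refer to the same files.
    """
    return _DATA_DATA.sub("/data/user/0/", path)


def parse_dex2oat(cmdline):
    """Return the --key=value options of a dex2oat invocation as a dict.

    Tokens without '=' (--runtime-arg and its -X values) go under 'runtime'.
    """
    tokens = shlex.split(cmdline)
    opts = {"argv0": tokens[0], "runtime": []}
    for tok in tokens[1:]:
        if tok.startswith("--") and "=" in tok:
            key, _, value = tok[2:].partition("=")
            opts[key] = value
        else:
            opts["runtime"].append(tok)
    return opts


def dropped_dex_verdict(cmdline):
    """Flag a dex2oat run whose input DEX lives in app-private storage.

    Heuristic (mine): an installed APK is compiled from /data/app/... or a
    system partition; a DEX under /data/user/<n>/<pkg>/ was written by the
    app itself at runtime. Returns None when the rule does not fire.
    """
    opts = parse_dex2oat(cmdline)
    if not opts["argv0"].endswith("/dex2oat"):
        return None
    dex = normalize_app_path(opts.get("dex-file", ""))
    m = _APP_PRIVATE.match(dex)
    if not m:
        return None
    return {
        "package": m.group("pkg"),
        "dex_file": dex,
        "oat_location": normalize_app_path(opts.get("oat-location", "")),
        "compiler_filter": opts.get("compiler-filter"),
        # Same directory layout the legacy MultiDex support library uses,
        # so this alone does not prove the payload was decrypted or fetched.
        "secondary_dex_layout": "/code_cache/secondary-dexes/" in dex,
    }


def link_to_dropped(verdict, dropped):
    """SHA256 of every dropped file written at the path dex2oat compiled."""
    by_path = defaultdict(list)
    for path, sha256 in dropped:
        by_path[normalize_app_path(path)].append(sha256)
    return by_path.get(verdict["dex_file"], [])


def rewritten_paths(dropped):
    """Paths that were written more than once with different contents."""
    by_path = defaultdict(set)
    for path, sha256 in dropped:
        by_path[normalize_app_path(path)].add(sha256)
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}


if __name__ == "__main__":
    v = dropped_dex_verdict(DEX2OAT_CMDLINE)
    print("verdict:", v)
    print("dropped hashes at that path:", link_to_dropped(v, DROPPED_FILES))
    print("paths rewritten with different content:", rewritten_paths(DROPPED_FILES))
```

Two things the output makes visible that the raw report does not. First, `base.apk.classes1.zip` appears twice under Downloads with different SHA256s, so the file was written at least twice with different contents during the run; both copies are worth pulling, since only one of them is the archive dex2oat actually compiled. Second, the `code_cache/secondary-dexes/<apk>.classesN.zip` naming is the layout the legacy MultiDex support library uses, so a secondary-dex load by itself is not evidence of malice; here it is the combination with the Hydra family match, the Accessibility-service abuse and the external-IP lookup that carries the verdict.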

Downloads

  • /data/data/com.tdqjgkem.crspygc/code_cache/secondary-dexes/tmp-base.apk.classes8693074792375418623.zip

    Filesize

    378KB

    MD5

    b9660c0a8fe8598ec0beca55830b627a

    SHA1

    c1ee81c75b6a6a06052fe78bd0c02d9d7a4dd244

    SHA256

    36d7f5217ec382425f4049df1d738f62c960942840fbbd88ce671a8f63e0d15c

    SHA512

    16bcf33a1265f6dc0033f9592173964b50b61f98cb898ab9fc781cc42694df34c47c15128053ec8684a3dd3a170af399ddb9147ecbdcdfdcfdc2e7b1829f1890

  • /data/user/0/com.tdqjgkem.crspygc/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    4984424d536e4493c502471ea17b5cfb

    SHA1

    65a107f383e40132866ef55aff78afe6c74b990c

    SHA256

    f2317c2879e17066d5015a175e6e90fdc5f351bd1a0b56a3410b63271c0efb65

    SHA512

    8bd01edf7a79d4cb5a3504ce751be38c87ea5c89999b8d858ed137036f159fef558c6e77735fba497fee90db3e291299ea0c1b374218f1b4697aa02ad7846b3a

  • /data/user/0/com.tdqjgkem.crspygc/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    e762c5069fa471eace44ace7cc5c0262

    SHA1

    52c194a4cd957ce42514dc8cc9877d215402f9ff

    SHA256

    85d76a884f6187d35f7dbbd202cbd98b82dc2de0cd243fbea3d423c85912ab22

    SHA512

    792ca62836fa6d7d26b3da26ba6dea65e5aa8f9f7dfec75d676ab6b8a8ed9766048059612417dbe9f9b9d3ce45d397a0aac079d44c1f842328183743c444cb71