Analysis
-
max time kernel
149s -
max time network
138s -
platform
android_x86 -
resource
android-x86-arm-20231215-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system -
submitted
05-02-2024 16:29
Static task
static1
Behavioral task
behavioral1
Sample
9277a80e4e55c8d79db6f99406c792ec.apk
Resource
android-x86-arm-20231215-en
Behavioral task
behavioral2
Sample
9277a80e4e55c8d79db6f99406c792ec.apk
Resource
android-x64-20231215-en
Behavioral task
behavioral3
Sample
9277a80e4e55c8d79db6f99406c792ec.apk
Resource
android-x64-arm64-20231215-en
Behavioral task
behavioral4
Sample
vk_dex.apk
Resource
android-x86-arm-20231215-en
Behavioral task
behavioral5
Sample
vk_dex.apk
Resource
android-x64-20231215-en
Behavioral task
behavioral6
Sample
vk_dex.apk
Resource
android-x64-arm64-20231215-en
General
-
Target
9277a80e4e55c8d79db6f99406c792ec.apk
-
Size
3.2MB
-
MD5
9277a80e4e55c8d79db6f99406c792ec
-
SHA1
728b32ec63f091909af9cc7c666f651767fa31ad
-
SHA256
c4844236e849260e5bd9d1a1d548c11667bc9f7c8c645c0a36180287a4fd48a7
-
SHA512
3b35896052c6b99c64915617c11c87fbda2c73220dfd6f54beae2432189873182a3b5a32df57e42946cd82da9124541ca515b2fd5eabc3f43e428dfbe22cf307
-
SSDEEP
98304:v9lDx+hV/NkiLjTzUV1yLrXHWeVr7inm43W3w:v9xxFiLjTwc/B+nj3d
Malware Config
Signatures
-
Hydra
Android banker and info stealer.
-
Makes use of the framework's Accessibility service 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.tdqjgkem.crspygc Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.tdqjgkem.crspygc -
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.tdqjgkem.crspygc/code_cache/secondary-dexes/base.apk.classes1.zip 4286 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tdqjgkem.crspygc/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.tdqjgkem.crspygc/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.tdqjgkem.crspygc/code_cache/secondary-dexes/base.apk.classes1.zip 4256 com.tdqjgkem.crspygc -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 ip-api.com -
Reads information about phone network operator.
Processes
-
com.tdqjgkem.crspygc1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4256 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tdqjgkem.crspygc/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.tdqjgkem.crspygc/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4286
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.tdqjgkem.crspygc/code_cache/secondary-dexes/tmp-base.apk.classes8693074792375418623.zip
Filesize378KB
MD5b9660c0a8fe8598ec0beca55830b627a
SHA1c1ee81c75b6a6a06052fe78bd0c02d9d7a4dd244
SHA25636d7f5217ec382425f4049df1d738f62c960942840fbbd88ce671a8f63e0d15c
SHA51216bcf33a1265f6dc0033f9592173964b50b61f98cb898ab9fc781cc42694df34c47c15128053ec8684a3dd3a170af399ddb9147ecbdcdfdcfdc2e7b1829f1890
-
Filesize
902KB
MD54984424d536e4493c502471ea17b5cfb
SHA165a107f383e40132866ef55aff78afe6c74b990c
SHA256f2317c2879e17066d5015a175e6e90fdc5f351bd1a0b56a3410b63271c0efb65
SHA5128bd01edf7a79d4cb5a3504ce751be38c87ea5c89999b8d858ed137036f159fef558c6e77735fba497fee90db3e291299ea0c1b374218f1b4697aa02ad7846b3a
-
Filesize
902KB
MD5e762c5069fa471eace44ace7cc5c0262
SHA152c194a4cd957ce42514dc8cc9877d215402f9ff
SHA25685d76a884f6187d35f7dbbd202cbd98b82dc2de0cd243fbea3d423c85912ab22
SHA512792ca62836fa6d7d26b3da26ba6dea65e5aa8f9f7dfec75d676ab6b8a8ed9766048059612417dbe9f9b9d3ce45d397a0aac079d44c1f842328183743c444cb71