Analysis
max time kernel: 149s
max time network: 131s
platform: android_x86
resource: android-x86-arm-20240221-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
submitted: 28-02-2024 14:11
Static task: static1

Behavioral task: behavioral1
Sample: ac12c8d7db96fb5897954a28c6ab924f.apk
Resource: android-x86-arm-20240221-en

Behavioral task: behavioral2
Sample: ac12c8d7db96fb5897954a28c6ab924f.apk
Resource: android-x64-20240221-en

Behavioral task: behavioral3
Sample: ac12c8d7db96fb5897954a28c6ab924f.apk
Resource: android-x64-arm64-20240221-en
General
Target: ac12c8d7db96fb5897954a28c6ab924f.apk
Size: 3.3MB
MD5: ac12c8d7db96fb5897954a28c6ab924f
SHA1: 58707de8e58730efff71d4dd63cce16f01973966
SHA256: fb14472165523fe133739d358f9a60d6398762fb75f6f8021bd16a58aa3b0614
SHA512: 91bb7e1721b5cfe0bbf9eb4e1647749a52234ef97ea7ebccfbb8eeb7738e372730e19e4d67dcb0cd77c34ddfe15a1d9eec3f194c693772dcf3e1460dd6ab1b04
SSDEEP: 98304:rgskdTAKH/apHSWtWAjerHpSERCk0zGo+PkF:rgVx/aRzjwJSERChacF
Malware Config
Signatures

Hydra
Android banker and info stealer.

Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (process: com.rzzfwhaj.qwynaqj)
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process: com.rzzfwhaj.qwynaqj)

Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
IoC: /data/user/0/com.rzzfwhaj.qwynaqj/code_cache/secondary-dexes/base.apk.classes1.zip (PID 4310; process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.rzzfwhaj.qwynaqj/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.rzzfwhaj.qwynaqj/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&)
IoC: /data/user/0/com.rzzfwhaj.qwynaqj/code_cache/secondary-dexes/base.apk.classes1.zip (PID 4281; process: com.rzzfwhaj.qwynaqj)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 8, IoC: ip-api.com

Reads information about phone network operator. (1 TTP)
Processes
com.rzzfwhaj.qwynaqj (PID 4281)
  - Makes use of the framework's Accessibility service
  - Loads dropped Dex/Jar
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.rzzfwhaj.qwynaqj/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.rzzfwhaj.qwynaqj/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=& (PID 4310, child of 4281)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Downloads
/data/data/com.rzzfwhaj.qwynaqj/code_cache/secondary-dexes/tmp-base.apk.classes6833894800256519073.zip
Filesize: 378KB