Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted
    28-02-2024 14:11

General

  • Target

    ac12c8d7db96fb5897954a28c6ab924f.apk

  • Size

    3.3MB

  • MD5

    ac12c8d7db96fb5897954a28c6ab924f

  • SHA1

    58707de8e58730efff71d4dd63cce16f01973966

  • SHA256

    fb14472165523fe133739d358f9a60d6398762fb75f6f8021bd16a58aa3b0614

  • SHA512

    91bb7e1721b5cfe0bbf9eb4e1647749a52234ef97ea7ebccfbb8eeb7738e372730e19e4d67dcb0cd77c34ddfe15a1d9eec3f194c693772dcf3e1460dd6ab1b04

  • SSDEEP

    98304:rgskdTAKH/apHSWtWAjerHpSERCk0zGo+PkF:rgVx/aRzjwJSERChacF

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Makes use of the framework's Accessibility service

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Loads dropped Dex/Jar

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator

Processes

  • com.rzzfwhaj.qwynaqj
    1⤵
    • Makes use of the framework's Accessibility service
    • Loads dropped Dex/Jar
    PID:4281
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.rzzfwhaj.qwynaqj/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.rzzfwhaj.qwynaqj/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4310

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.rzzfwhaj.qwynaqj/code_cache/secondary-dexes/tmp-base.apk.classes6833894800256519073.zip

    Filesize

    378KB

    MD5

    1bec2046cf2e445fc2108b63b979e1b8

    SHA1

    1fbce2798cc3d46dcc782e88835c3cf26f9a7c7f

    SHA256

    a18481dfd4df5266b3f388f10b32d8a54604f16c818861a944f947667adaedb5

    SHA512

    772a39241824fea18a049ea0ee1ead341b2137186da02c732a19f9c35a86423e7dd4bb9536a412970caac783b7693eed195e8c7ae463a17c68db41741642c61a

  • /data/user/0/com.rzzfwhaj.qwynaqj/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    77aa4007545625e7ed5b28b576f5c40f

    SHA1

    0e079f251d95d43c3177dcf657e270c954e809be

    SHA256

    1b07549229cff720d595d206e5d54faeff4feb00f7027c08167670390d5ab6be

    SHA512

    fd3239d37177634c14a46bcdbf5416076e2eba9db9cd48a14608160151c5eb7edd4953e316ae2cfb8919e55a55923a7e18897dbccb04d2e9acca0d379999910e

  • /data/user/0/com.rzzfwhaj.qwynaqj/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    938da95ec22ce466428fa22ff0f9f1e0

    SHA1

    810821d9c4334b25b76ac66dc47a1d5c64484670

    SHA256

    da73bbdb8a45f3787b553e01677ca552e94b7315312e22886bb5c874c8328476

    SHA512

    21eeabcebe5b54f707a63bf3f59381ddebbeadbfb867d548b3b47b052506d5403257dc48046bb2d155061f708427baf423a2d61c49b14c6d15db77b4749b637f