Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    16-03-2024 17:41

General

  • Target

    cea98484826ce63b72d6efce2f692273.apk

  • Size

    3.0MB

  • MD5

    cea98484826ce63b72d6efce2f692273

  • SHA1

    0630dfd3cd0bce10bbe3fd232592bba63a97c59b

  • SHA256

    c404340baa0e1322364c75898e7ffefcabb660bab01979c22ebd98a502bb2310

  • SHA512

    91b96d0c0c2f7ab6e298a7b48104f444e5617362a2155153545dc39e4ecda56f13d0f1709d8a6c541ee529cee6e6b82c362d25663603161521185cdee1071010

  • SSDEEP

    49152:6nn2yqlmunxjxIkdREbREIr7kN7TRcBWJ0D4MTzWdW/SQJbDB4y6+Xn565O4b4Y5:6n3LkNZdFJhRcQJWqW/pJbvXkbN

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator. 1 TTPs

Processes

  • com.qfbpgpng.xosjjkk
    1⤵
    • Makes use of the framework's Accessibility service
    • Loads dropped Dex/Jar
    PID:4473
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4502

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/tmp-base.apk.classes520512221906241611.zip

    Filesize

    378KB

    MD5

    e561110f38c040bb42b9833135d483e7

    SHA1

    6fe8b80ec5454d89b8b222947b6fdd9b18df9648

    SHA256

    3a12930596e80981b68528e787b51ebfd86135d08825f03d4a954a8badbae766

    SHA512

    41e06731fd3081c01207cbe3f6e67c6baa2209cd39355743b28fba60b27c7c0e8dab23368854cbd848fbda46769d90ce67562d300dc5fa438afb775869f234c1

  • /data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    cc67288a688fad122e80192a45a02e74

    SHA1

    90ef24796b188fe0ee64d5b13fc8168469b4b8a8

    SHA256

    8affe8fe2ce344175436234b97e2e50d86bd9a329e18f3e591e44e7c61a8ed00

    SHA512

    5736eb65500a226205b5cccd82f3712ab52c9e6438d12f11909672c774bd1914d105d44f9bcd07ebb88becc1fc905660b6f4ead9ac5ab9cb2d1ec980df085094

  • /data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    6d4c8d4b9b4cb486fb3dc301c70c9466

    SHA1

    ef4f85eb783d561719cbcac03bd0f2a57f9dd118

    SHA256

    fc85a4a2eb31593dfbbb5d379b6e0c8b91817c1c822078cffaf2718ed2bf6df1

    SHA512

    595d04999136900d9187f0b73cf1185fe2a64a4c989c2491f7100799b4ce98c43390aa1bf12c503f98f471177364c21240eee205e9ba7be3733742d5e907d146