Analysis
Max time kernel: 149s
Max time network: 150s
Platform: android_x86
Resource: android-x86-arm-20240221-en
Resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
Submitted: 16-03-2024 17:41
Static task: static1
Behavioral task: behavioral1
  Sample: cea98484826ce63b72d6efce2f692273.apk
  Resource: android-x86-arm-20240221-en
Behavioral task: behavioral2
  Sample: cea98484826ce63b72d6efce2f692273.apk
  Resource: android-x64-20240221-en
Behavioral task: behavioral3
  Sample: cea98484826ce63b72d6efce2f692273.apk
  Resource: android-x64-arm64-20240221-en
General
Target: cea98484826ce63b72d6efce2f692273.apk
Size: 3.0MB
MD5: cea98484826ce63b72d6efce2f692273
SHA1: 0630dfd3cd0bce10bbe3fd232592bba63a97c59b
SHA256: c404340baa0e1322364c75898e7ffefcabb660bab01979c22ebd98a502bb2310
SHA512: 91b96d0c0c2f7ab6e298a7b48104f444e5617362a2155153545dc39e4ecda56f13d0f1709d8a6c541ee529cee6e6b82c362d25663603161521185cdee1071010
SSDEEP: 49152:6nn2yqlmunxjxIkdREbREIr7kN7TRcBWJ0D4MTzWdW/SQJbDB4y6+Xn565O4b4Y5:6n3LkNZdFJhRcQJWqW/pJbvXkbN
Malware Config
Signatures
Hydra
  Android banker and info stealer.

Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Description: Framework service call
    IoC: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
    Process: com.qfbpgpng.xosjjkk
  Description: Framework service call
    IoC: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
    Process: com.qfbpgpng.xosjjkk

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  IoC: /data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/base.apk.classes1.zip
    PID: 4502
    Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
  IoC: /data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/base.apk.classes1.zip
    PID: 4473
    Process: com.qfbpgpng.xosjjkk

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow: 8
    IoC: ip-api.com

Reads information about phone network operator. (1 TTP)
Processes
com.qfbpgpng.xosjjkk (PID: 4473)
  - Makes use of the framework's Accessibility service
  - Loads dropped Dex/Jar
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=& (PID: 4502)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Downloads
/data/data/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/tmp-base.apk.classes520512221906241611.zip
  Filesize: 378KB
  MD5: e561110f38c040bb42b9833135d483e7
  SHA1: 6fe8b80ec5454d89b8b222947b6fdd9b18df9648
  SHA256: 3a12930596e80981b68528e787b51ebfd86135d08825f03d4a954a8badbae766
  SHA512: 41e06731fd3081c01207cbe3f6e67c6baa2209cd39355743b28fba60b27c7c0e8dab23368854cbd848fbda46769d90ce67562d300dc5fa438afb775869f234c1

(path not recorded)
  Filesize: 902KB
  MD5: cc67288a688fad122e80192a45a02e74
  SHA1: 90ef24796b188fe0ee64d5b13fc8168469b4b8a8
  SHA256: 8affe8fe2ce344175436234b97e2e50d86bd9a329e18f3e591e44e7c61a8ed00
  SHA512: 5736eb65500a226205b5cccd82f3712ab52c9e6438d12f11909672c774bd1914d105d44f9bcd07ebb88becc1fc905660b6f4ead9ac5ab9cb2d1ec980df085094

(path not recorded)
  Filesize: 902KB
  MD5: 6d4c8d4b9b4cb486fb3dc301c70c9466
  SHA1: ef4f85eb783d561719cbcac03bd0f2a57f9dd118
  SHA256: fc85a4a2eb31593dfbbb5d379b6e0c8b91817c1c822078cffaf2718ed2bf6df1
  SHA512: 595d04999136900d9187f0b73cf1185fe2a64a4c989c2491f7100799b4ce98c43390aa1bf12c503f98f471177364c21240eee205e9ba7be3733742d5e907d146