Analysis
-
max time kernel
147s -
max time network
154s -
platform
android_x86 -
resource
android-x86-arm-20240221-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system -
submitted
22-03-2024 22:00
Static task
static1
Behavioral task
behavioral1
Sample
b68799e9202204e52c39aa134150caf16d4a28a73ef08cbe4bb373e8b8b80092.apk
Resource
android-x86-arm-20240221-en
Behavioral task
behavioral2
Sample
b68799e9202204e52c39aa134150caf16d4a28a73ef08cbe4bb373e8b8b80092.apk
Resource
android-x64-20240221-en
Behavioral task
behavioral3
Sample
b68799e9202204e52c39aa134150caf16d4a28a73ef08cbe4bb373e8b8b80092.apk
Resource
android-x64-arm64-20240221-en
General
-
Target
b68799e9202204e52c39aa134150caf16d4a28a73ef08cbe4bb373e8b8b80092.apk
-
Size
3.3MB
-
MD5
f350c08e3c688e6d140a374c34c0640a
-
SHA1
fcead8bc0c122135b2f4aa07b8f58916418c3c0d
-
SHA256
b68799e9202204e52c39aa134150caf16d4a28a73ef08cbe4bb373e8b8b80092
-
SHA512
aad30d82800ec75332327405c71c563356c180c819862921e7b0f87bfa4b952a5bccb04fa1f6d5e3b78a9f0ed0ff652860e2464f14a02c31222300c50ec646d3
-
SSDEEP
49152:XNNro/+KQdPm9pdGjC76XeSZgRztdHxS5K3m/e0dpfTZS2v4mUqzZ1fNjYs+ly:XNNM3Q09yj1Xe/ztdA5Wf4TZS2p99+0
Malware Config
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra payload 2 IoCs
resource yara_rule behavioral1/memory/4187-0.dex family_hydra1 behavioral1/memory/4187-0.dex family_hydra2 -
Makes use of the framework's Accessibility service 2 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.enjoy.drama Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.enjoy.drama -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.enjoy.drama/app_DynamicOptDex/NdBF.json 4187 com.enjoy.drama -
Requests enabling of the accessibility settings. 1 IoCs
description ioc Process Intent action android.settings.ACCESSIBILITY_SETTINGS com.enjoy.drama -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
flow ioc 18 raw.githubusercontent.com 19 raw.githubusercontent.com 20 raw.githubusercontent.com 4 raw.githubusercontent.com 5 raw.githubusercontent.com 12 raw.githubusercontent.com 16 raw.githubusercontent.com 17 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 10 ip-api.com -
Reads information about phone network operator. 1 TTPs
Processes
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Mobile v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5ea2bf38a16512baa10e54f6297e84248
SHA1500a5d99279cc0a6dd04f645057727c7eb94bdf6
SHA256f08fc516cf3830b5faaff6e1f856a56b48da757a500ac5edd0f4a483842bf24a
SHA512eecd658a685a0d2e1eaa78bce822d62f152a703efcd4d04e80bfd5e6139683155ff7b2607aea45d31f5f4f8d04d900ecba16cd245a3d795a0e11dbd883a9a93d
-
Filesize
1.9MB
MD5047cf15583f3fbfe13668e5c95718b5b
SHA19e9ba3710b81ed07034f12fdd47bdedc04099856
SHA25640325c1206b886b2ed025141dc0a476e344212c4af1f8ecfae1d59d079d397c0
SHA5122b36e21933ac675404daae3d13b88476c09e6a7dacd373dd3360edaa945b7309e4c04dd0ba9baa12ea3417ac7bcf46981365d254cf9f74d10ddad5b8f93426b7
-
Filesize
1KB
MD55d169a67cd8e3186ec737a11fc1429d7
SHA1a9066b579fd48c5d365a21400ad4f3911fe4b249
SHA2569cdf7e8c2ee4e8e0aae6879ea038ddca0bc678864bdb6a41a001d071d6520c2f
SHA5125fc498ce3c4d0e3085136a82678af1c07b57d56a5b315b3dcae53d96f17770e63a7e7fefc3d29d2979756e756a76def9d4b29df85490ecb95b7e322a79af978e
-
Filesize
5.0MB
MD51fbca689947b3f4a3620380b222551cb
SHA1b517d6ce835859e728d7b0337b7e9c82790598d3
SHA256504051abea85a4a098cf5c48a82af7b1caca67f2a6cd3280c0595e29e31c6fa1
SHA5126abf5f3b6c586b29157b5511d275e3202980a35e7196a10bbc251794de6123c98dd07f54cbbce33335f0ffd10838557384fa8445203fdc2085145e906ba808aa