Analysis
-
max time kernel
146s -
max time network
153s -
platform
android_x64 -
resource
android-x64-20240221-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system -
submitted
22-03-2024 22:00
Static task
static1
Behavioral task
behavioral1
Sample
b68799e9202204e52c39aa134150caf16d4a28a73ef08cbe4bb373e8b8b80092.apk
Resource
android-x86-arm-20240221-en
Behavioral task
behavioral2
Sample
b68799e9202204e52c39aa134150caf16d4a28a73ef08cbe4bb373e8b8b80092.apk
Resource
android-x64-20240221-en
Behavioral task
behavioral3
Sample
b68799e9202204e52c39aa134150caf16d4a28a73ef08cbe4bb373e8b8b80092.apk
Resource
android-x64-arm64-20240221-en
General
-
Target
b68799e9202204e52c39aa134150caf16d4a28a73ef08cbe4bb373e8b8b80092.apk
-
Size
3.3MB
-
MD5
f350c08e3c688e6d140a374c34c0640a
-
SHA1
fcead8bc0c122135b2f4aa07b8f58916418c3c0d
-
SHA256
b68799e9202204e52c39aa134150caf16d4a28a73ef08cbe4bb373e8b8b80092
-
SHA512
aad30d82800ec75332327405c71c563356c180c819862921e7b0f87bfa4b952a5bccb04fa1f6d5e3b78a9f0ed0ff652860e2464f14a02c31222300c50ec646d3
-
SSDEEP
49152:XNNro/+KQdPm9pdGjC76XeSZgRztdHxS5K3m/e0dpfTZS2v4mUqzZ1fNjYs+ly:XNNM3Q09yj1Xe/ztdA5Wf4TZS2p99+0
Malware Config
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra payload 2 IoCs
resource yara_rule behavioral2/memory/5035-0.dex family_hydra1 behavioral2/memory/5035-0.dex family_hydra2 -
Makes use of the framework's Accessibility service 2 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.enjoy.drama Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.enjoy.drama -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.enjoy.drama/app_DynamicOptDex/NdBF.json 5035 com.enjoy.drama -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
flow ioc 22 raw.githubusercontent.com 23 raw.githubusercontent.com 24 raw.githubusercontent.com 27 raw.githubusercontent.com 6 raw.githubusercontent.com 7 raw.githubusercontent.com 15 raw.githubusercontent.com 21 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 11 ip-api.com -
Reads information about phone network operator. 1 TTPs
Processes
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Mobile v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5ea2bf38a16512baa10e54f6297e84248
SHA1500a5d99279cc0a6dd04f645057727c7eb94bdf6
SHA256f08fc516cf3830b5faaff6e1f856a56b48da757a500ac5edd0f4a483842bf24a
SHA512eecd658a685a0d2e1eaa78bce822d62f152a703efcd4d04e80bfd5e6139683155ff7b2607aea45d31f5f4f8d04d900ecba16cd245a3d795a0e11dbd883a9a93d
-
Filesize
1.9MB
MD5047cf15583f3fbfe13668e5c95718b5b
SHA19e9ba3710b81ed07034f12fdd47bdedc04099856
SHA25640325c1206b886b2ed025141dc0a476e344212c4af1f8ecfae1d59d079d397c0
SHA5122b36e21933ac675404daae3d13b88476c09e6a7dacd373dd3360edaa945b7309e4c04dd0ba9baa12ea3417ac7bcf46981365d254cf9f74d10ddad5b8f93426b7
-
Filesize
1KB
MD5773214a67af41e96d6326c3347a40eb1
SHA1bdeace59368016bb16405dafb29d23f33739fe8a
SHA2562f19eb32ccc38aff241999a91e0f2c60553df94dd2c0d8da58f84607615ed14e
SHA51211054cfabe5c52a2bdc2f991a83b3dd746f71cf795422e7fc3d7c30c998ee9bde536f9e1e89773594bf8152e7d70c9b1fe07e127ea5359244c46894f100e1fe9
-
Filesize
5.0MB
MD51fbca689947b3f4a3620380b222551cb
SHA1b517d6ce835859e728d7b0337b7e9c82790598d3
SHA256504051abea85a4a098cf5c48a82af7b1caca67f2a6cd3280c0595e29e31c6fa1
SHA5126abf5f3b6c586b29157b5511d275e3202980a35e7196a10bbc251794de6123c98dd07f54cbbce33335f0ffd10838557384fa8445203fdc2085145e906ba808aa