hydra | 2ba94628cffefb0fc52a5bc61982b5e8dfd2f8afa03bd86030b200ff1c7c1c67

Analysis

max time kernel
149s
max time network
130s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
07-04-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5d247675ac5a1326fead1be2d22cf16_JaffaCakes118.apk
Size

3.0MB
MD5

e5d247675ac5a1326fead1be2d22cf16
SHA1

2c384fdaa45c5496fc649ae227fa7b5e9ae3e363
SHA256

2ba94628cffefb0fc52a5bc61982b5e8dfd2f8afa03bd86030b200ff1c7c1c67
SHA512

70c8a9084ce41b0ee48e95f761ec51b870aae2c93c0a492c20b043e659d410623360ab80aafb0590792fdcc7a5efd1a8920f0ee5bd289e5eb701de5f234d4fba
SSDEEP

49152:ZZ3Fhu5v+oeX7tQ0gYZ1r6svkRQYGdHgMjVwAf6BwGf6fkPiK2pFd4MfXqiDo/Jz:ZTYtAZQ4wR7G5g4VbfOVu9FdhvWmkv

Score

10^/10

hydra banker collection discovery evasion infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

Processes:

com.yifjjlyw.mbqtimw

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.yifjjlyw.mbqtimw
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.yifjjlyw.mbqtimw

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&com.yifjjlyw.mbqtimw

ioc	pid	process
/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip	4494	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip	4466	com.yifjjlyw.mbqtimw

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

flow	ioc
8	ip-api.com

com.yifjjlyw.mbqtimw
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4466
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4494

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Credential Access

Discovery

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/tmp-base.apk.classes2562076101568266421.zip

Filesize
378KB

MD5
0e030f478a541ec401d1a56529d1d63f

SHA1
86e6a81d10e3f71c923c88e18b1376d241e8b69e

SHA256
545e0b970d1d73b80e928bbe3dd96b793e7289ac1d182d3c79ab062f54443c9a

SHA512
60b9a4159882dd5aa060ec3ac6a663072f1770dcb8555334960cc7e4da39faa68aa94720e46f299202602209401a085fb865b756b9d17dcfe2aaf1e7a37a24dd

Download Submit
/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
902KB

MD5
ca464b7b9c757be391d96f538799d390

SHA1
74b10e3645ca1c0ea8ab1b8deacac38ad0f9ec6e

SHA256
40fbbc8243c0203ed20582e3df70cc642ac68b674a96c149db7119604d08f15a

SHA512
7314830a7ecb6c812e0b284c3efc3cd3f565661172549a9ca947e343d9393da6fd67d15c34f543985ed82f9236a27a5d3a2e7a1f79d77590ea751132942ffbc2

Download Submit
/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
902KB

MD5
6760c9bc32517de556353c07a9e838ce

SHA1
5c45721646cea792bcb13e45300a5eeb31e8c9de

SHA256
fc9dbc1817960c0702dba102270ffd3678e2e635c0988985e4045e6731ec5df9

SHA512
71c33a5810ce6812154595dc0b394d50fd072afcd1845618d493aacfc983e80290b7050e096d6975a3363cf40ae614d8736049f319c3e0c2b77435b3be3ca5c0

Download Submit