hydra | 2ba94628cffefb0fc52a5bc61982b5e8dfd2f8afa03bd86030b200ff1c7c1c67

Analysis

max time kernel
149s
max time network
136s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
07-04-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5d247675ac5a1326fead1be2d22cf16_JaffaCakes118.apk
Size

3.0MB
MD5

e5d247675ac5a1326fead1be2d22cf16
SHA1

2c384fdaa45c5496fc649ae227fa7b5e9ae3e363
SHA256

2ba94628cffefb0fc52a5bc61982b5e8dfd2f8afa03bd86030b200ff1c7c1c67
SHA512

70c8a9084ce41b0ee48e95f761ec51b870aae2c93c0a492c20b043e659d410623360ab80aafb0590792fdcc7a5efd1a8920f0ee5bd289e5eb701de5f234d4fba
SSDEEP

49152:ZZ3Fhu5v+oeX7tQ0gYZ1r6svkRQYGdHgMjVwAf6BwGf6fkPiK2pFd4MfXqiDo/Jz:ZTYtAZQ4wR7G5g4VbfOVu9FdhvWmkv

Score

10^/10

hydra banker collection discovery evasion infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

Processes:

com.yifjjlyw.mbqtimw

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.yifjjlyw.mbqtimw
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.yifjjlyw.mbqtimw

Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.yifjjlyw.mbqtimw

ioc pid process

/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip 5091 com.yifjjlyw.mbqtimw
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

ioc	pid	process
/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip	5091	com.yifjjlyw.mbqtimw

flow	ioc
11	ip-api.com

com.yifjjlyw.mbqtimw
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:5091

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Credential Access

Discovery

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/tmp-base.apk.classes8499293441533632741.zip

Filesize
378KB

MD5
0e030f478a541ec401d1a56529d1d63f

SHA1
86e6a81d10e3f71c923c88e18b1376d241e8b69e

SHA256
545e0b970d1d73b80e928bbe3dd96b793e7289ac1d182d3c79ab062f54443c9a

SHA512
60b9a4159882dd5aa060ec3ac6a663072f1770dcb8555334960cc7e4da39faa68aa94720e46f299202602209401a085fb865b756b9d17dcfe2aaf1e7a37a24dd

Download Submit
/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
902KB

MD5
6760c9bc32517de556353c07a9e838ce

SHA1
5c45721646cea792bcb13e45300a5eeb31e8c9de

SHA256
fc9dbc1817960c0702dba102270ffd3678e2e635c0988985e4045e6731ec5df9

SHA512
71c33a5810ce6812154595dc0b394d50fd072afcd1845618d493aacfc983e80290b7050e096d6975a3363cf40ae614d8736049f319c3e0c2b77435b3be3ca5c0

Download Submit