Malware Analysis Report

2024-10-19 12:04

Sample ID 240417-1wslvsgf3y
Target ddf446f2164bcf6bd46af668dd245fafb3c32d7b5620bfa7577978a8ace2acc3.bin
SHA256 ddf446f2164bcf6bd46af668dd245fafb3c32d7b5620bfa7577978a8ace2acc3
Tags
hydra banker collection evasion infostealer persistence trojan discovery
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

ddf446f2164bcf6bd46af668dd245fafb3c32d7b5620bfa7577978a8ace2acc3

Threat Level: Known bad

The file ddf446f2164bcf6bd46af668dd245fafb3c32d7b5620bfa7577978a8ace2acc3.bin was found to be: Known bad.

Malicious Activity Summary

hydra banker collection evasion infostealer persistence trojan discovery

Hydra payload

Hydra

Makes use of the framework's Accessibility service

Makes use of the framework's foreground persistence service

Loads dropped Dex/Jar

Reads the contacts stored on the device

Looks up external IP address via web service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Reads information about phone network operator

Declares broadcast receivers with permission to handle system events

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 22:00

Reported

2024-04-17 22:03

Platform

android-x86-arm-20240221-en

Max time kernel

150s

Max time network

139s

Command Line

com.grand.snail

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.grand.snail/app_mph_dex/classes.dex N/A N/A
N/A /data/user/0/com.grand.snail/app_mph_dex/classes.dex N/A N/A
N/A /data/user/0/com.grand.snail/app_mph_dex/classes.dex N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Reads the contacts stored on the device

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/contacts N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Processes

com.grand.snail

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.grand.snail/app_mph_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.grand.snail/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 mersintantuniad33.com udp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp

Files

/data/data/com.grand.snail/app_mph_dex/classes.dex

MD5 ccfaf0cba913b26cc3f6994cddd05549
SHA1 a4b302c886d8284187dd81123efd8039a072d119
SHA256 eed2e1a100238dbfdd57a185e36ebe34d88cf6ee739e2f740d6a5d0291ed0814
SHA512 a0d130fcb9d8558aef98171e08056914bfee6e217d91a3fc400f0cf95bf9a6c655c2698ae8323eaaee48fa29112eee2ee4d1b3456870d282e0e2ad21b094ef18

/data/user/0/com.grand.snail/app_mph_dex/classes.dex

MD5 ac2943c98b696f9a383d607f621bad03
SHA1 9735d4e830d5b06483cca2ec7342360984e1ce43
SHA256 8111316d5aa99d6f13904a04e70b1ae191dab7ff1fc207e826da0c3b36b4276c
SHA512 6ec06215261fa90fec2288cf1764e74c88df15ae309b406ef50c4343f4daccb4b3df198c2c8f8c151ea445f8d110c22c8725534a896c3ab2642d6550e3649b08

/data/data/com.grand.snail/app_mph_dex/oat/classes.dex.cur.prof

MD5 87c69bda44b6d469b5e3268d8980ba9c
SHA1 b65c75977d3c14edb9ff6050b808ff1d06f4d838
SHA256 eae337f3b70601b069a897f183591f458ac985de3b621b491020c865e763a0aa
SHA512 626363ac4a3481992d8769a5354c9285aa1413ef5b15286fd12458450408d75fd464d15741cbfb028473f381ea24e2d163d51bc3017676e3700a728fde1a55fa

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 22:00

Reported

2024-04-17 22:03

Platform

android-x64-20240221-en

Max time kernel

157s

Max time network

155s

Command Line

com.grand.snail

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.grand.snail/app_mph_dex/classes.dex N/A N/A
N/A /data/user/0/com.grand.snail/app_mph_dex/classes.dex N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Reads the contacts stored on the device

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/contacts N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Reads information about phone network operator

discovery

Processes

com.grand.snail

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 mersintantuniad33.com udp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
GB 216.58.212.202:443 tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp

Files

/data/data/com.grand.snail/app_mph_dex/classes.dex

MD5 ccfaf0cba913b26cc3f6994cddd05549
SHA1 a4b302c886d8284187dd81123efd8039a072d119
SHA256 eed2e1a100238dbfdd57a185e36ebe34d88cf6ee739e2f740d6a5d0291ed0814
SHA512 a0d130fcb9d8558aef98171e08056914bfee6e217d91a3fc400f0cf95bf9a6c655c2698ae8323eaaee48fa29112eee2ee4d1b3456870d282e0e2ad21b094ef18

/data/data/com.grand.snail/app_mph_dex/oat/classes.dex.cur.prof

MD5 5bc6af137fcf1ee75c4cd1d9767cc9b8
SHA1 82b4eb433e8b6586ad6f039a505f31e929c83991
SHA256 fb044aad646129f03e9e4c24fe6a297dc62a9fa69f5742e41ff579c3f35428d4
SHA512 b0845e0e9c0f6a89c6739c46719ff83b726b036c035614d95bbb763959bf29e0aa4014101e2075db8a6c727c49d31fe38f7f7201593edb63f2711c1c3b2fdef2

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-17 22:00

Reported

2024-04-17 22:03

Platform

android-x64-arm64-20240221-en

Max time kernel

149s

Max time network

158s

Command Line

com.grand.snail

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.grand.snail/app_mph_dex/classes.dex N/A N/A
N/A /data/user/0/com.grand.snail/app_mph_dex/classes.dex N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Reads the contacts stored on the device

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/contacts N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Reads information about phone network operator

discovery

Processes

com.grand.snail

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 mersintantuniad33.com udp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
GB 172.217.169.4:443 tcp
GB 172.217.169.4:443 tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp
US 172.67.205.144:80 mersintantuniad33.com tcp

Files

/data/user/0/com.grand.snail/app_mph_dex/classes.dex

MD5 ccfaf0cba913b26cc3f6994cddd05549
SHA1 a4b302c886d8284187dd81123efd8039a072d119
SHA256 eed2e1a100238dbfdd57a185e36ebe34d88cf6ee739e2f740d6a5d0291ed0814
SHA512 a0d130fcb9d8558aef98171e08056914bfee6e217d91a3fc400f0cf95bf9a6c655c2698ae8323eaaee48fa29112eee2ee4d1b3456870d282e0e2ad21b094ef18

/data/user/0/com.grand.snail/app_mph_dex/oat/classes.dex.cur.prof

MD5 3811b374413ddc314dcf37cede903cde
SHA1 2a9290c57da5bba48a73473537d22fd5d02e247e
SHA256 8266e7ac72c8d76cb2bc5943d3882d3dcb764fe4b06d7e2eb208999cbc753008
SHA512 a98cdae0be6ea6323b5c838536a4fcf736559cf5040bde5e316ebb0fffce01bd91972c0a7a483702c2839898e30fdc409899d6cf4dd548aa77babd5ed6507ff7