hydra | 1437e111cfc3d76f3397bafc21a4ec81ad08d592ade86645fbbe552f61d7cfbd

Analysis

max time kernel
153s
max time network
143s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
18-04-2024 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7c9818a25d2bbcbbf464ad5cd4da13c_JaffaCakes118.apk
Size

2.8MB
MD5

f7c9818a25d2bbcbbf464ad5cd4da13c
SHA1

35cebb81310d40329792105deb2706798a799e2c
SHA256

1437e111cfc3d76f3397bafc21a4ec81ad08d592ade86645fbbe552f61d7cfbd
SHA512

24270fc57f351a5e8eb01909c11376305b72e65d41239e5fcfb110866a1581388bccb855760b87769f3c6249b83ba73eee7ad5c1303da23752a957f2b0add5f1
SSDEEP

49152:xc9ma8/sQibfUuCltdJbTs/k+tfSuND4v8SC/mTR95ndMtDb5D2iED5sZ1dtXIaX:xcgyQib8Z7TMk8TND4vxcmTvw5DiDCfB

Score

10^/10

hydra banker collection discovery evasion infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

Processes:

com.llldjydh.tpolrlz

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.llldjydh.tpolrlz
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.llldjydh.tpolrlz

Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.llldjydh.tpolrlz

ioc pid process

/data/user/0/com.llldjydh.tpolrlz/code_cache/secondary-dexes/base.apk.classes1.zip 5047 com.llldjydh.tpolrlz
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

ioc	pid	process
/data/user/0/com.llldjydh.tpolrlz/code_cache/secondary-dexes/base.apk.classes1.zip	5047	com.llldjydh.tpolrlz

flow	ioc
4	ip-api.com

com.llldjydh.tpolrlz
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:5047

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Credential Access

Discovery

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.llldjydh.tpolrlz/code_cache/secondary-dexes/tmp-base.apk.classes4991936825748555765.zip

Filesize
343KB

MD5
a4a3588d014de7ba37b239e049c77285

SHA1
00c31b7ad4a8848fc258d52e15e333656cbcc228

SHA256
07bbc2aaba4b2a0c95cb7e90044fd515a78fc96d678d807034eff94630eeee06

SHA512
e0fc44be247555b1d396d73d28073587221af415b2957039e337057b969cc911593956ab80175dd55f614cafc79df7faaef22a99a8852559c83991434e71bb1c

Download Submit
/data/user/0/com.llldjydh.tpolrlz/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
817KB

MD5
f63966c50ea4eed0d2ad9183b842efdd

SHA1
ff3787b8a1e285482c8f154e05c4a2b696fabb2d

SHA256
0f2017b7f0b8a662df4725742be504af37e4a9bdfe4e7abdea5f7fed5bd671ac

SHA512
c03246eb2f8d5c73fe05dd3dba966429ac96470e825bff0bc8897490aba26530fad876e78d892166d08daf8c359629272059c8b829a453a60a1ecd4605e3066f

Download Submit