Malware Analysis Report

2024-10-19 12:02

Sample ID 240719-n2axsazbrm
Target 49251_Video_Player.apk
SHA256 003d2fd8ef8fc9d4765e4bbc650ecd20ef339be94606486629c003f683cb5982
Tags: hydra banker collection credential_access discovery evasion infostealer persistence trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 003d2fd8ef8fc9d4765e4bbc650ecd20ef339be94606486629c003f683cb5982

Threat Level: Known bad

The file 49251_Video_Player.apk was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Hydra

Hydra payload

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Queries information about active data network

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Looks up external IP address via web service

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-19 11:53

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-19 11:53
Reported: 2024-07-19 11:56
Platform: android-x86-arm-20240624-en
Max time kernel: 179s
Max time network: 131s

Command Line

kind.collect.action

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json | N/A | N/A
N/A | /data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json | N/A | N/A
N/A | /data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

kind.collect.action

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/kind.collect.action/app_DynamicOptDex/oat/x86/xcN.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.110.133:443 | gist.githubusercontent.com | tcp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/kind.collect.action/app_DynamicOptDex/xcN.json

MD5 0cf5557cbf0383fd47f1c40d3a1da83c
SHA1 ff3596f068cb5afc6cf8c0c89618c2894306a11b
SHA256 b81fc2b74dc198f8dac12b56025512400ad3ab35702fd554e21e1f2752029395
SHA512 b943d9c70aa8f10c698531b398e45a98a5c6c5dea5d5e9e22f3e2658b1b59244e3f5240d535760ebba53ca7729317c50724acf1a554d2dfc21100349e9c5bc22

/data/data/kind.collect.action/app_DynamicOptDex/xcN.json

MD5 f07247ab92fac8e2a2bf4378351e6650
SHA1 cacf739c3fd37ec2f83c5ae7ec5f6de115f70467
SHA256 1c88a0718b8ddc9fd0de16629247306056580c41e6e6c958591c890c1bff84d9
SHA512 6f9ea9792b438d619ade10ea332f494d7274bc8e500cdb093e8599a2c46bb094843b0980eb807d153b8ee708ae7a67ee51455e15ba86497ef0e19a3eed990e51

/data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json

MD5 71eac9aca85a7d7b3e6d66460c162c17
SHA1 fa668a1be1993d2002a8ef8b1ce0af1be5dba3b0
SHA256 298118d57a6c809597f674215fa897cbcbe828ad926d31947d23e1cca489088d
SHA512 92240258d41eaff30098f187efb254e76e91d32e920934da6af2a30b8e34bacef004dbeeed1a3efded54a08b24114416a71cb9459b134b9aacfaaa878af0267a

/data/data/kind.collect.action/app_DynamicOptDex/oat/xcN.json.cur.prof

MD5 97e35c7efe5230f6be0ec177e744ae21
SHA1 83a07bae5412c5163d9b746cb222218077ce925b
SHA256 e6f9bd17ef98387e52fb9ccd379af9580ab6158dbcceed87d007489f18424b76
SHA512 03538111b9c65067a575b31e7c40db07f12a0f4138ac108340557a5aa62c925fefcedc5ac89c04db03b1ee750fc22699807181558514f07d754918abbcc348f0

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-19 11:53
Reported: 2024-07-19 11:56
Platform: android-x64-20240624-en
Max time kernel: 178s
Max time network: 143s

Command Line

kind.collect.action

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json | N/A | N/A
N/A | /data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

kind.collect.action

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.109.133:443 | gist.githubusercontent.com | tcp
GB | 142.250.180.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.16.228:443 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp

Files

/data/data/kind.collect.action/app_DynamicOptDex/xcN.json

MD5 0cf5557cbf0383fd47f1c40d3a1da83c
SHA1 ff3596f068cb5afc6cf8c0c89618c2894306a11b
SHA256 b81fc2b74dc198f8dac12b56025512400ad3ab35702fd554e21e1f2752029395
SHA512 b943d9c70aa8f10c698531b398e45a98a5c6c5dea5d5e9e22f3e2658b1b59244e3f5240d535760ebba53ca7729317c50724acf1a554d2dfc21100349e9c5bc22

/data/data/kind.collect.action/app_DynamicOptDex/xcN.json

MD5 f07247ab92fac8e2a2bf4378351e6650
SHA1 cacf739c3fd37ec2f83c5ae7ec5f6de115f70467
SHA256 1c88a0718b8ddc9fd0de16629247306056580c41e6e6c958591c890c1bff84d9
SHA512 6f9ea9792b438d619ade10ea332f494d7274bc8e500cdb093e8599a2c46bb094843b0980eb807d153b8ee708ae7a67ee51455e15ba86497ef0e19a3eed990e51

/data/data/kind.collect.action/app_DynamicOptDex/oat/xcN.json.cur.prof

MD5 c0a7dacf29c9e9f071854639d5164954
SHA1 4c3c9fc69999ba2de8e6a71f053a4ec0e100ad02
SHA256 ca95045ee1976ff718c0f295c0b498d81d2df1a36bf3738aefaea071c6ed8a36
SHA512 64ad2c96c034718be62c727f8f1a4a8a6f0dba55421f8c36b0318651e514ec8161e8733b20563010080283bd1c5e91616a27c1a1ca56c95b16f05e51665c1d15

Analysis: behavioral3

Detonation Overview

Submitted: 2024-07-19 11:53
Reported: 2024-07-19 11:56
Platform: android-x64-arm64-20240624-en
Max time kernel: 178s
Max time network: 134s

Command Line

kind.collect.action

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json | N/A | N/A
N/A | /data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Processes

kind.collect.action

Network

Country | Destination | Domain | Proto
GB | 216.58.212.238:443 | N/A | tcp
GB | 216.58.212.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.110.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.228:443 | N/A | tcp
GB | 142.250.187.228:443 | N/A | tcp

Files

/data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json

MD5 0cf5557cbf0383fd47f1c40d3a1da83c
SHA1 ff3596f068cb5afc6cf8c0c89618c2894306a11b
SHA256 b81fc2b74dc198f8dac12b56025512400ad3ab35702fd554e21e1f2752029395
SHA512 b943d9c70aa8f10c698531b398e45a98a5c6c5dea5d5e9e22f3e2658b1b59244e3f5240d535760ebba53ca7729317c50724acf1a554d2dfc21100349e9c5bc22

/data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json

MD5 f07247ab92fac8e2a2bf4378351e6650
SHA1 cacf739c3fd37ec2f83c5ae7ec5f6de115f70467
SHA256 1c88a0718b8ddc9fd0de16629247306056580c41e6e6c958591c890c1bff84d9
SHA512 6f9ea9792b438d619ade10ea332f494d7274bc8e500cdb093e8599a2c46bb094843b0980eb807d153b8ee708ae7a67ee51455e15ba86497ef0e19a3eed990e51

/data/user/0/kind.collect.action/app_DynamicOptDex/oat/xcN.json.cur.prof

MD5 28e0e196466ba0ae4cc5ff79a714d3fa
SHA1 d14204e3c2970a605a8ef41f9a4e3b76c1ac7e4a
SHA256 344ff9211759be3b33a4a16ac6e4eca80d6cc254a001671de8340107d6d110e4
SHA512 1a631a95ab8f09249956f097dfe05167f7cab7f75654b7ab5c61329960f079032474df922a4baba96234acef0a14bda3fdf5a2d65e4d7d5add07af45c175237c