Malware Analysis Report

2024-10-19 12:04

Sample ID: 240720-j64cnsxerb
Target: 003d2fd8ef8fc9d4765e4bbc650ecd20ef339be94606486629c003f683cb5982.apk
SHA256: 003d2fd8ef8fc9d4765e4bbc650ecd20ef339be94606486629c003f683cb5982
Tags: hydra banker collection credential_access discovery evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 003d2fd8ef8fc9d4765e4bbc650ecd20ef339be94606486629c003f683cb5982
Threat Level: Known bad

The file 003d2fd8ef8fc9d4765e4bbc650ecd20ef339be94606486629c003f683cb5982.apk was found to be: Known bad.

Malicious Activity Summary

Tags: hydra banker collection credential_access discovery evasion infostealer persistence trojan

Signatures triggered:
  Hydra payload
  Hydra
  Makes use of the framework's Accessibility service
  Loads dropped Dex/Jar
  Looks up external IP address via web service
  Reads information about phone network operator
  Declares broadcast receivers with permission to handle system events
  Declares services with permission to bind to the system
  Requests dangerous framework permissions
  Queries information about active data network
  Queries the mobile country code (MCC)
  Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-20 08:17

Signatures

Declares broadcast receivers with permission to handle system events

  Indicator: android.permission.BIND_DEVICE_ADMIN
  Description: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

  Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
  Description: Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions

  Indicator                                    Description
  android.permission.SYSTEM_ALERT_WINDOW       Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
  android.permission.SEND_SMS                  Allows an application to send SMS messages.
  android.permission.READ_SMS                  Allows an application to read SMS messages.
  android.permission.RECEIVE_SMS               Allows an application to receive SMS messages.
  android.permission.WRITE_EXTERNAL_STORAGE    Allows an application to write to external storage.
  android.permission.REQUEST_INSTALL_PACKAGES  Allows an application to request installing packages.
  android.permission.CALL_PHONE                Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.

  No process or target is recorded for any of these static indicators.

  Taken one at a time, most of these permissions are also requested by legitimate apps. The combination is what matters: an accessibility service (reads the screen and injects input), a device-admin receiver (the app cannot be uninstalled until admin is revoked), overlay windows (fake login screens drawn over the real app) and full SMS access (interception of one-time passcodes) is the standard capability set of an overlay banker, and it matches the Hydra tags on this sample.
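The static check above can be reproduced on a decoded manifest and the permission combination scored, rather than eyeballed. The following Python is an added example and is not part of the sandbox report or the sample: it pulls uses-permission entries and the android:permission attribute of services and receivers (the same three signatures as static1) and flags the overlay-banker profile. The manifest it parses is constructed from the permissions listed on this page; the component names in it are invented, and the real APK manifest is binary AXML that would first have to be decoded with a tool such as apktool or androguard.

```python
"""Permission-profile triage for a decoded AndroidManifest.xml.

Added example, not part of the sandbox report.  SAMPLE_MANIFEST is
CONSTRUCTED from the permissions listed in the static1 section; the
component names are invented.  The real manifest would be decoded with
apktool or androguard before being fed to extract_permissions().
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample (permissions from the report, component names invented).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="kind.collect.action">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".HypotheticalA11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".HypotheticalAdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Constructed benign control: an app that only needs the camera.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.benign">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application><activity android:name=".Main"/></application>
</manifest>
"""

# Capability -> (bucket to look in, permission names that grant it).
CAPABILITIES = {
    "overlay":       ("requested", {"android.permission.SYSTEM_ALERT_WINDOW"}),
    "sms":           ("requested", {"android.permission.SEND_SMS",
                                    "android.permission.READ_SMS",
                                    "android.permission.RECEIVE_SMS"}),
    "install":       ("requested", {"android.permission.REQUEST_INSTALL_PACKAGES"}),
    "call":          ("requested", {"android.permission.CALL_PHONE"}),
    "accessibility": ("services",  {"android.permission.BIND_ACCESSIBILITY_SERVICE"}),
    "device_admin":  ("receivers", {"android.permission.BIND_DEVICE_ADMIN"}),
}
# Minimum set for a classic overlay / OTP-theft banker.
CORE_BANKER = {"overlay", "sms", "accessibility"}


def extract_permissions(manifest_xml: str) -> dict:
    """Requested permissions plus the bind permissions declared on
    <service> and <receiver> components (the three static1 signatures)."""
    root = ET.fromstring(manifest_xml)
    attr = lambda e, n: e.get(ANDROID_NS + n)
    return {
        "requested": {attr(e, "name") for e in root.iter("uses-permission")} - {None},
        "services":  {attr(e, "permission") for e in root.iter("service")} - {None},
        "receivers": {attr(e, "permission") for e in root.iter("receiver")} - {None},
    }


def assess_banker_profile(perms: dict) -> dict:
    """Map permissions onto capabilities and flag the banker combination."""
    hits = sorted(cap for cap, (bucket, names) in CAPABILITIES.items()
                  if perms[bucket] & names)
    return {
        "capabilities": hits,
        "score": len(hits),
        "banker_like": CORE_BANKER.issubset(hits),
    }


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, assess_banker_profile(extract_permissions(xml)))
```

The bind permissions are deliberately read from the component declarations rather than from uses-permission: BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN are not requested by the app, they are set on the service or receiver so that only the system can bind to it, which is exactly what the two "Declares ... with permission to bind" signatures look for.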

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-20 08:17
Reported: 2024-07-20 08:20
Platform: android-x64-20240624-en
Max time kernel: 178s
Max time network: 137s

Command Line

kind.collect.action

Signatures

Hydra  [banker trojan infostealer hydra]
  Hydra payload: detected (no indicator, process or target recorded)

Loads dropped Dex/Jar  [evasion]
  /data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json  (2 load events)

Makes use of the framework's Accessibility service  [collection evasion credential_access]
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Looks up external IP address via web service
  ip-api.com

Queries information about active data network  [discovery]
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries the mobile country code (MCC)  [discovery]
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator  [discovery]
  (no indicator recorded)

Registers a broadcast receiver at runtime (usually for listening for system events)  [persistence]
  Framework service call: android.app.IActivityManager.registerReceiver

Processes

kind.collect.action

Network

Country  Destination              Domain                       Proto
-        224.0.0.251:5353         -                            udp
US       1.1.1.1:53               ssl.google-analytics.com     udp
GB       216.58.212.200:443       ssl.google-analytics.com     tcp
US       1.1.1.1:53               ip-api.com                   udp
US       208.95.112.1:80          ip-api.com                   tcp
US       1.1.1.1:53               gist.githubusercontent.com   udp
US       185.199.110.133:443      gist.githubusercontent.com   tcp
GB       142.250.187.238:443      -                            tcp
US       1.1.1.1:53               android.apis.google.com      udp
GB       142.250.187.206:443      android.apis.google.com      tcp
GB       142.250.179.228:443      -                            tcp
GB       142.250.179.228:443      -                            tcp

A "-" means the sandbox recorded no domain for that flow. 224.0.0.251:5353 is local mDNS, and each 1.1.1.1:53 row is the DNS lookup for the domain that follows it. Apart from Google infrastructure (analytics, android.apis.google.com), the sample reaches only two hosts: ip-api.com over plain HTTP on port 80, which is the external-IP lookup signature above, and gist.githubusercontent.com over TLS, whose fetched content the report does not record.

Files

The payload path below is listed twice with different hashes: the file was rewritten during the run, which matches the repeated "Loads dropped Dex/Jar" events. /data/data/<pkg> and /data/user/0/<pkg> are the same directory (/data/data is a symlink to /data/user/0). The oat/xcN.json.cur.prof entry is the ART runtime profile written alongside the compiled code, not a payload.

/data/data/kind.collect.action/app_DynamicOptDex/xcN.json

MD5 0cf5557cbf0383fd47f1c40d3a1da83c
SHA1 ff3596f068cb5afc6cf8c0c89618c2894306a11b
SHA256 b81fc2b74dc198f8dac12b56025512400ad3ab35702fd554e21e1f2752029395
SHA512 b943d9c70aa8f10c698531b398e45a98a5c6c5dea5d5e9e22f3e2658b1b59244e3f5240d535760ebba53ca7729317c50724acf1a554d2dfc21100349e9c5bc22

/data/data/kind.collect.action/app_DynamicOptDex/xcN.json

MD5 f07247ab92fac8e2a2bf4378351e6650
SHA1 cacf739c3fd37ec2f83c5ae7ec5f6de115f70467
SHA256 1c88a0718b8ddc9fd0de16629247306056580c41e6e6c958591c890c1bff84d9
SHA512 6f9ea9792b438d619ade10ea332f494d7274bc8e500cdb093e8599a2c46bb094843b0980eb807d153b8ee708ae7a67ee51455e15ba86497ef0e19a3eed990e51

/data/data/kind.collect.action/app_DynamicOptDex/oat/xcN.json.cur.prof

MD5 c0a7dacf29c9e9f071854639d5164954
SHA1 4c3c9fc69999ba2de8e6a71f053a4ec0e100ad02
SHA256 ca95045ee1976ff718c0f295c0b498d81d2df1a36bf3738aefaea071c6ed8a36
SHA512 64ad2c96c034718be62c727f8f1a4a8a6f0dba55421f8c36b0318651e514ec8161e8733b20563010080283bd1c5e91616a27c1a1ca56c95b16f05e51665c1d15

Analysis: behavioral3

Detonation Overview

Submitted: 2024-07-20 08:17
Reported: 2024-07-20 08:20
Platform: android-x64-arm64-20240624-en
Max time kernel: 178s
Max time network: 132s

Command Line

kind.collect.action

Signatures

Hydra  [banker trojan infostealer hydra]
  Hydra payload: detected (no indicator, process or target recorded)

Loads dropped Dex/Jar  [evasion]
  /data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json  (2 load events)

Makes use of the framework's Accessibility service  [collection evasion credential_access]
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Looks up external IP address via web service
  ip-api.com

Queries information about active data network  [discovery]
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries the mobile country code (MCC)  [discovery]
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator  [discovery]
  (no indicator recorded)

Processes

kind.collect.action

Network

Country  Destination              Domain                       Proto
-        224.0.0.251:5353         -                            udp
GB       142.250.187.206:443      -                            tcp
GB       142.250.187.206:443      -                            tcp
US       1.1.1.1:53               android.apis.google.com      udp
GB       216.58.204.78:443        android.apis.google.com      tcp
US       1.1.1.1:53               ssl.google-analytics.com     udp
GB       142.250.178.8:443        ssl.google-analytics.com     tcp
US       1.1.1.1:53               ip-api.com                   udp
US       208.95.112.1:80          ip-api.com                   tcp
US       1.1.1.1:53               gist.githubusercontent.com   udp
US       185.199.109.133:443      gist.githubusercontent.com   tcp
GB       142.250.187.228:443      -                            tcp
GB       142.250.187.228:443      -                            tcp

A "-" means the sandbox recorded no domain for that flow.

Files

/data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json

MD5 0cf5557cbf0383fd47f1c40d3a1da83c
SHA1 ff3596f068cb5afc6cf8c0c89618c2894306a11b
SHA256 b81fc2b74dc198f8dac12b56025512400ad3ab35702fd554e21e1f2752029395
SHA512 b943d9c70aa8f10c698531b398e45a98a5c6c5dea5d5e9e22f3e2658b1b59244e3f5240d535760ebba53ca7729317c50724acf1a554d2dfc21100349e9c5bc22

/data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json

MD5 f07247ab92fac8e2a2bf4378351e6650
SHA1 cacf739c3fd37ec2f83c5ae7ec5f6de115f70467
SHA256 1c88a0718b8ddc9fd0de16629247306056580c41e6e6c958591c890c1bff84d9
SHA512 6f9ea9792b438d619ade10ea332f494d7274bc8e500cdb093e8599a2c46bb094843b0980eb807d153b8ee708ae7a67ee51455e15ba86497ef0e19a3eed990e51

/data/user/0/kind.collect.action/app_DynamicOptDex/oat/xcN.json.cur.prof

MD5 28e0e196466ba0ae4cc5ff79a714d3fa
SHA1 d14204e3c2970a605a8ef41f9a4e3b76c1ac7e4a
SHA256 344ff9211759be3b33a4a16ac6e4eca80d6cc254a001671de8340107d6d110e4
SHA512 1a631a95ab8f09249956f097dfe05167f7cab7f75654b7ab5c61329960f079032474df922a4baba96234acef0a14bda3fdf5a2d65e4d7d5add07af45c175237c

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-20 08:17
Reported: 2024-07-20 08:20
Platform: android-x86-arm-20240624-en
Max time kernel: 179s
Max time network: 136s

Command Line

kind.collect.action

Signatures

Hydra  [banker trojan infostealer hydra]
  Hydra payload: detected twice (no indicator, process or target recorded)

Loads dropped Dex/Jar  [evasion]
  /data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json  (3 load events)

Makes use of the framework's Accessibility service  [collection evasion credential_access]
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Looks up external IP address via web service
  ip-api.com

Queries information about active data network  [discovery]
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries the mobile country code (MCC)  [discovery]
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator  [discovery]
  (no indicator recorded)

Registers a broadcast receiver at runtime (usually for listening for system events)  [persistence]
  Framework service call: android.app.IActivityManager.registerReceiver

Processes

kind.collect.action

/system/bin/dex2oat --instruction-set=x86 \
  --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt \
  --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate \
  --boot-image=/system/framework/boot.art \
  --runtime-arg -Xms64m --runtime-arg -Xmx512m \
  --instruction-set-variant=x86 --instruction-set-features=default \
  --inline-max-code-units=0 --compact-dex-level=none \
  --dex-file=/data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json \
  --output-vdex-fd=41 --oat-fd=42 \
  --oat-location=/data/user/0/kind.collect.action/app_DynamicOptDex/oat/x86/xcN.odex \
  --compiler-filter=quicken --class-loader-context=&

dex2oat is the ART ahead-of-time compiler; the runtime spawns it when an app loads a secondary dex file through a class loader. The --dex-file argument shows that xcN.json, whatever its extension suggests, is a DEX file, compiled here into oat/x86/xcN.odex. This is the same runtime-dropped file recorded by the "Loads dropped Dex/Jar" signature. The command line is truncated at the end as recorded by the sandbox.
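Two checks a practitioner would automate from the dex2oat invocation above and from the "Loads dropped Dex/Jar" signature: parse the recorded command line to see what the runtime is compiling and from where, and identify a dropped file by its magic bytes rather than its extension. The following Python is an added example, not part of the sandbox report or the sample. The command line is embedded exactly as the report prints it (including its truncated tail); the DEX header bytes are constructed, since the real contents of xcN.json are not reproduced on this page.

```python
"""Triage of an ART dex2oat invocation and of a dropped code blob.

Added example, not from the report or the sample.  DEX2OAT_CMDLINE is the
command line recorded in behavioral1 (truncated at the end, as printed);
CONSTRUCTED_DEX_HEADER is made up for the demonstration.
"""
import json
import shlex
from pathlib import PurePosixPath

DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art "
    "--runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/kind.collect.action/app_DynamicOptDex/oat/x86/xcN.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Extensions under which executable code is normally loaded.
CODE_EXTENSIONS = {".dex", ".jar", ".apk", ".zip", ".odex", ".vdex"}
# App-private storage roots; /data/data is a symlink to /data/user/0.
PRIVATE_ROOTS = (("/", "data", "user"), ("/", "data", "data"))


def parse_dex2oat(cmdline: str) -> dict:
    """Collect --key=value options; a repeated key keeps every value
    (--instruction-set-features appears twice in the recorded line)."""
    opts = {}
    for tok in shlex.split(cmdline)[1:]:
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts.setdefault(key, []).append(value)
    return opts


def flag_dynamic_dex(opts: dict) -> list:
    """One finding per reason the compile job looks like dropped code."""
    findings = []
    for dex in opts.get("dex-file", []):
        p = PurePosixPath(dex)
        if p.suffix.lower() not in CODE_EXTENSIONS:
            findings.append(f"non-code extension compiled as DEX: {dex}")
        if p.parts[:3] in PRIVATE_ROOTS:
            findings.append(f"DEX loaded from app-private storage (dropped at runtime): {dex}")
    return findings


def classify_blob(data: bytes) -> str:
    """Identify a dropped file by magic bytes, never by its extension."""
    if data[:4] == b"dex\n" and data[7:8] == b"\x00":      # "dex\n" + "035\0" etc.
        return "dex v" + data[4:7].decode("ascii", "replace")
    if data[:4] == b"PK\x03\x04":                          # zip container
        return "zip (jar/apk)"
    if data[:4] == b"oat\n":                               # compiled oat output
        return "oat"
    try:
        json.loads(data)                                   # is it really JSON?
        return "json"
    except ValueError:
        return "unknown"


# Constructed: the first bytes of a DEX file (magic "dex\n035\0", zero padding).
CONSTRUCTED_DEX_HEADER = b"dex\n035\x00" + b"\x00" * 24

if __name__ == "__main__":
    opts = parse_dex2oat(DEX2OAT_CMDLINE)
    print("dex-file:", opts["dex-file"], "filter:", opts["compiler-filter"])
    for finding in flag_dynamic_dex(opts):
        print("!", finding)
    print(classify_blob(CONSTRUCTED_DEX_HEADER), "/", classify_blob(b'{"k": 1}'))
```

Run against the recorded command line, flag_dynamic_dex() returns two findings: the .json extension on a file dex2oat is compiling, and the app-private app_DynamicOptDex location. classify_blob() is the check to apply to the actual xcN.json once pulled from the sandbox; a file that reports "json" would contradict the signature, a file that reports "dex v035" (or another version) confirms it.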

Network

Country  Destination              Domain                              Proto
-        224.0.0.251:5353         -                                   udp
GB       142.250.187.202:443      -                                   tcp
US       1.1.1.1:53               semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53               ip-api.com                          udp
US       208.95.112.1:80          ip-api.com                          tcp
US       1.1.1.1:53               gist.githubusercontent.com          udp
US       185.199.109.133:443      gist.githubusercontent.com          tcp
GB       142.250.200.46:443       -                                   tcp
US       1.1.1.1:53               android.apis.google.com             udp
GB       142.250.200.46:443       android.apis.google.com             tcp
GB       216.58.201.106:443       semanticlocation-pa.googleapis.com  tcp

A "-" means the sandbox recorded no domain for that flow.

Files

/data/data/kind.collect.action/app_DynamicOptDex/xcN.json

MD5 0cf5557cbf0383fd47f1c40d3a1da83c
SHA1 ff3596f068cb5afc6cf8c0c89618c2894306a11b
SHA256 b81fc2b74dc198f8dac12b56025512400ad3ab35702fd554e21e1f2752029395
SHA512 b943d9c70aa8f10c698531b398e45a98a5c6c5dea5d5e9e22f3e2658b1b59244e3f5240d535760ebba53ca7729317c50724acf1a554d2dfc21100349e9c5bc22

/data/data/kind.collect.action/app_DynamicOptDex/xcN.json

MD5 f07247ab92fac8e2a2bf4378351e6650
SHA1 cacf739c3fd37ec2f83c5ae7ec5f6de115f70467
SHA256 1c88a0718b8ddc9fd0de16629247306056580c41e6e6c958591c890c1bff84d9
SHA512 6f9ea9792b438d619ade10ea332f494d7274bc8e500cdb093e8599a2c46bb094843b0980eb807d153b8ee708ae7a67ee51455e15ba86497ef0e19a3eed990e51

/data/user/0/kind.collect.action/app_DynamicOptDex/xcN.json

MD5 71eac9aca85a7d7b3e6d66460c162c17
SHA1 fa668a1be1993d2002a8ef8b1ce0af1be5dba3b0
SHA256 298118d57a6c809597f674215fa897cbcbe828ad926d31947d23e1cca489088d
SHA512 92240258d41eaff30098f187efb254e76e91d32e920934da6af2a30b8e34bacef004dbeeed1a3efded54a08b24114416a71cb9459b134b9aacfaaa878af0267a

/data/data/kind.collect.action/app_DynamicOptDex/oat/xcN.json.cur.prof

MD5 b67fdb0f617112ef8afaa56036416897
SHA1 ff14bbc700f23c5cdd2b969e263e9023439c4eb9
SHA256 24763720b6af2ada829a2123a23326d4ac1768b04aac88f383c34007ad0a9221
SHA512 ef84da12adfe77876f99ded2570e8b8896f8a81a3e7ea5b30d178490b520b998560f7fdeb36abb5b9d58019ae761a35c211343176acf098ae8e6a5bcfce217a3