Analysis
-
max time kernel
179s -
max time network
175s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system -
submitted
01-08-2024 12:55
Static task
static1
Behavioral task
behavioral1
Sample
ddf446f2164bcf6bd46af668dd245fafb3c32d7b5620bfa7577978a8ace2acc3.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
ddf446f2164bcf6bd46af668dd245fafb3c32d7b5620bfa7577978a8ace2acc3.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
ddf446f2164bcf6bd46af668dd245fafb3c32d7b5620bfa7577978a8ace2acc3.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
ddf446f2164bcf6bd46af668dd245fafb3c32d7b5620bfa7577978a8ace2acc3.apk
-
Size
1.2MB
-
MD5
8660acf5909d0af99d843b2e268d16ae
-
SHA1
6f7649255b1cb7950e19e8ce78dcdf33b62020d7
-
SHA256
ddf446f2164bcf6bd46af668dd245fafb3c32d7b5620bfa7577978a8ace2acc3
-
SHA512
e6531e8290676614f0f46730f7bab1c3414efafef656d37d4142549b316e0df5718a8eb4211feb29f3d7b853b7968983618640fd3569dabb4c2266e85da2ff39
-
SSDEEP
24576:8FjqE4sijToAeMf2w9jrf28k434tyqtG5pbheOoeEj6+DhssEja:s4scTX9jrf2wqoj4N6s1Eja
Malware Config
Extracted
hydra
http://mersintantuniad33.com
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra payload 2 IoCs
resource yara_rule behavioral2/files/fstream-1.dat family_hydra1 behavioral2/files/fstream-1.dat family_hydra2 -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.grand.snail/app_mph_dex/classes.dex 4924 com.grand.snail /data/user/0/com.grand.snail/app_mph_dex/classes.dex 4924 com.grand.snail -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.grand.snail Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.grand.snail -
Reads the contacts stored on the device. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://com.android.contacts/contacts com.grand.snail -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 ip-api.com -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.grand.snail -
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.grand.snail -
Queries information about active data network 1 TTPs 1 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.grand.snail -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.grand.snail -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.grand.snail
Processes
-
com.grand.snail1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Reads the contacts stored on the device.
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4924
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD5ccfaf0cba913b26cc3f6994cddd05549
SHA1a4b302c886d8284187dd81123efd8039a072d119
SHA256eed2e1a100238dbfdd57a185e36ebe34d88cf6ee739e2f740d6a5d0291ed0814
SHA512a0d130fcb9d8558aef98171e08056914bfee6e217d91a3fc400f0cf95bf9a6c655c2698ae8323eaaee48fa29112eee2ee4d1b3456870d282e0e2ad21b094ef18
-
Filesize
1KB
MD56ca03766bb7c4891f713a81cbc3f7bc1
SHA10e388cb72018d4827d366abebc030d65ee590b3b
SHA256a70ae2169b38e25f47eb9be5d3b5316557cd7ceff70bed043d4166ace70719ee
SHA512c8734995df1ec90ff366c7fb2fbca3079092007fc0419482fcdb3023ff51059010e38cd6c300cc800a95b50eb8bb0a754d80fe2870c4d4d6cf8f4f90d4b17cd1