Malware Analysis Report

2024-10-19 12:04

Sample ID 240801-p546ga1fmn
Target ddf446f2164bcf6bd46af668dd245fafb3c32d7b5620bfa7577978a8ace2acc3.bin
SHA256 ddf446f2164bcf6bd46af668dd245fafb3c32d7b5620bfa7577978a8ace2acc3
Tags
hydra banker evasion infostealer trojan collection credential_access discovery persistence
score
10/10

Analysis Overview

score
10/10

SHA256

ddf446f2164bcf6bd46af668dd245fafb3c32d7b5620bfa7577978a8ace2acc3

Threat Level: Known bad

The file ddf446f2164bcf6bd46af668dd245fafb3c32d7b5620bfa7577978a8ace2acc3.bin was found to be: Known bad.

Malicious Activity Summary

hydra banker evasion infostealer trojan collection credential_access discovery persistence

Hydra

Hydra payload

Reads the contacts stored on the device.

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Reads information about phone network operator.

Queries information about active data network

Looks up external IP address via web service

Performs UI accessibility actions on behalf of the user

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-01 12:55

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-01 12:55

Reported

2024-08-01 12:57

Platform

android-x86-arm-20240624-en

Max time kernel

32s

Max time network

67s

Command Line

com.grand.snail

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.grand.snail/app_mph_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.grand.snail/app_mph_dex/classes.dex | N/A | N/A

Processes

com.grand.snail

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.grand.snail/app_mph_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.grand.snail/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp

Files

/data/data/com.grand.snail/app_mph_dex/classes.dex

MD5 ccfaf0cba913b26cc3f6994cddd05549
SHA1 a4b302c886d8284187dd81123efd8039a072d119
SHA256 eed2e1a100238dbfdd57a185e36ebe34d88cf6ee739e2f740d6a5d0291ed0814
SHA512 a0d130fcb9d8558aef98171e08056914bfee6e217d91a3fc400f0cf95bf9a6c655c2698ae8323eaaee48fa29112eee2ee4d1b3456870d282e0e2ad21b094ef18

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-01 12:55

Reported

2024-08-01 12:59

Platform

android-x64-20240624-en

Max time kernel

179s

Max time network

175s

Command Line

com.grand.snail

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.grand.snail/app_mph_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.grand.snail/app_mph_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.grand.snail

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 mersintantuniad33.com udp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp

Files

/data/data/com.grand.snail/app_mph_dex/classes.dex

MD5 ccfaf0cba913b26cc3f6994cddd05549
SHA1 a4b302c886d8284187dd81123efd8039a072d119
SHA256 eed2e1a100238dbfdd57a185e36ebe34d88cf6ee739e2f740d6a5d0291ed0814
SHA512 a0d130fcb9d8558aef98171e08056914bfee6e217d91a3fc400f0cf95bf9a6c655c2698ae8323eaaee48fa29112eee2ee4d1b3456870d282e0e2ad21b094ef18

/data/data/com.grand.snail/app_mph_dex/oat/classes.dex.cur.prof

MD5 6ca03766bb7c4891f713a81cbc3f7bc1
SHA1 0e388cb72018d4827d366abebc030d65ee590b3b
SHA256 a70ae2169b38e25f47eb9be5d3b5316557cd7ceff70bed043d4166ace70719ee
SHA512 c8734995df1ec90ff366c7fb2fbca3079092007fc0419482fcdb3023ff51059010e38cd6c300cc800a95b50eb8bb0a754d80fe2870c4d4d6cf8f4f90d4b17cd1

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-01 12:55

Reported

2024-08-01 12:59

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

174s

Command Line

com.grand.snail

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.grand.snail/app_mph_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.grand.snail/app_mph_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.grand.snail

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp
US 1.1.1.1:53 mersintantuniad33.com udp

Files

/data/user/0/com.grand.snail/app_mph_dex/classes.dex

MD5 ccfaf0cba913b26cc3f6994cddd05549
SHA1 a4b302c886d8284187dd81123efd8039a072d119
SHA256 eed2e1a100238dbfdd57a185e36ebe34d88cf6ee739e2f740d6a5d0291ed0814
SHA512 a0d130fcb9d8558aef98171e08056914bfee6e217d91a3fc400f0cf95bf9a6c655c2698ae8323eaaee48fa29112eee2ee4d1b3456870d282e0e2ad21b094ef18

/data/user/0/com.grand.snail/app_mph_dex/oat/classes.dex.cur.prof

MD5 e830e0d66b2e8580c474c93e7b6470fa
SHA1 a609cf3b4b93e2c2d109698f1daf3df9ec22455e
SHA256 200b90ab88a33d1c8a49f298ac8e83824f738fab82e546af2fbb81b5f00bd553
SHA512 a768163b694cf3b6c2733ef076a374b9eec1218cd7f7b3da28e9a9e2e1a8b3f526d84b4faf057714ce05abd7b77a7b3fd2bca59194f49dbcc7324386dbf9e665