hydra | 4e20b8bf1a926e7d5b84e75c920457d9dc572ec78b9a23d1b08afcefe9b78e5c

General

Target

4e20b8bf1a926e7d5b84e75c920457d9dc572ec78b9a23d1b08afcefe9b78e5c.apk
Size

4.4MB
MD5

34d77868cbf62fda6b88a5c7b037d3f3
SHA1

00cdfeaa48544e5c6f0ba3d9329bb015e51e5972
SHA256

4e20b8bf1a926e7d5b84e75c920457d9dc572ec78b9a23d1b08afcefe9b78e5c
SHA512

c4e6e76c670d94062cedac1abfa814e2062087cc12626581c66754b642c17f5d296a5e37b546a9549f30a9a96e59daea8e2b7f86786f999b75124791f4bbcd8b
SSDEEP

98304:LCVeYx5HKqvpDRG1DMlRiQQxX/sqS1zHOrBNI:LqXHNvwp5sjzau

Score

10^/10

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

phwbin.meww.xojktruujg/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/phwbin.meww.xojktruujg/app_DynamicOptDex/OF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/phwbin.meww.xojktruujg/app_DynamicOptDex/oat/x86/OF.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/phwbin.meww.xojktruujg/app_DynamicOptDex/OF.json	4243	phwbin.meww.xojktruujg
/data/user/0/phwbin.meww.xojktruujg/app_DynamicOptDex/OF.json	4270	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/phwbin.meww.xojktruujg/app_DynamicOptDex/OF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/phwbin.meww.xojktruujg/app_DynamicOptDex/oat/x86/OF.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/phwbin.meww.xojktruujg/app_DynamicOptDex/OF.json	4243	phwbin.meww.xojktruujg

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

phwbin.meww.xojktruujg

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	phwbin.meww.xojktruujg
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	phwbin.meww.xojktruujg

Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

phwbin.meww.xojktruujg

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo phwbin.meww.xojktruujg
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

phwbin.meww.xojktruujg

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone phwbin.meww.xojktruujg
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

phwbin.meww.xojktruujg

description ioc process

Framework service call android.app.IActivityManager.registerReceiver phwbin.meww.xojktruujg

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	phwbin.meww.xojktruujg

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	phwbin.meww.xojktruujg

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	phwbin.meww.xojktruujg

phwbin.meww.xojktruujg
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4243
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/phwbin.meww.xojktruujg/app_DynamicOptDex/OF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/phwbin.meww.xojktruujg/app_DynamicOptDex/oat/x86/OF.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4270

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Input Injection

Credential Access

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Network Configuration Discovery

2

T1422

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

1

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/phwbin.meww.xojktruujg/app_DynamicOptDex/OF.json

Filesize
2.6MB

MD5
a1fe9c54a7f9befa304187869fac76da

SHA1
53908c10ecc50d1235bf7f1b292323dfc1bd858d

SHA256
96c14703d56809246c5137cc9d361bb6fe7e6844bd97efe0378473c5e1fa6e3a

SHA512
44b870e299d303d86b3fd2196e8c77124a40d3ed0e3aec9e3909874951f98485fdabc2e9866cf4d424350dccaa6809fa6021c3c97a435182d7d55918de159b6b

Download Submit
/data/data/phwbin.meww.xojktruujg/app_DynamicOptDex/OF.json

Filesize
2.6MB

MD5
db0f230a0e1a546f83769c613d986299

SHA1
50317405a49a3b257ad1b2cc5f854cafefedb80f

SHA256
8b42329687f8371c8a018fc98f0c3701670c891a7edf044b3478a0c9316818e4

SHA512
56e8f504c3e2da8a136a3db7316368325814e5fdcf09ab47442432583f5df47691bb36cb4a912f6a1bb78e0e2f61f21e805a297e6c9d591f6bb97881b0852713

Download Submit
/data/data/phwbin.meww.xojktruujg/app_DynamicOptDex/oat/OF.json.cur.prof

Filesize
482B

MD5
bc7482278f8a4d81a5a61a1648e670ed

SHA1
d22995da912b13dec171ae95fc3423ae4df6a5ff

SHA256
99cbdea62886210ddc08bd741acebea8d5bc4eb81658518d71780d9eb3e8a4db

SHA512
1163d61b1182724a87b802a45c5c1fcbcfd3a9659482f6f2c2e84175d31393fd0fda30e22e03eae3a5e6f1cb1b524ff5fd2545714d0eab50b9591013e30cf049

Download Submit
/data/user/0/phwbin.meww.xojktruujg/app_DynamicOptDex/OF.json

Filesize
2.6MB

MD5
4a9595fa82cb57f02930bf0eb007be87

SHA1
0f0f0bddb640273ed1be618a338cb9e21fec4817

SHA256
6e9a87bf94f744c8a35392ae222807fa2285bdc5174cb989faa7321552da804b

SHA512
f0f43f4743101076105d2384f209fc8c4fa88af7977c0630f91d4bab8515e58f4e924bed80a887a3a0226e830f70e3e33d07e049e71a9ffcaa3c27a03cfc7eb4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads