Analysis

  • max time kernel: 179s
  • max time network: 132s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • submitted: 08-08-2024 22:01

General

  • Target: 676252be67035bf42b740041865d8a902988eb32111bcf9995e5ae774c420930.apk
  • Size: 4.7MB
  • MD5: 9fc0aa2fac6d9f36c2bc26cfec8278ce
  • SHA1: f768666ee5f2c8a197bbc95a0b8a674d919c7c08
  • SHA256: 676252be67035bf42b740041865d8a902988eb32111bcf9995e5ae774c420930
  • SHA512: 6ade9d6c32caaa03449e973b9f7e934c07b1ca84e48469cf379abfa81dcf0699b4fcf3e2f85022cd5324d256682edb0d17a768bc8f05562836a8d57588b50c15
  • SSDEEP: 98304:DEJefbQL79Az8VCvGvPEhnzKIrzj5LFnGmu3FOT:D1f4hLVCPzKIrzJu1c

Malware Config

Extracted

  • Family: hydra
  • C2: https://gist.githubusercontent.com/olimpiamilano200/65c0969b6dc440233852de072ac97545/raw/helloworld.json

Signatures

  • Hydra
    Android banker and info stealer.
  • Hydra family
  • Hydra payload (2 IoCs)
  • Loads dropped Dex/Jar (1 TTP, 3 IoCs)
    Runs executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Queries information about active data network (1 TTP, 1 IoC)
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about phone network operator (1 TTP)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)

Processes

  • oppose.assist.baby (PID 4258)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/oppose.assist.baby/app_DynamicOptDex/bTi.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/oppose.assist.baby/app_DynamicOptDex/oat/x86/bTi.odex --compiler-filter=quicken --class-loader-context=& (PID 4286, child of 4258)
      • Loads dropped Dex/Jar

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/oppose.assist.baby/app_DynamicOptDex/bTi.json
    Filesize: 3.1MB
    MD5: ec683eb71d77ec19a2b7f62a896976a5
    SHA1: c3f8908ebcd923895266ef85c28957a0203f9482
    SHA256: b044b9c285319817afebd4ced88c901d7ab5c02c5e8307a6d5141c45b553a5c3
    SHA512: 9598028da31de7a4577048dd736a1297ceb1328af038049903e6ecc7d83249f0b50b805ee9c034949631e905f590e379e478916c2fc3824f1bab29e0b57abb13

  • /data/data/oppose.assist.baby/app_DynamicOptDex/bTi.json
    Filesize: 3.1MB
    MD5: 9380d17837e17c235ec232c7def111ab
    SHA1: 0d10ff65ce0bccad51baa16613356d1f6206d510
    SHA256: e06240fa53e1632d6576fac32a3d60ae099593bba6b985fbbdd5cd305ac56a66
    SHA512: ddf5e0c4217a2b9c9f8c5e8670facc4e9622f7da063f73d8a23402d937fd72a60ac3b3d2f51bfb17ca0dd49937cdb5f57065a297956369936a0e5d4155bf3420

  • /data/data/oppose.assist.baby/app_DynamicOptDex/oat/bTi.json.cur.prof
    Filesize: 590B
    MD5: 846371f26303909d9d63fc0c4eb6faa6
    SHA1: f46b3e6e0eecee3464a3cfc5ba075b3c9dd1d7b3
    SHA256: 231e2af577fd3f8df1f7f3662824e7be6528b892bda808080ef3f0a4c5d6492c
    SHA512: a7fea58c3a85ab6e964fcf1ac29085b716cb94b8b910e0e7669d3d73c92decf46e79465e9f32bb7d468e1efbe44166e9e0d9562dbd1c1c3d2bb14b76401d7298

  • /data/user/0/oppose.assist.baby/app_DynamicOptDex/bTi.json
    Filesize: 3.1MB
    MD5: c9ced6ab3e81d2ade55cf514f677d27b
    SHA1: dc369490b20b8b98160a7d6c871bd80241d8ef32
    SHA256: 31412dc61ff5ae321e63b44cd62a892a207124bd4dd0344c25e6824c3c3fc779
    SHA512: c91dcbda5d2be95c7feeea11c57358cf7aff84cb281d7ba2c46c4358e83cd7af7781fbd26dedfdb94db26547bff16a11ca2f24678b061c1fd45713ea7aace7c0