Analysis
- max time kernel: 178s
- max time network: 131s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 09-08-2024 22:18
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 64e1823d615290a9928071ca28cef39e066a6c0acd99c4d256986a78c630f2cd.apk
  - Resource: android-x86-arm-20240624-en

Behavioral task
- behavioral2
  - Sample: 64e1823d615290a9928071ca28cef39e066a6c0acd99c4d256986a78c630f2cd.apk
  - Resource: android-x64-20240624-en

Behavioral task
- behavioral3
  - Sample: 64e1823d615290a9928071ca28cef39e066a6c0acd99c4d256986a78c630f2cd.apk
  - Resource: android-x64-arm64-20240624-en
General
- Target: 64e1823d615290a9928071ca28cef39e066a6c0acd99c4d256986a78c630f2cd.apk
- Size: 4.2MB
- MD5: 977e63b35eabcc202fa7407763517ab0
- SHA1: dc327a30574186e2275587b0089d46e06d81a51f
- SHA256: 64e1823d615290a9928071ca28cef39e066a6c0acd99c4d256986a78c630f2cd
- SHA512: 6b66cb22ad5dbdc5e0beae65944eadd1a9628d45d84fddad06c0573079700b5d4f97703b5c71858485cc81d4ea9094f4744ff8fca613b6f1b8699ec3a41be9cd
- SSDEEP: 98304:4ZbhYxPXwoOo1Ugi+vb0EqTHikIovs4W4vjYluiP07LT3ToSFHB:YbSR7Oo1ACgEqTHwnv4vr/7nESFHB
Malware Config
Extracted
- Family: hydra
- http://ggfttffygygyf6544566.cfd
Signatures

Hydra
Android banker and info stealer.

Hydra payload (2 IoCs)
- resource: behavioral1/files/fstream-1.dat, yara_rule: family_hydra2
- resource: behavioral1/memory/4307-1.dex, yara_rule: family_hydra2
Loads dropped Dex/Jar (1 TTP, 3 IoCs)
Runs executable file dropped to the device during analysis.
- ioc: /data/user/0/com.qcqkduyta.gfsvrxtat/app_app_dex/igyrmrt.ovy, pid: 4307, process: com.qcqkduyta.gfsvrxtat
- ioc: /data/user/0/com.qcqkduyta.gfsvrxtat/app_app_dex/igyrmrt.ovy, pid: 4521, process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qcqkduyta.gfsvrxtat/app_app_dex/igyrmrt.ovy --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.qcqkduyta.gfsvrxtat/app_app_dex/oat/x86/igyrmrt.odex --compiler-filter=quicken --class-loader-context=&
- ioc: /data/user/0/com.qcqkduyta.gfsvrxtat/app_app_dex/igyrmrt.ovy, pid: 4307, process: com.qcqkduyta.gfsvrxtat
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
- description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process: com.qcqkduyta.gfsvrxtat
- description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process: com.qcqkduyta.gfsvrxtat
Reads the contacts stored on the device (1 TTP, 1 IoC)
- description: URI accessed for read, ioc: content://com.android.contacts/contacts, process: com.qcqkduyta.gfsvrxtat
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow: 21, ioc: ip-api.com
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
- description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: com.qcqkduyta.gfsvrxtat
Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
Application may abuse the accessibility service to prevent its removal.
- ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.qcqkduyta.gfsvrxtat
Queries information about active data network (1 TTP, 1 IoC)
- description: Framework service call, ioc: android.net.IConnectivityManager.getActiveNetworkInfo, process: com.qcqkduyta.gfsvrxtat
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
- description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process: com.qcqkduyta.gfsvrxtat
Reads information about phone network operator (1 TTP)
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
- description: Framework service call, ioc: android.app.IActivityManager.registerReceiver, process: com.qcqkduyta.gfsvrxtat
Processes
- com.qcqkduyta.gfsvrxtat (PID: 4307)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Reads the contacts stored on the device.
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about active data network
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qcqkduyta.gfsvrxtat/app_app_dex/igyrmrt.ovy --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.qcqkduyta.gfsvrxtat/app_app_dex/oat/x86/igyrmrt.odex --compiler-filter=quicken --class-loader-context=& (PID: 4521)
    - Loads dropped Dex/Jar
Network

MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Downloads
- Filesize: 2.7MB
  - MD5: 0139414834ace5f135a0980f81dd4cf0
  - SHA1: 8a9273f57a92fdbc4050db2b33653e60409fb8e4
  - SHA256: 2281dd716f65f9e0aa930283e8e9f98748f7e060d2a57cecba9012bf0d47cf2a
  - SHA512: 82f601d09ae862fd9df53e4b0487c5e80a1787791551e9fffe052ea885f3faee3c1f9e75df90de1fa7aad63cec0fc81da6ec8ec7489feb72182a84f3103a00b1
- Filesize: 2.7MB
  - MD5: c5b8848d3ddb09ef901d6dd33106dedb
  - SHA1: b6492441bc8000c84fb388eb566c76812734cc4a
  - SHA256: 65d7f71ceb52ca801201c2b65d9493465d64c60502ba4fb053d5f1c008e6ee17
  - SHA512: 08c321d60e7cf5ce800334a2a284aa43c4f1410046a1254f01dc73f014a82171ca77431c856a377ffc6ff2e32909848d28950e04c23b49fae79911b677cc4357