Analysis
- max time kernel: 63s
- max time network: 66s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 21-08-2024 07:26

Static task: static1
Behavioral task: behavioral1
- Sample: cnzjhttmkttakcgd.apk
- Resource: android-x86-arm-20240624-en
General
- Target: cnzjhttmkttakcgd.apk
- Size: 4.4MB
- MD5: 5724cfd1f0c5edd71f3d451e5c02cf3c
- SHA1: 2dfe37f73fc5174ed6b02c616c22ac1fd981aac8
- SHA256: 83e5822562da08cbab888ba5af84aa118c298de4fdb39fde2ac3b36492816f52
- SHA512: 389307ba8e7e0bccffea2d654f623732c9fd4b1da55567d899bb89a52766a13e8c117ec35f8ef3e634987442bc5896624b5b7279559258eef87180ef82134da0
- SSDEEP: 98304:vM+grW9YmPdveu4nvULGfQ0A/DoGLiXJqIU0vt2:vM+gK9TCzfQ0A/MGiZqt0vt2

Malware Config
Extracted:
- hydra
- http://safiresolimetopulezdomire.xyz
Signatures
- Hydra
  Android banker and info stealer.
- Hydra payload (2 IoCs)
  Processes (resource / yara_rule):
  - resource: /data/data/com.jgzcvqwvk.jpmsegvgc/app_app_dex/ungvfof.smt, yara_rule: family_hydra2
  - resource: /data/user/0/com.jgzcvqwvk.jpmsegvgc/app_app_dex/ungvfof.smt, yara_rule: family_hydra2
- Loads dropped Dex/Jar (1 TTP, 3 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes:
  - com.jgzcvqwvk.jpmsegvgc
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jgzcvqwvk.jpmsegvgc/app_app_dex/ungvfof.smt --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.jgzcvqwvk.jpmsegvgc/app_app_dex/oat/x86/ungvfof.odex --compiler-filter=quicken --class-loader-context=&
  IoCs (ioc / pid / process):
  - ioc: /data/user/0/com.jgzcvqwvk.jpmsegvgc/app_app_dex/ungvfof.smt, pid: 4313, process: com.jgzcvqwvk.jpmsegvgc
  - ioc: /data/user/0/com.jgzcvqwvk.jpmsegvgc/app_app_dex/ungvfof.smt, pid: 4345, process: /system/bin/dex2oat (full command line listed above)
  - ioc: /data/user/0/com.jgzcvqwvk.jpmsegvgc/app_app_dex/ungvfof.smt, pid: 4313, process: com.jgzcvqwvk.jpmsegvgc
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes:
  - com.jgzcvqwvk.jpmsegvgc
  IoCs (description / ioc / process):
  - description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process: com.jgzcvqwvk.jpmsegvgc
  - description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process: com.jgzcvqwvk.jpmsegvgc
- Reads the contacts stored on the device. (1 TTP, 1 IoC)
  Processes:
  - com.jgzcvqwvk.jpmsegvgc
  IoCs (description / ioc / process):
  - description: URI accessed for read, ioc: content://com.android.contacts/contacts, process: com.jgzcvqwvk.jpmsegvgc
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  IoCs (flow / ioc):
  - flow: 10, ioc: ip-api.com
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes:
  - com.jgzcvqwvk.jpmsegvgc
  IoCs (description / ioc / process):
  - description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: com.jgzcvqwvk.jpmsegvgc
- Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
  Application may abuse the accessibility service to prevent its removal.
  Processes:
  - com.jgzcvqwvk.jpmsegvgc
  IoCs (ioc / process):
  - ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.jgzcvqwvk.jpmsegvgc
- Queries information about active data network (1 TTP, 1 IoC)
  Processes:
  - com.jgzcvqwvk.jpmsegvgc
  IoCs (description / ioc / process):
  - description: Framework service call, ioc: android.net.IConnectivityManager.getActiveNetworkInfo, process: com.jgzcvqwvk.jpmsegvgc
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Processes:
  - com.jgzcvqwvk.jpmsegvgc
  IoCs (description / ioc / process):
  - description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process: com.jgzcvqwvk.jpmsegvgc
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Processes:
  - com.jgzcvqwvk.jpmsegvgc
  IoCs (description / ioc / process):
  - description: Framework service call, ioc: android.app.IActivityManager.registerReceiver, process: com.jgzcvqwvk.jpmsegvgc
Processes
- com.jgzcvqwvk.jpmsegvgc (PID: 4313)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Reads the contacts stored on the device.
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about active data network
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jgzcvqwvk.jpmsegvgc/app_app_dex/ungvfof.smt --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.jgzcvqwvk.jpmsegvgc/app_app_dex/oat/x86/ungvfof.odex --compiler-filter=quicken --class-loader-context=& (PID: 4345)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Downloads
- Filesize: 2.7MB
  MD5: 1ff327754dec0c137bfd00a0c26faa30
  SHA1: b33e9bfa275a5175cfdc29174d7af577d30573f1
  SHA256: 8714b521b90eefac5f3a02687f6f6d5fbdc1e43bb447ba7b4b6f2741edd4cfbe
  SHA512: 6d274709c1c9dffef6892699cbbcc40bab5445916b894839199285762cf8e9a35ec194682aaf2afbc755cb94028c20720de525b655974a261957a1a709765355
- Filesize: 2.7MB
  MD5: 71dc76ccef6eb8edb166cb886040cc66
  SHA1: 43a66d1600867fc5c977e825304947713022df37
  SHA256: 539e9fcf835f8922fb7f29fe5ce657a3cd5fb07843abe03bd30ff9576810dffc
  SHA512: c0049d6eb8b61aa92a0c10e945afc7c0e09c6b73b49bf4a3bc3df810d4c3675f7816e9523b2243f4c5e3e54f7189a0a2482db46f93e9fd279a51a396bcbbf606