Analysis
-
max time kernel
148s -
max time network
132s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
02-09-2024 22:04
General
-
Target
738ec95889eed3395142bf0e3e554b6ca32baf09eabcffc9def60094dee1cd5b.apk
-
Size
4.6MB
-
MD5
23f0a2179914207408b88895c336d5b2
-
SHA1
675ece114e7d0613c979e812beefdfe18c1d0ae0
-
SHA256
738ec95889eed3395142bf0e3e554b6ca32baf09eabcffc9def60094dee1cd5b
-
SHA512
d1ec24c10ec25a3d7905c38ff9e8158358f4225778257933fa2dc28938beb2b579a7984370029382b96debddf2888521328e312ebae0df5db33d3e43e46126c8
-
SSDEEP
98304:HkoQIrNDB9fSJ4bhxfimngmWR9XIocBkbes82yA2M3tqMsXH0i5:H5vD7fSsxqmngmS9XI0Suptm0i5
Malware Config
Extracted
hydra
http://gghfghfhfgccfhfxgdxffg7664.cfd
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra payload 2 IoCs
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes
-
com.ukshmqbya.geghegoxd1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Reads the contacts stored on the device.
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ukshmqbya.geghegoxd/app_app_dex/tjwohel.kel --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ukshmqbya.geghegoxd/app_app_dex/oat/x86/tjwohel.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD56cabe0921700c647a7b1788d5aaa6b8e
SHA158fb420377a00797ec264b8d06925fa0018b07ac
SHA2569c518737ce3ffa01ec01b9c018c809808ada47043e90a5183c00f7b9bdef2afa
SHA512611747abff6a0eb7f0f2e856e7607f56dcc8a984daffaafb702fd6564d3495067e8e1d844006650b7a0d150b57fb421e0a9c586af83602d4ce29af2549b46a04
-
Filesize
2.7MB
MD5c006d6ae94c644f2370f481654a2bad2
SHA18d46a8f1ad72e0da9f54f382c97e9d8e62cbd7ec
SHA256407de73ec5ebf7c1b34a305e08f4a4e7cf4d5ff7dfb29de7d7c2e7a68c23bae2
SHA5129a3c532094e1e295ff34827095ed40e1cf6ef1624e8a3b120dc07a296beb70deb36f4d9501ba2ce85b263e82b374a849934d7f008bc79e4954dacf83b4b9b3b5