hydra | f3461634486f4177f1dd18f89a06ca6a8c5bdf829604c15ecda2fa51c6a88c95

General

Target

0b1c0ff2a98a57fa9ced149762b8fb9c_JaffaCakes118.apk
Size

3.0MB
MD5

0b1c0ff2a98a57fa9ced149762b8fb9c
SHA1

3b184ddb11435dcb5d3f5de724c0718d0ecfc859
SHA256

f3461634486f4177f1dd18f89a06ca6a8c5bdf829604c15ecda2fa51c6a88c95
SHA512

73f256c581cef280938a09d34ad2bd511fcec8d354d3dacb1d855ccdba15efeec97b4bdf1acd24168d57733ede7a8947b8762377f563b14c8612383838cb9963
SSDEEP

49152:YbuRuQUJjM9UhqBJbujHzieFSR+GFJnSyyNYN4of6zujiHWsWcHeX5KoIoE7bD:Yq4QUJc/buH64GWOrIWsWcH8t58

Score

10^/10

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.euhfotlq.fuzdajn/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.euhfotlq.fuzdajn/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&com.euhfotlq.fuzdajn

ioc	pid	process
/data/user/0/com.euhfotlq.fuzdajn/code_cache/secondary-dexes/base.apk.classes1.zip	4282	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.euhfotlq.fuzdajn/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.euhfotlq.fuzdajn/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.euhfotlq.fuzdajn/code_cache/secondary-dexes/base.apk.classes1.zip	4252	com.euhfotlq.fuzdajn

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.euhfotlq.fuzdajn

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.euhfotlq.fuzdajn
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.euhfotlq.fuzdajn

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.euhfotlq.fuzdajn

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.euhfotlq.fuzdajn
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.euhfotlq.fuzdajn

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.euhfotlq.fuzdajn
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.euhfotlq.fuzdajn

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.euhfotlq.fuzdajn

flow	ioc
8	ip-api.com

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.euhfotlq.fuzdajn

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.euhfotlq.fuzdajn

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.euhfotlq.fuzdajn

com.euhfotlq.fuzdajn
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4252
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.euhfotlq.fuzdajn/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.euhfotlq.fuzdajn/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4282

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Input Injection

Credential Access

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Network Configuration Discovery

1

T1422

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

1

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.euhfotlq.fuzdajn/code_cache/secondary-dexes/tmp-base.apk.classes7061051845860282164.zip

Filesize
378KB

MD5
6829a0ae3f61844d0a4e57eb0df84465

SHA1
9b53d1a881df077e37741e5c8f6a6269a8b44801

SHA256
3a7313d3aa3141b4d6c1d1dd722a7b9fd7174345879279bd6ce044917232cc3f

SHA512
9bafeb54d7ca0b6146bcecc2c183cbd3d4392807c78f546027c956c19032d95e9024a091280b2099a9549863be0f5ec78b97f3e055a25f0b23b69a19c5032f59

Download Submit
/data/user/0/com.euhfotlq.fuzdajn/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
902KB

MD5
a42c4fb29f810d5805fb6a267ebff6c9

SHA1
7f3bbf0d77febca021b2597e22eff7741088934b

SHA256
1416f39f7507584c5d05604bf22dc8e4d0c0deee1dc64cb78dffb3c085809507

SHA512
9224a505a6220b4bff4b21be1fc280ec0b7560289d586d6c21f70833b56c4faf1f9a3094cb8473c43a559ec36de2c43e355b0368d4ae590e182b748482d5aca0

Download Submit
/data/user/0/com.euhfotlq.fuzdajn/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
902KB

MD5
0caa1a0ebd20647b4dae3bf6d7f2a19a

SHA1
c0ee2687bbaeb224141585058424613b19a10035

SHA256
f001e05266ecae0667daafb81dd948196a342f5df1f994b14b84ef0daf091df2

SHA512
b860436e0ce0ab0548129abcd23de18451719d4fe6d9228e276b1ca51658f771470379477b43442602a2dcfec08ade272143590731a37f53ff2f5c7ee4c2f91d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads