Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240624-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    05-10-2024 22:00

General

  • Target

    987b17dfbbc2f5acac96d6ce6bfff34a427ca7bcb554a469b48ac797569eb8bb.apk

  • Size

    3.7MB

  • MD5

    baba3568c8aa36079407883d3da9ec67

  • SHA1

    32e9343d81bb32e659b3e153c0584127d2558bc8

  • SHA256

    987b17dfbbc2f5acac96d6ce6bfff34a427ca7bcb554a469b48ac797569eb8bb

  • SHA512

    1a3ebe6acb0dd168c1d6eee898ec7639b12f7688623fea1165a430c7f4ca7df32f3ff582021a1dd1fd41b3be9c7a2d9a221c73d723d6437520182c0c5da434db

  • SSDEEP

    98304:9ItBpayGMSqgkCkyZgKh87ztY9fmSEB5Qw9Bs:9cBpayUqgTkwJmFfSEbs

Malware Config

Extracted

Family

hydra

C2

http://cangerconger.com

DES_key

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Processes

  • com.heeppnxtr.ibokravhr
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4235
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.heeppnxtr.ibokravhr/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.heeppnxtr.ibokravhr/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4263

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.heeppnxtr.ibokravhr/app_apk/payload.apk

    Filesize

    974KB

    MD5

    3baeaa766ea7f31a9147208efd957c75

    SHA1

    c701de3d0e55425394ccbf8e0967639e86f3c54e

    SHA256

    75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d

    SHA512

    9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

  • /data/data/com.heeppnxtr.ibokravhr/app_dex/classes.dex

    Filesize

    2.7MB

    MD5

    00217bc3716b62280f8dcc15bb99e6a4

    SHA1

    b3b5569e10c65cb6886d3a60402d63a5835e20c5

    SHA256

    bad5935a67d2ae89b563842c638ece7b381c1c118eb3cbc10d6811fe97cbacd4

    SHA512

    e9212032b9342634c97edc531c522fbe756c58dfcb17856d083a04a9b8da05c119f0d750661bcc66b9f1a88fdb7069e50e9d32b33f3db3fed2c9e991df82f6a0

  • /data/data/com.heeppnxtr.ibokravhr/cache/K03TVPnWNdU4BngpfSY8XTJwClLEuuKeLX8fTdoQ.zip

    Filesize

    66.4MB

    MD5

    d7172db8d409853fdad76ed1d9556ace

    SHA1

    7d4b380fdffeeb051461717c8dc156f3162cf168

    SHA256

    cd168775bca0186b350f1016f22839a833c39e63d46df6f93a8ea897a9c7d687

    SHA512

    8ed338e68159b6c4bdae0c247109ef88467e48b0b3be9372035c2e1ee087a9d5cfa70edf138871cca57ec6bb9e6e2064314daab03e2ed4ac04d7efe21c7b2562

  • /data/data/com.heeppnxtr.ibokravhr/cache/classes.dex

    Filesize

    1.3MB

    MD5

    8fefb3a63614dc30cb576618a5de5b60

    SHA1

    4d20bd8ec25afd0672c1278300bec29cb26b484d

    SHA256

    bbaca0300e26507a5e13008f8a954143f6aa588105cee741693b1f962f8ef7f0

    SHA512

    20fce445dfdeb6512d156c59538ea663cf5bf9f0d6c75c1a2521fae156f43bda3e7219bd9c6ab16276b4a5f4c0fa11d2a6af483f9ccbc700eb4f13dd773ae837

  • /data/data/com.heeppnxtr.ibokravhr/cache/classes.zip

    Filesize

    1.3MB

    MD5

    e7cbc24c8bc9a9e42bfa5d7870996204

    SHA1

    a59471f8d458c8011b4e415283f4e97736480e97

    SHA256

    bd4947adb9a8ed667c81735ef02e49832b3988a22193708ffba556cd756831ef

    SHA512

    877ee5de0480eec1f3ecc546a3b721b92882a2aa0976761eddef46d16ca6ce4e34effa674d3a3f2d9fde2e2c73ee3e46d07acef56906b12e031e5dab04ad04b1

  • /data/user/0/com.heeppnxtr.ibokravhr/app_dex/classes.dex

    Filesize

    2.7MB

    MD5

    3de5d53c1e8fb37be482b18848494beb

    SHA1

    b170ae4bf472c05fa865ad19bf2150b1b533de42

    SHA256

    d63bfbb04e4026c14ac804da03068c0e6fa2f1adfc1fbca7a34276d862345699

    SHA512

    9efe6b3c4b79d76cdd725793c01b0462a21e16ce13dafdfbad6263591cb52b4ab85afa4ec2bcd29c2dd760ecb516787ff26a517182fed58c5f8ad014d6be6aeb