Analysis
-
max time kernel
148s -
max time network
154s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system -
submitted
06-10-2024 22:06
Behavioral task
behavioral1
Sample
74aab8e0ae7d32e93b13a006fdd9cf745215ed6dbf72c7599653bfed69369efb.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
74aab8e0ae7d32e93b13a006fdd9cf745215ed6dbf72c7599653bfed69369efb.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
74aab8e0ae7d32e93b13a006fdd9cf745215ed6dbf72c7599653bfed69369efb.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
74aab8e0ae7d32e93b13a006fdd9cf745215ed6dbf72c7599653bfed69369efb.apk
-
Size
1.4MB
-
MD5
173149ab145e6fc348764312695eae99
-
SHA1
204ddb9a89368539db3d65dbff13cd4c92e34fe0
-
SHA256
74aab8e0ae7d32e93b13a006fdd9cf745215ed6dbf72c7599653bfed69369efb
-
SHA512
493dc60347de545df79de27596a3e3e7667f793fa2dea68d2969c0e082cc279e97baf8a2578713c35f5c545ebb01c71e45a4541e885e65a31fdea3d7349a0c43
-
SSDEEP
24576:OgVnyEJ6PR94Z4/JecuIi8nhBCCI3vYOh2lv4TdFGHAN:OgVnHARGZTcRi8n/6wO7TbH
Malware Config
Extracted
hydra
http://vadafoneszos.com
Signatures
-
Hydra
Android banker and info stealer.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.grand.snail Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.grand.snail -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://com.android.contacts/contacts com.grand.snail -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 ip-api.com -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.grand.snail -
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.grand.snail -
Queries information about active data network 1 TTPs 1 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.grand.snail -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.grand.snail -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.grand.snail
Processes
-
com.grand.snail1⤵
- Makes use of the framework's Accessibility service
- Reads the contacts stored on the device.
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4266
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
1System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
974KB
MD53baeaa766ea7f31a9147208efd957c75
SHA1c701de3d0e55425394ccbf8e0967639e86f3c54e
SHA25675e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d
SHA5129f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f
-
Filesize
45.7MB
MD5a0470e0c0713133bfd2da18ec88e70a5
SHA1dbbd15c9353eed546cf2ae95217e02c0d8e7fb46
SHA2569850435dbf4b819adc3d48368ac6ab792eaccf0599c310716fc0ce93aea34f85
SHA5128a4e99d375f76151583ca149e359070b23cf0f4d4fb77c3caf73e016e9f23a5c2de5b36476737d376a97cb5fd77732ce9f7a8d1b2c9346b8de0cbbf5bf1d5dee