Analysis
  max time kernel:  149s
  max time network: 143s
  platform:         android_x64
  resource:         android-x64-20240624-en
  resource tags:    android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  submitted:        08-10-2024 22:03
Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample:   04675e76830e6712a2003ab116aa291fe8e4215b4e7f6205545def6628d5ab0e.apk
    Resource: android-x86-arm-20240624-en
  Behavioral task: behavioral2
    Sample:   04675e76830e6712a2003ab116aa291fe8e4215b4e7f6205545def6628d5ab0e.apk
    Resource: android-x64-20240624-en
  Behavioral task: behavioral3
    Sample:   04675e76830e6712a2003ab116aa291fe8e4215b4e7f6205545def6628d5ab0e.apk
    Resource: android-x64-arm64-20240910-en
General
  Target: 04675e76830e6712a2003ab116aa291fe8e4215b4e7f6205545def6628d5ab0e.apk
  Size:   3.7MB
  MD5:    fba336a880413566c127941e1eb45337
  SHA1:   3d9828dc84ef60fd87ccd74718434f1404ea0d61
  SHA256: 04675e76830e6712a2003ab116aa291fe8e4215b4e7f6205545def6628d5ab0e
  SHA512: 76b8cafbc4ef772d6d98df02500a1686d8d114efccf0ff443de44296b0a36ef859ac00ffe4c995fc5780a16af8c5e1b7579634d2c627fbd46a551809a3f4e3b0
  SSDEEP: 49152:HY1HFqgiKrgW7rXipJSSduOt/F12vYYnAtKT64F5Eedvq1PDpMsHgoauRSqIsZNY:4HrHrX+ivYYnAtgt7/dvqX7HJ/S9sZNY
Malware Config
  Extracted: hydra
    http://yahyolkayhodses.com
Signatures

Hydra
  Android banker and info stealer.

Hydra payload (1 IoC)
  resource: behavioral2/files/fstream-3.dat    yara_rule: family_hydra2

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.qjsjsocck.qfllznlrp/app_dex/classes.dex    pid: 4949    Process: com.qjsjsocck.qfllznlrp
  ioc: /data/user/0/com.qjsjsocck.qfllznlrp/app_dex/classes.dex    pid: 4949    Process: com.qjsjsocck.qfllznlrp

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call    ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId    Process: com.qjsjsocck.qfllznlrp
  description: Framework service call    ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId    Process: com.qjsjsocck.qfllznlrp

Reads the contacts stored on the device. (1 TTP, 1 IoC)
  description: URI accessed for read    ioc: content://com.android.contacts/contacts    Process: com.qjsjsocck.qfllznlrp

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 10    ioc: ip-api.com

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call    ioc: android.app.IActivityManager.setServiceForeground    Process: com.qjsjsocck.qfllznlrp

Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
  Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction    Process: com.qjsjsocck.qfllznlrp

Queries information about active data network (1 TTP, 1 IoC)
  description: Framework service call    ioc: android.net.IConnectivityManager.getActiveNetworkInfo    Process: com.qjsjsocck.qfllznlrp

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description: Framework service call    ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone    Process: com.qjsjsocck.qfllznlrp

Reads information about phone network operator. (1 TTP)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description: Framework service call    ioc: android.app.IActivityManager.registerReceiver    Process: com.qjsjsocck.qfllznlrp
Processes
  com.qjsjsocck.qfllznlrp (PID: 4949)
    - Loads dropped Dex/Jar
    - Makes use of the framework's Accessibility service
    - Reads the contacts stored on the device.
    - Makes use of the framework's foreground persistence service
    - Performs UI accessibility actions on behalf of the user
    - Queries information about active data network
    - Queries the mobile country code (MCC)
    - Registers a broadcast receiver at runtime (usually for listening for system events)
Network
MITRE ATT&CK Mobile v15
  Persistence
    Event Triggered Execution (1)
      Broadcast Receivers (1)
    Foreground Persistence (1)
  Defense Evasion
    Download New Code at Runtime (1)
    Foreground Persistence (1)
    Impair Defenses (1)
      Prevent Application Removal (1)
    Input Injection (1)
Downloads
  Filesize: 2.7MB
  MD5:    f9adacaa5fdb13a7cfaf59691f9d169a
  SHA1:   22581e2adc0d8157356353d5acb30f399e8f05db
  SHA256: dada985ae7eecc0203c6750eefb6afd3e1f5d0bee01b40f903c3187417bfd4dd
  SHA512: 1a6efe74306e5fd89c86a33e7c492dc8879cdbc919e218bebcc560b41fa7134b7db6d38685c31c9e578ec5f4adeea2aae419dfbdfcb62c851f3c27695490441a

  Filesize: 1.3MB
  MD5:    2185a3e2c2a6b4011a1c5f46ec216f89
  SHA1:   30317b68e6fdf9e65bafb072ca5c3cb1cec3d900
  SHA256: 88db8e364246021f80ca306a585d7fb338875ee1ab4281776165100d4072541f
  SHA512: 27b3a26c8c6cf5a6ac3ffbf68b1cb03b830a135e17eb89649a458dc0e9bde922ee71945e36bc11a3b89e0eb5ba03762cddeca3f8ccb54803b0589e155cf997c0

  Filesize: 1.3MB
  MD5:    ffe9ac08abe2e4521a9d92883ec76720
  SHA1:   89d03a3ea331f0de5a498c79ffda8add55d8f0e5
  SHA256: 9758391e9fd79bc8dbe38052d755c47d0441d4841a79059349a5e788ea56b67d
  SHA512: 6fd8e9f07c3c11e2d8375d8cd008c81386ff87afcf952cfb1a42310518bbfcc4a3b21076e4f34e63398450fd89c67ed0791570e41f4fa0d1241f267ae7db08e4