hydra | 931db39c57d99bca1248bea9a5464cf99939a223948e5f6d0e1797f55559f9d5

General

Target

931db39c57d99bca1248bea9a5464cf99939a223948e5f6d0e1797f55559f9d5.apk
Size

1.8MB
MD5

6c4ec1458f53b6617f14d97ac8bfcd5d
SHA1

053d5419544074db3142facf22a72241f3f9976f
SHA256

931db39c57d99bca1248bea9a5464cf99939a223948e5f6d0e1797f55559f9d5
SHA512

b4141861e7e848c83325422e151042ef74b410df985135b840c0aedc4e8a35f38c2ca4133c4aa1701cd02274fdb944f95cebe199876c6fa6f76351b827a27e32
SSDEEP

49152:+8dtL8arLEztapFZMhFwYtIgumC3qaiWrLW92ZkbWVXFFEjO:3+MEJwHNt3qnkW9akbWVXEjO

Score

10^/10

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

hydra

C2

http://yolderyasibizdenizgez.net

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra

Hydra payload 4 IoCs

resource	yara_rule
behavioral1/memory/4275-0.dex	family_hydra1
behavioral1/memory/4275-0.dex	family_hydra2
behavioral1/memory/4249-0.dex	family_hydra1
behavioral1/memory/4249-0.dex	family_hydra2

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.execute.six/app_DynamicOptDex/eR.json	4275	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.execute.six/app_DynamicOptDex/eR.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.execute.six/app_DynamicOptDex/oat/x86/eR.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.execute.six/app_DynamicOptDex/eR.json	4249	com.execute.six

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.execute.six
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.execute.six

Reads the contacts stored on the device. 1 TTPs 1 IoCs

collection

Contact List

T1636.003

description	ioc	Process
URI accessed for read	content://com.android.contacts/contacts	com.execute.six

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.execute.six

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.execute.six

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.execute.six

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.execute.six

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.execute.six

com.execute.six
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Reads the contacts stored on the device.
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4249
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.execute.six/app_DynamicOptDex/eR.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.execute.six/app_DynamicOptDex/oat/x86/eR.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4275

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Foreground Persistence

1

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Foreground Persistence

1

T1541

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Credential Access

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Network Configuration Discovery

1

T1422

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Protected User Data

1

T1636

Contact List

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

1

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.execute.six/app_DynamicOptDex/eR.json

Filesize
972KB

MD5
6f7b2da7c687a8fb2b1c908981da9259

SHA1
fc347fbf7172c518e0924ac81ade2c28d905e4bf

SHA256
505e4d47a35c31146f4bbdc68a8ec7a735e2dccac3447d659464e101c0f027bd

SHA512
074d615a9d0e47999f1f337fd530281dd2bb4d1b643fa151958f6b595575a25a301967c29b51f8a5e73c2d85a812b1a47dedf9bf4b7efa8fde1ede3cb985c122

Download Submit
/data/data/com.execute.six/app_DynamicOptDex/eR.json

Filesize
972KB

MD5
17e670bf5e2eb47e3fd3fcd2cd3934a4

SHA1
ea48d97b99b226a3c158ca74954fe46c86e029f1

SHA256
9b30af575e75f4b40c797d32ceefa66315bd0a4fe33fb26c5c0ba06ee89879b3

SHA512
f842015f7ef41e6744437f2f2a1fd973fc2da9897bd7f2de91bddf8226a113e522a054ab67f0b2dfde81fe0f85f5f146f3180bc7e38a9fbf0c7ea0c63b46c443

Download Submit
/data/data/com.execute.six/app_DynamicOptDex/oat/eR.json.cur.prof

Filesize
1KB

MD5
cff286776b53ba480310295481ebe505

SHA1
775901661032d880ca94e2c95d12be614b49bff4

SHA256
738c75fef10e0dbc32ee912a1882d79cedff057aa0b2e9eca5ba5f23198304ce

SHA512
abc2e24e8453dd0e2e91481cec2176909ec649c87ba2288821c5fd0524d2101ab5e218711cbe28b64f3498bf3a12686b1b5c7c9a3c3a7b99d16efb2d4cb594ef

Download Submit
/data/user/0/com.execute.six/app_DynamicOptDex/eR.json

Filesize
2.2MB

MD5
3b98bff52081cdd7bc8f995a9be169fd

SHA1
26ce38f8b81f1c7eb58e2e6ffc5f5c3803393054

SHA256
cd32f15d0d98a1c233f67752cad52b913512fee70f3db298890fdb8a00706a27

SHA512
d9bea9c41c0821da8de7430dcd5f786523936f63cd6ba0dd1924565e9354427e70e65713b8d8147d2bd4f9246a85ced31d9402c119bddb164ce4b692b65086e9

Download Submit
/data/user/0/com.execute.six/app_DynamicOptDex/eR.json

Filesize
2.2MB

MD5
0d76d556b169cb8c1a7e961bf11d6192

SHA1
863d07b234362d7b4d49b62a60336af1b5c0b404

SHA256
c154ecbf77b7640c9b98b2dd0d020ea32711c1386a1bb3309bd80b24582350b3

SHA512
0c51199bc3bae74821197214a01b40abcdc7a030420648336df43498da41dc44ccfcc48998e3891ee62811048acddcc22aa70f130310308f1cb91898000077d9

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads