Analysis
- max time kernel: 148s
- max time network: 151s
- platform: android-10_x64
- resource: android-x64-20240910-en
- resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
- submitted: 09-10-2024 22:03
Static task: static1
Behavioral task: behavioral1
- Sample: 931db39c57d99bca1248bea9a5464cf99939a223948e5f6d0e1797f55559f9d5.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: 931db39c57d99bca1248bea9a5464cf99939a223948e5f6d0e1797f55559f9d5.apk
- Resource: android-x64-20240910-en
Behavioral task: behavioral3
- Sample: 931db39c57d99bca1248bea9a5464cf99939a223948e5f6d0e1797f55559f9d5.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: 931db39c57d99bca1248bea9a5464cf99939a223948e5f6d0e1797f55559f9d5.apk
- Size: 1.8MB
- MD5: 6c4ec1458f53b6617f14d97ac8bfcd5d
- SHA1: 053d5419544074db3142facf22a72241f3f9976f
- SHA256: 931db39c57d99bca1248bea9a5464cf99939a223948e5f6d0e1797f55559f9d5
- SHA512: b4141861e7e848c83325422e151042ef74b410df985135b840c0aedc4e8a35f38c2ca4133c4aa1701cd02274fdb944f95cebe199876c6fa6f76351b827a27e32
- SSDEEP: 49152:+8dtL8arLEztapFZMhFwYtIgumC3qaiWrLW92ZkbWVXFFEjO:3+MEJwHNt3qnkW9akbWVXEjO
Malware Config
- Extracted: hydra
- http://yolderyasibizdenizgez.net
Signatures
- Hydra
  Android banker and info stealer.
- Hydra payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/5099-0.dex | family_hydra1
  behavioral2/memory/5099-0.dex | family_hydra2
- Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
  Runs an executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/com.execute.six/app_DynamicOptDex/eR.json | 5099 | com.execute.six
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.execute.six
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.execute.six
- Reads the contacts stored on the device. (1 TTPs, 1 IoCs)
  description | ioc | Process
  URI accessed for read | content://com.android.contacts/contacts | com.execute.six
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  18 | ip-api.com
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.execute.six
- Performs UI accessibility actions on behalf of the user (1 TTPs, 1 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc | Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.execute.six
- Queries information about active data network (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.execute.six
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.execute.six
- Reads information about phone network operator. (1 TTPs)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | android.app.IActivityManager.registerReceiver | com.execute.six
Processes
- com.execute.six (PID: 5099)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Reads the contacts stored on the device.
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about active data network
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Downloads
- Filesize: 972KB
  MD5: 6f7b2da7c687a8fb2b1c908981da9259
  SHA1: fc347fbf7172c518e0924ac81ade2c28d905e4bf
  SHA256: 505e4d47a35c31146f4bbdc68a8ec7a735e2dccac3447d659464e101c0f027bd
  SHA512: 074d615a9d0e47999f1f337fd530281dd2bb4d1b643fa151958f6b595575a25a301967c29b51f8a5e73c2d85a812b1a47dedf9bf4b7efa8fde1ede3cb985c122
- Filesize: 972KB
  MD5: 17e670bf5e2eb47e3fd3fcd2cd3934a4
  SHA1: ea48d97b99b226a3c158ca74954fe46c86e029f1
  SHA256: 9b30af575e75f4b40c797d32ceefa66315bd0a4fe33fb26c5c0ba06ee89879b3
  SHA512: f842015f7ef41e6744437f2f2a1fd973fc2da9897bd7f2de91bddf8226a113e522a054ab67f0b2dfde81fe0f85f5f146f3180bc7e38a9fbf0c7ea0c63b46c443
- Filesize: 1KB
  MD5: 726fdf3fade103338e3f7d0bfc3ff5f5
  SHA1: 65ff2704fe71a5141dc1538931551bb98a5dd28c
  SHA256: f7fdb223b2e258e598c61f61fa49011fabf00e85e77fe5288b8fa92a7cf2c8f8
  SHA512: d7587d3453f5fd760c9400c4db62970394a521d55c3398b9101cf96e37c96d7f780d669b3f97f3926d8cbb7fa453f2ec0c41e7bcec5fbef171f0b3902f7d1fbc
- Filesize: 2.2MB
  MD5: 0d76d556b169cb8c1a7e961bf11d6192
  SHA1: 863d07b234362d7b4d49b62a60336af1b5c0b404
  SHA256: c154ecbf77b7640c9b98b2dd0d020ea32711c1386a1bb3309bd80b24582350b3
  SHA512: 0c51199bc3bae74821197214a01b40abcdc7a030420648336df43498da41dc44ccfcc48998e3891ee62811048acddcc22aa70f130310308f1cb91898000077d9