Analysis

max time kernel: 149s
max time network: 131s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 10-10-2024 22:16
Static task: static1

Behavioral task: behavioral1
  Sample: a85bbf79cb473caf82ff4cb4c939eb53a4ae0d4c8016d828a273d2e0c23858ff.apk
  Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
  Sample: a85bbf79cb473caf82ff4cb4c939eb53a4ae0d4c8016d828a273d2e0c23858ff.apk
  Resource: android-x64-20240624-en

Behavioral task: behavioral3
  Sample: a85bbf79cb473caf82ff4cb4c939eb53a4ae0d4c8016d828a273d2e0c23858ff.apk
  Resource: android-x64-arm64-20240624-en
General

Target: a85bbf79cb473caf82ff4cb4c939eb53a4ae0d4c8016d828a273d2e0c23858ff.apk
Size: 4.2MB
MD5: 0cb1170b2c2c11a53305ad8ccb242da6
SHA1: 59ca7d23a622dc32cdda922e8418e357d8450704
SHA256: a85bbf79cb473caf82ff4cb4c939eb53a4ae0d4c8016d828a273d2e0c23858ff
SHA512: 7434c3899081cd28c9368c84a71e867ae24868cb4f3f7037d6dc381f8c5f36740223343072848e569b33d56c086939effe7a4252180f6ed892ff2c4f1644cf54
SSDEEP: 98304:Pkfdara30VOzrTQVUDgJmcD3JkLSoUwyYTpmvGR6cRQT:M1aryzXQlJmSuCwyYouR9s
Malware Config

Extracted
  Family: hydra
  URL: http://cabnozconmezcos.com
Signatures

Hydra
Android banker and info stealer.

Hydra payload (2 IoCs)
  resource: behavioral1/files/fstream-1.dat   yara_rule: family_hydra2
  resource: behavioral1/memory/4253-1.dex     yara_rule: family_hydra2

Loads dropped Dex/Jar (1 TTP, 3 IoCs)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.gelwyzfbk.ghgflxipy/app_app_dex/irhxrhl.hrn   pid: 4253   process: com.gelwyzfbk.ghgflxipy
  ioc: /data/user/0/com.gelwyzfbk.ghgflxipy/app_app_dex/irhxrhl.hrn   pid: 4282   process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gelwyzfbk.ghgflxipy/app_app_dex/irhxrhl.hrn --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gelwyzfbk.ghgflxipy/app_app_dex/oat/x86/irhxrhl.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.gelwyzfbk.ghgflxipy/app_app_dex/irhxrhl.hrn   pid: 4253   process: com.gelwyzfbk.ghgflxipy
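The dex2oat invocation above is the observable trace of the dropped-DEX technique: the app writes a payload with a non-code extension (irhxrhl.hrn) into its own private directory and has the runtime compile it from there. The following is an added example, not part of the sandbox report, showing how to pull that signal out of a process log: it parses dex2oat argv, checks whether --dex-file and --oat-location point into app-private storage (/data/user/<n>/<pkg>/ or /data/data/<pkg>/) and whether the input has a normal code extension. The report's command line is used as the malicious sample; the benign install-time line is constructed here for contrast, and the path and package in it are hypothetical.

```python
"""Flag runtime DEX loading from app-private storage in dex2oat command lines.

Added example (not from the report or the Hydra sample itself). The only
input taken from the report is REPORT_DEX2OAT; BENIGN_DEX2OAT is constructed.
"""
from __future__ import annotations

import os
import re
import shlex
from dataclasses import dataclass, field

# Copied from the report: the dex2oat child (PID 4282) of com.gelwyzfbk.ghgflxipy.
REPORT_DEX2OAT = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.gelwyzfbk.ghgflxipy/app_app_dex/irhxrhl.hrn "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.gelwyzfbk.ghgflxipy/app_app_dex/oat/x86/irhxrhl.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Constructed, hypothetical benign line: an install-time compile of an APK under /data/app.
BENIGN_DEX2OAT = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--dex-file=/data/app/com.example.notes-1/base.apk "
    "--oat-location=/data/app/com.example.notes-1/oat/x86/base.odex "
    "--compiler-filter=speed-profile"
)

# Extensions normally seen as dex2oat input for installed code.
CODE_EXTS = (".dex", ".apk", ".jar", ".zip")
# App-private data directories; group 1 is the owning package name.
PRIVATE_DIR = re.compile(r"^/data/(?:user/\d+|data)/([A-Za-z0-9_.]+)/")


@dataclass
class DexLoad:
    dex_file: str
    oat_location: str | None
    compiler_filter: str | None
    package: str | None            # package whose private dir holds the input, if any
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_dex2oat(cmdline: str) -> DexLoad | None:
    """Return a DexLoad for a dex2oat command line, or None if it is not dex2oat."""
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("dex2oat"):
        return None
    # Only --key=value options matter here; bare "--runtime-arg X" pairs are skipped.
    # A repeated key (instruction-set-features above) keeps its last value.
    opts: dict[str, str] = {}
    for arg in argv[1:]:
        if arg.startswith("--") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            opts[key] = value
    dex = opts.get("dex-file")
    if dex is None:
        return None
    owner = PRIVATE_DIR.match(dex)
    load = DexLoad(dex, opts.get("oat-location"), opts.get("compiler-filter"),
                   owner.group(1) if owner else None)
    if owner:
        load.reasons.append(f"input DEX lives in app-private storage of {owner.group(1)}")
    if not dex.lower().endswith(CODE_EXTS):
        ext = os.path.splitext(dex)[1] or "none"
        load.reasons.append(f"input has a non-code extension ({ext})")
    oat = opts.get("oat-location")
    if oat and PRIVATE_DIR.match(oat):
        load.reasons.append("compiled OAT written back into app-private storage")
    return load


def scan_process_log(lines) -> list[DexLoad]:
    """Return the suspicious dex2oat loads found in an iterable of command lines."""
    hits = []
    for line in lines:
        load = parse_dex2oat(line)
        if load is not None and load.suspicious:
            hits.append(load)
    return hits


if __name__ == "__main__":
    for hit in scan_process_log([REPORT_DEX2OAT, BENIGN_DEX2OAT]):
        print(f"{hit.package}: {hit.dex_file} (filter={hit.compiler_filter})")
        for reason in hit.reasons:
            print("  -", reason)
```

Run it and only the report's line is flagged, with three reasons: the input sits under /data/user/0/com.gelwyzfbk.ghgflxipy/, it carries the .hrn extension, and the resulting OAT is written back into the same private directory. The private-directory check is the one that generalises; the extension check is cheap but trivial for a sample to avoid, so treat it as supporting evidence rather than the trigger.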
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call   ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId   process: com.gelwyzfbk.ghgflxipy
  description: Framework service call   ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId   process: com.gelwyzfbk.ghgflxipy

Reads the contacts stored on the device (1 TTP, 1 IoC)
  description: URI accessed for read   ioc: content://com.android.contacts/contacts   process: com.gelwyzfbk.ghgflxipy

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 10   ioc: ip-api.com

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call   ioc: android.app.IActivityManager.setServiceForeground   process: com.gelwyzfbk.ghgflxipy

Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction   process: com.gelwyzfbk.ghgflxipy

Queries information about active data network (1 TTP, 1 IoC)
  description: Framework service call   ioc: android.net.IConnectivityManager.getActiveNetworkInfo   process: com.gelwyzfbk.ghgflxipy

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description: Framework service call   ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone   process: com.gelwyzfbk.ghgflxipy

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description: Framework service call   ioc: android.app.IActivityManager.registerReceiver   process: com.gelwyzfbk.ghgflxipy
Processes

com.gelwyzfbk.ghgflxipy (PID 4253)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Reads the contacts stored on the device
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about active data network
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)

  child of PID 4253: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gelwyzfbk.ghgflxipy/app_app_dex/irhxrhl.hrn --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gelwyzfbk.ghgflxipy/app_app_dex/oat/x86/irhxrhl.odex --compiler-filter=quicken --class-loader-context=& (PID 4282)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)

Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
Downloads

Filesize: 2.7MB
MD5: 698d6b8fd1e3680581a6171cf931b8c2
SHA1: f78a076b157d2a04ad7e9ccc5aea0dbbe951a55b
SHA256: 2cc1ef36bf025da092494a0b132ada489b9597c50103df469bcb22e5936d594f
SHA512: a1dcd5d60e42c026626fcb9f747bc2756d7b6995a2612b5bfe78e9c25bc8a73b458202f72d29e91d938586057f415ba41645fa77ba6ca9cce34115d6c43beff9

Filesize: 2.7MB
MD5: 3ad963c8dadb3bddfa5fc3d16996a697
SHA1: 1bd880696b87cb752eccab8d51d673e61aaeb343
SHA256: 2a55c811ebb5f677e724a88ac2fd646fb9ac493943d12d4e0b648bdfa71ab0e9
SHA512: aed513976bb9356888e9b8dc0836dc594e13ef6312f7e8919befba273e0ca5c0f08ffd991e6c3dce97b6087322887eb3c7eb0cbf25b549ca4b9c182e2de801b1