Analysis
- max time kernel: 149s
- max time network: 155s
- platform: android-9_x86
- resource: android-x86-arm-20240910-en
- resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- submitted: 12-10-2024 22:02
Static task: static1
Behavioral task: behavioral1
- Sample: f814b6716eaecf680e3f905c7670a96954774606d5be1c2d3fc051636f65e04d.apk
- Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
- Sample: f814b6716eaecf680e3f905c7670a96954774606d5be1c2d3fc051636f65e04d.apk
- Resource: android-x64-20240624-en
Behavioral task: behavioral3
- Sample: f814b6716eaecf680e3f905c7670a96954774606d5be1c2d3fc051636f65e04d.apk
- Resource: android-x64-arm64-20240910-en
General
- Target: f814b6716eaecf680e3f905c7670a96954774606d5be1c2d3fc051636f65e04d.apk
- Size: 4.9MB
- MD5: c32c9917cd24a4bf07e3eeebdf58337c
- SHA1: 096f4f0050569d0420452e576728d3ae5ee0c245
- SHA256: f814b6716eaecf680e3f905c7670a96954774606d5be1c2d3fc051636f65e04d
- SHA512: c5d3157a85d2e3358ee5a2238316873baa30632964697dca97ab13817ef583891b8fe51bcce102ed2e55e2d020c5c9ea183f0ffebd5a5e182b0d1df3e6570f88
- SSDEEP: 98304:HWrQ5w03ftD32h+5RHVPK/x6DYV2B/i0fiRIAr9jMj7+nCPhEXxk:7G03f932hYPK/x68MB/i9245Mo4EXxk
Malware Config
Extracted
- Family: hydra
- URL: http://taniyemezdoledked21.com
Signatures
- Hydra
  Android banker and info stealer.
- Hydra payload (1 IoC)
  YARA rule family_hydra2 matched resource /data/data/com.wrvtxgtyw.smummwdba/app_dex/classes.dex
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  IoC: /data/user/0/com.wrvtxgtyw.smummwdba/app_dex/classes.dex (PID 4310, process com.wrvtxgtyw.smummwdba)
  IoC: /data/user/0/com.wrvtxgtyw.smummwdba/app_dex/classes.dex (PID 4310, process com.wrvtxgtyw.smummwdba)
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process com.wrvtxgtyw.smummwdba)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (process com.wrvtxgtyw.smummwdba)
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Reads the contacts stored on the device. (1 TTP, 1 IoC)
  URI accessed for read: content://com.android.contacts/contacts (process com.wrvtxgtyw.smummwdba)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flow 16: ip-api.com
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground (process com.wrvtxgtyw.smummwdba)
- Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
  Application may abuse the accessibility service to prevent its removal.
  IoC: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (process com.wrvtxgtyw.smummwdba)
- Queries information about active data network (1 TTP, 1 IoC)
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (process com.wrvtxgtyw.smummwdba)
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process com.wrvtxgtyw.smummwdba)
- Reads information about phone network operator. (1 TTP)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Framework service call: android.app.IActivityManager.registerReceiver (process com.wrvtxgtyw.smummwdba)
Processes
- com.wrvtxgtyw.smummwdba (PID 4310)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Reads the contacts stored on the device.
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about active data network
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
Network
MITRE ATT&CK Mobile v15
- Persistence: Event Triggered Execution (1), Broadcast Receivers (1), Foreground Persistence (1)
- Defense Evasion: Download New Code at Runtime (1), Foreground Persistence (1), Impair Defenses (1), Prevent Application Removal (1), Input Injection (1)
- Discovery: Software Discovery (1), Security Software Discovery (1), System Network Configuration Discovery (2), System Network Connections Discovery (1)
Downloads