Malware Analysis Report

2024-10-19 12:01

Sample ID 241012-1x8z8sxhlj
Target 364bfce93060133915405a4fbec989829d728f3374b36003b36f10370b33763c.bin
SHA256 364bfce93060133915405a4fbec989829d728f3374b36003b36f10370b33763c
Tags: hydra banker collection credential_access discovery evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 364bfce93060133915405a4fbec989829d728f3374b36003b36f10370b33763c.bin was found to be: Known bad.

Malicious Activity Summary

Hydra

Hydra family

Hydra payload

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads the contacts stored on the device.

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Attempts to obfuscate APK file format

Looks up external IP address via web service

Requests dangerous framework permissions

Declares services with permission to bind to the system

Queries information about active data network

Performs UI accessibility actions on behalf of the user

Makes use of the framework's foreground persistence service

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-10-12 22:02

Signatures

Hydra family

hydra

Hydra payload


Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-12 22:02

Reported

2024-10-12 22:05

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

156s

Command Line

com.grand.snail

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.grand.snail

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.187.202:443 | - | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | taniyemezdoledked21.com | udp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp

Files

/data/data/com.grand.snail/app_apk/payload.apk

MD5 3baeaa766ea7f31a9147208efd957c75
SHA1 c701de3d0e55425394ccbf8e0967639e86f3c54e
SHA256 75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d
SHA512 9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

/data/data/com.grand.snail/cache/ysmxkT7LLpJMxKuMLBdf8J558FGRRUSqFTnCdI5B.zip

MD5 03ad8690954c496bee1f13e2ed1d1b74
SHA1 54665184a1d633f8c4faec5b6a7a06ab576469da
SHA256 382c0ec6f7d5b48bd8490498e0fdc32e1784b9a037464a9162895bbec93b490a
SHA512 e87992d7643b9395d01e522a4be5fb4ab99ebd85ac44da269c1471ce3ae2db08b60c7dd8796bff254005a5b4b07445721191cf1210cb09fcc6f17fe2e8c84b73

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-12 22:02

Reported

2024-10-12 22:05

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

158s

Command Line

com.grand.snail

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.grand.snail

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | taniyemezdoledked21.com | udp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.187.228:443 | - | tcp
GB | 142.250.187.228:443 | - | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
GB | 216.58.213.14:443 | - | tcp
GB | 142.250.178.2:443 | - | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp

Files

/data/data/com.grand.snail/app_apk/payload.apk

MD5 3baeaa766ea7f31a9147208efd957c75
SHA1 c701de3d0e55425394ccbf8e0967639e86f3c54e
SHA256 75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d
SHA512 9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

/data/data/com.grand.snail/cache/ysmxkT7LLpJMxKuMLBdf8J558FGRRUSqFTnCdI5B.zip

MD5 979e106568aabc341d5ee033ea634f21
SHA1 f28731de13a03dff4bee5c37230129cae5941677
SHA256 21484897a7ace86a158777f87cbbe99bab08203801557edd34c887db49d0e912
SHA512 d3cec7d6848a45325d459c5fe2b145983c11138a078bb5d45d8a0e7e1fb5b69de530652530375df89a344f93927fb66484842cf835b26bb3e830ac1073801cbf

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-12 22:02

Reported

2024-10-12 22:05

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

159s

Command Line

com.grand.snail

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.grand.snail

Network

Country | Destination | Domain | Proto
GB | 142.250.187.238:443 | - | tcp
GB | 142.250.187.238:443 | - | tcp
GB | 142.250.187.238:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | taniyemezdoledked21.com | udp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.200.36:443 | - | tcp
GB | 142.250.200.36:443 | - | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp
RU | 185.125.219.11:80 | taniyemezdoledked21.com | tcp

Files

/data/data/com.grand.snail/app_apk/payload.apk

MD5 3baeaa766ea7f31a9147208efd957c75
SHA1 c701de3d0e55425394ccbf8e0967639e86f3c54e
SHA256 75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d
SHA512 9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

/data/data/com.grand.snail/cache/ysmxkT7LLpJMxKuMLBdf8J558FGRRUSqFTnCdI5B.zip

MD5 b0143a8a123ae2c4a1333dbf539cf03e
SHA1 bfdbc41fcf94b603f9b28171ceff82d674112e42
SHA256 9eb8a4bfd1592a589feab4537e0dad28cfd9eb3bb3a2c00d0fd1602d427118a3
SHA512 c974a2c1410a61e09f3c3a4f9d4114e90f1941f3220050dcd04e6bc74f3d4a2c3d25bb14431f665bf0ebe62dde2fa4b7045297527b7a822f77a29d3247bfbe1d