Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags
    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    15/10/2024, 22:02 UTC

General

  • Target

    5a35d1750b0aea8bb5e3d15a060b59d6917f62278c21fb4a2df1b7854b1caa71.apk

  • Size

    4.2MB

  • MD5

    81e176d7c1c6c0a0006d8e48e049b513

  • SHA1

    51a1c95841caa9151c3a83d9b0a48085213e8044

  • SHA256

    5a35d1750b0aea8bb5e3d15a060b59d6917f62278c21fb4a2df1b7854b1caa71

  • SHA512

    300290cc8fcad8d499657d7f04830eea47b18238335702b844e3f72cdbb622f8c4171ba982f587c0236bae05dcd0ee651348a23d12b0e58535f42c46f15bd5c7

  • SSDEEP

    98304:edthOuc+XEwAiYYuLLkAhdxyGv37Bdyk3U0At8RPB7Ct:ejY+XEwATsAgm3AcdCt

Malware Config

Extracted

Family

hydra

C2

http://aksd24j3232d32kd2j.xyz

DES_key

77696f6578757966

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra payload (2 IoCs)
  • Loads dropped Dex/Jar (1 TTP, 3 IoCs)

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Reads the contacts stored on the device (1 TTP, 1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about active data network (1 TTP, 1 IoC)
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)

Processes

  • com.ipssqzaje.swwyjedec (process 1)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4310
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ipssqzaje.swwyjedec/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ipssqzaje.swwyjedec/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& (process 2, child of process 1)
      • Loads dropped Dex/Jar
      PID:4336

Network

  • flag-us
    DNS
    aksd24j3232d32kd2j.xyz
    Remote address:
    1.1.1.1:53
    Request
    aksd24j3232d32kd2j.xyz
    IN A
    Response
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.204.78
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Authorization: 51a0adb9e773cb11
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Tue, 15 Oct 2024 22:02:31 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 289
    Access-Control-Allow-Origin: *
    X-Ttl: 54
    X-Rl: 42
  • 216.58.212.238:443
    tls, https
    689 B
    40 B
    1
    1
  • 216.58.212.238:443
    tls, https
    689 B
    40 B
    1
    1
  • 216.58.212.238:443
    tls, https
    689 B
    40 B
    1
    1
  • 216.58.204.78:443
    android.apis.google.com
    tls
    3.4kB
    7.7kB
    14
    18
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    451 B
    638 B
    5
    4

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200
  • 172.217.16.228:80
    312 B
    6
  • 172.217.16.228:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.200.35:80
    312 B
    6
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    aksd24j3232d32kd2j.xyz
    dns
    68 B
    133 B
    1
    1

    DNS Request

    aksd24j3232d32kd2j.xyz

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.204.78

  • 1.1.1.1:53
    ip-api.com
    dns
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.ipssqzaje.swwyjedec/app_dex/classes.dex

    Filesize

    2.7MB

    MD5

    87c1b42e3dae5687135a459667d76661

    SHA1

    a6df56f070c6fe69e8fedd227f9c3cb47eb0bccc

    SHA256

    10bcdd0529a5723c1e616c499d3bb6d8749772107c6ee595b564ec0ce717b941

    SHA512

    f1ee7ef61da813662f1adf96ad184f5c47fc96dae2b3c833af64c97d746ad8f3e969aedbcb3cb78cd6898b0eb40290150007264b7d230923ed2d0eb51ba069fa

  • /data/data/com.ipssqzaje.swwyjedec/cache/classes.dex

    Filesize

    1.3MB

    MD5

    a3152cf7b43dd245a8a70238c6d737f6

    SHA1

    b20317b978a177c7be22d04809acd11958932331

    SHA256

    598d4a459124682eb40cbfdbfc6c4a5003208ac5e0d772cbd114c25ca3e2c573

    SHA512

    765a72ec266d1e90214095dbdcb2480aaeb288ba9294da1ba0672846c77ac0909fd2656759ea60446e59f9209a51ac459e692ef6229a7c16677a5f84211d013d

  • /data/data/com.ipssqzaje.swwyjedec/cache/classes.zip

    Filesize

    1.3MB

    MD5

    6892e3128dc58016555e325eca1361e4

    SHA1

    3ee07286d7720fd94023a1185ad008d035e36b36

    SHA256

    1126d5d5637a9cdc01197605acfcbd25eea179662f08df78bc0142bd24b93b87

    SHA512

    6195e980d7d5df6bb0c26880e386680bbde0e6e5c0227fcc0b23cc73f45fcbd76bd27fd72073d311f5ee55758be7aa643f46195039c44f21fdc608b992c69a3d

  • /data/user/0/com.ipssqzaje.swwyjedec/app_dex/classes.dex

    Filesize

    2.7MB

    MD5

    9b3f974e90751ed97fa08fb987a5e83e

    SHA1

    5018ee59d81ab965097196efb1606641acc69b38

    SHA256

    2d682a35a7452f00abb33e46384d5bf32ab0a90ff9fd14d654d8573e398a3f97

    SHA512

    66ef8e8462aa5f6bde55a17f8f5bcd3566599945b3861e4e2019c3deaae89825cfeed6ac6cb2533ec524e837ef876e1ff809816b40544c7ec14a1c3cae6620f0
