Analysis

max time kernel: 148s
max time network: 153s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 15-10-2024 22:02
Static task: static1

Behavioral task: behavioral1
Sample: 5a35d1750b0aea8bb5e3d15a060b59d6917f62278c21fb4a2df1b7854b1caa71.apk
Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
Sample: 5a35d1750b0aea8bb5e3d15a060b59d6917f62278c21fb4a2df1b7854b1caa71.apk
Resource: android-x64-20240910-en

Behavioral task: behavioral3
Sample: 5a35d1750b0aea8bb5e3d15a060b59d6917f62278c21fb4a2df1b7854b1caa71.apk
Resource: android-x64-arm64-20240910-en
General

Target: 5a35d1750b0aea8bb5e3d15a060b59d6917f62278c21fb4a2df1b7854b1caa71.apk
Size: 4.2MB
MD5: 81e176d7c1c6c0a0006d8e48e049b513
SHA1: 51a1c95841caa9151c3a83d9b0a48085213e8044
SHA256: 5a35d1750b0aea8bb5e3d15a060b59d6917f62278c21fb4a2df1b7854b1caa71
SHA512: 300290cc8fcad8d499657d7f04830eea47b18238335702b844e3f72cdbb622f8c4171ba982f587c0236bae05dcd0ee651348a23d12b0e58535f42c46f15bd5c7
SSDEEP: 98304:edthOuc+XEwAiYYuLLkAhdxyGv37Bdyk3U0At8RPB7Ct:ejY+XEwATsAgm3AcdCt
Malware Config

Extracted: hydra
http://aksd24j3232d32kd2j.xyz
Signatures

Hydra
Android banker and info stealer.

Hydra payload (2 IoCs)
resource / yara_rule:
  behavioral1/files/fstream-3.dat  family_hydra2
  behavioral1/memory/4310-1.dex  family_hydra2

Loads dropped Dex/Jar (1 TTP, 3 IoCs)
Runs executable file dropped to the device during analysis.
ioc / pid / Process:
  /data/user/0/com.ipssqzaje.swwyjedec/app_dex/classes.dex  4310  com.ipssqzaje.swwyjedec
  /data/user/0/com.ipssqzaje.swwyjedec/app_dex/classes.dex  4336  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ipssqzaje.swwyjedec/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ipssqzaje.swwyjedec/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  /data/user/0/com.ipssqzaje.swwyjedec/app_dex/classes.dex  4310  com.ipssqzaje.swwyjedec

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description / ioc / Process:
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  com.ipssqzaje.swwyjedec
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  com.ipssqzaje.swwyjedec

Reads the contacts stored on the device. (1 TTP, 1 IoC)
description / ioc / Process:
  URI accessed for read  content://com.android.contacts/contacts  com.ipssqzaje.swwyjedec

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
  10  ip-api.com

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
description / ioc / Process:
  Framework service call  android.app.IActivityManager.setServiceForeground  com.ipssqzaje.swwyjedec
Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
Application may abuse the accessibility service to prevent its removal.
ioc / Process:
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.ipssqzaje.swwyjedec
Queries information about active data network (1 TTP, 1 IoC)
description / ioc / Process:
  Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.ipssqzaje.swwyjedec

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
description / ioc / Process:
  Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  com.ipssqzaje.swwyjedec

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
description / ioc / Process:
  Framework service call  android.app.IActivityManager.registerReceiver  com.ipssqzaje.swwyjedec
Processes

com.ipssqzaje.swwyjedec (PID 4310)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Reads the contacts stored on the device.
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about active data network
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)

  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ipssqzaje.swwyjedec/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ipssqzaje.swwyjedec/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& (PID 4336, child of PID 4310)
    - Loads dropped Dex/Jar
Network

MITRE ATT&CK Mobile v15

Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
Downloads