Analysis
-
max time kernel
148s -
max time network
151s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system -
submitted
15-10-2024 22:05
Static task
static1
Behavioral task
behavioral1
Sample
1703cead32c403f68cd1d581191ae37dc641c185ee5b9eaf43575a79dc78f6bd.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
1703cead32c403f68cd1d581191ae37dc641c185ee5b9eaf43575a79dc78f6bd.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
1703cead32c403f68cd1d581191ae37dc641c185ee5b9eaf43575a79dc78f6bd.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
1703cead32c403f68cd1d581191ae37dc641c185ee5b9eaf43575a79dc78f6bd.apk
-
Size
4.2MB
-
MD5
946cca782366bd08ac773dddd09f46c8
-
SHA1
c4444446759a7690bd27c5965e9b138bcbd722a3
-
SHA256
1703cead32c403f68cd1d581191ae37dc641c185ee5b9eaf43575a79dc78f6bd
-
SHA512
5a4ff26eb60a8aa5af18335c2cd6b2236a8b5bedf60e830be4caddff6ab9a7b86b8b4a25f7e1fc071c0f33bd7cca728c2d708aa41f0b812fb9becf0abd0cf240
-
SSDEEP
98304:KjPPICrol7hXOPlmxn6aCCqlhS1rENeI1ue0N9d:mPw1l7h+PlDaCCqlhS1rEMz/d
Malware Config
Extracted
hydra
http://hg24g23jh4g2j3h4g5jh235vb3.xyz
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra payload 2 IoCs
resource                          yara_rule
behavioral1/files/fstream-3.dat   family_hydra2
behavioral1/memory/4219-1.dex     family_hydra2
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs an executable file dropped to the device during analysis.
ioc                                                        pid   Process
/data/user/0/com.qfcfatuts.hhdfeeeiu/app_dex/classes.dex   4219  com.qfcfatuts.hhdfeeeiu
/data/user/0/com.qfcfatuts.hhdfeeeiu/app_dex/classes.dex   4245  /system/bin/dex2oat (command line follows)
/data/user/0/com.qfcfatuts.hhdfeeeiu/app_dex/classes.dex   4219  com.qfcfatuts.hhdfeeeiu
dex2oat command line (PID 4245), compiling the dropped DEX from the app's private app_dex directory:
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qfcfatuts.hhdfeeeiu/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.qfcfatuts.hhdfeeeiu/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description             ioc                                                                                                     Process
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  com.qfcfatuts.hhdfeeeiu
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId          com.qfcfatuts.hhdfeeeiu
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
description            ioc                                      Process
URI accessed for read  content://com.android.contacts/contacts  com.qfcfatuts.hhdfeeeiu
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
13    ip-api.com
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description             ioc                                              Process
Framework service call  android.app.IActivityManager.setServiceForeground  com.qfcfatuts.hhdfeeeiu
-
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent its removal.
ioc                                                                            Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.qfcfatuts.hhdfeeeiu
-
Queries information about active data network 1 TTPs 1 IoCs
description             ioc                                                  Process
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.qfcfatuts.hhdfeeeiu
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description             ioc                                                                     Process
Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  com.qfcfatuts.hhdfeeeiu
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description             ioc                                         Process
Framework service call  android.app.IActivityManager.registerReceiver  com.qfcfatuts.hhdfeeeiu
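The signatures above are each derived from a single kind of runtime event: a Binder call into a framework service, a content-provider read, a process launch, or a name resolution. The following is an added example, not Triage's detection code or anything shipped with the sample, showing how such a trace is turned into the signature list and why the individual signatures need to be read together. The trace format, the rule weights, the "banker-like" verdict and the extra IP-lookup host api.ipify.org are the editor's assumptions; the package name, PIDs, framework calls, dex2oat path and C2 domain are taken from the report, and both trace samples are constructed rather than captured.

```python
"""Derive the behavioural signatures in the report above from an event trace.
Added example; not Triage's code. Traces are constructed, not captured."""
import re
from collections import defaultdict

# Constructed trace: "<pid> <process> <kind> <detail>", kind = svc (framework
# Binder call) | uri (content provider read) | exec (process launch) | dns.
SAMPLE_TRACE = """\
4219 com.qfcfatuts.hhdfeeeiu svc android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
4219 com.qfcfatuts.hhdfeeeiu svc android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
4219 com.qfcfatuts.hhdfeeeiu svc android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
4219 com.qfcfatuts.hhdfeeeiu svc android.app.IActivityManager.setServiceForeground
4219 com.qfcfatuts.hhdfeeeiu svc android.app.IActivityManager.registerReceiver
4219 com.qfcfatuts.hhdfeeeiu svc android.net.IConnectivityManager.getActiveNetworkInfo
4219 com.qfcfatuts.hhdfeeeiu svc com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
4219 com.qfcfatuts.hhdfeeeiu uri content://com.android.contacts/contacts
4245 /system/bin/dex2oat exec --dex-file=/data/user/0/com.qfcfatuts.hhdfeeeiu/app_dex/classes.dex --oat-fd=42
4219 com.qfcfatuts.hhdfeeeiu dns ip-api.com
4219 com.qfcfatuts.hhdfeeeiu dns hg24g23jh4g2j3h4g5jh235vb3.xyz
"""

# Constructed benign trace: a media player keeping a foreground service alive.
BENIGN_TRACE = """\
3101 com.example.player svc android.app.IActivityManager.setServiceForeground
3101 com.example.player svc android.app.IActivityManager.registerReceiver
3101 com.example.player svc android.net.IConnectivityManager.getActiveNetworkInfo
"""

# (signature, weight, event kind, regex over "<process> <detail>"). Weights are
# assumed. A dropped DEX is recognised by dex2oat compiling a file from the
# app's private app_* directory instead of its installed APK under /data/app.
RULES = [
    ("Loads dropped Dex/Jar", 3, "exec",
     r"dex2oat\b.*--dex-file=/data/(user/\d+|data)/[\w.]+/app_\w+/"),
    ("Makes use of the framework's Accessibility service", 3, "svc",
     r"IAccessibilityServiceConnection\.findAccessibilityNodeInfos?By"),
    ("Performs UI accessibility actions on behalf of the user", 3, "svc",
     r"IAccessibilityServiceConnection\.performGlobalAction$"),
    ("Reads the contacts stored on the device", 2, "uri",
     r"content://com\.android\.contacts/"),
    ("Looks up external IP address via web service", 2, "dns",
     r"\s(ip-api\.com|api\.ipify\.org)$"),   # ipify added as an assumption
    ("Makes use of the framework's foreground persistence service", 1, "svc",
     r"IActivityManager\.setServiceForeground$"),
    ("Registers a broadcast receiver at runtime", 1, "svc",
     r"IActivityManager\.registerReceiver$"),
    ("Queries information about active data network", 1, "svc",
     r"IConnectivityManager\.getActiveNetworkInfo$"),
    ("Queries the mobile country code (MCC)", 1, "svc",
     r"ITelephony\.getNetworkCountryIsoForPhone$"),
]
C2_SIGNATURE, C2_WEIGHT = "Hydra C2 contacted", 5
HYDRA_C2 = {"hg24g23jh4g2j3h4g5jh235vb3.xyz"}   # from the extracted config above

# Foreground services and runtime receivers are routine on their own; screen
# scraping plus injected UI actions plus a dropped DEX is the banker pattern.
BANKER_CORE = {
    "Makes use of the framework's Accessibility service",
    "Performs UI accessibility actions on behalf of the user",
    "Loads dropped Dex/Jar",
}
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<kind>svc|uri|exec|dns)\s+(?P<detail>.+)$")


def parse_trace(text):
    """One dict per well-formed line; malformed lines are skipped, not raised."""
    return [m.groupdict() for m in map(LINE_RE.match, map(str.strip, text.splitlines())) if m]


def match_signatures(events):
    """Map signature name -> list of (pid, process, detail) that triggered it."""
    hits = defaultdict(list)
    for ev in events:
        subject = f"{ev['proc']} {ev['detail']}"
        for name, _w, kind, pattern in RULES:
            if ev["kind"] == kind and re.search(pattern, subject):
                hits[name].append((ev["pid"], ev["proc"], ev["detail"]))
        if ev["kind"] == "dns" and ev["detail"] in HYDRA_C2:
            hits[C2_SIGNATURE].append((ev["pid"], ev["proc"], ev["detail"]))
    return dict(hits)


def score(hits):
    """Each triggered signature counts once, however many IoCs it has."""
    weights = {name: w for name, w, _, _ in RULES}
    weights[C2_SIGNATURE] = C2_WEIGHT
    return sum(weights[name] for name in hits)


def classify(hits):
    if C2_SIGNATURE in hits:
        return "hydra"
    if BANKER_CORE <= set(hits):
        return "banker-like"
    return "suspicious" if score(hits) >= 5 else "low"


if __name__ == "__main__":
    for label, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        hits = match_signatures(parse_trace(trace))
        print(f"{label}: score={score(hits)} verdict={classify(hits)}")
        for name, iocs in hits.items():
            print(f"  {name} ({len(iocs)} IoCs)")
```

The C2 match alone gives the family verdict; without it the same trace still classifies as banker-like because the three core behaviours co-occur, while the benign player trips two of the report's signatures and stays low. When porting this to real telemetry, match the dex2oat rule on the `--dex-file` path rather than on dex2oat itself, since ART compiles legitimately installed APKs through the same binary.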
Processes
-
1. com.qfcfatuts.hhdfeeeiu
   PID:4219
   - Loads dropped Dex/Jar
   - Makes use of the framework's Accessibility service
   - Reads the contacts stored on the device.
   - Makes use of the framework's foreground persistence service
   - Performs UI accessibility actions on behalf of the user
   - Queries information about active data network
   - Queries the mobile country code (MCC)
   - Registers a broadcast receiver at runtime (usually for listening for system events)
   2. /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qfcfatuts.hhdfeeeiu/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.qfcfatuts.hhdfeeeiu/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& (child of PID 4219)
      PID:4245
      - Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1): Broadcast Receivers (1)
  Foreground Persistence (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Impair Defenses (1): Prevent Application Removal (1)
  Input Injection (1)
Downloads
-
Filesize 2.7MB
MD5     cab411a4dee29e2db0def7392fe905e9
SHA1    be741af5d039493110506dcc18c024210fd7c45d
SHA256  45ea7ccb9aaa23835b3dafedf1d143d60a8611a590fe65fc179eccc6f23c0ca0
SHA512  1910feaa7da0c7a4fba9049d34617208c0d7dbd3b5057098d5042e84089148148a1d82fc2ac228ab778a58d63ca8cce5d51c69248f6dc39f0dbee209f50787b1
-
Filesize 1.3MB
MD5     08bd4185a05ffb9353230184937ec221
SHA1    818b5a58c5200c786d315fd63d5708623f294522
SHA256  0857495fba58cbcbde30eca3c18b24c1169b5f2a48fe1ac2d00bb22084302555
SHA512  ab4e4f33a1d024519096b084da8f14fc64cdbec06be232168c4d6b3464fdd4b76ad72b03a6dfa3799fe6b3b94d29e272c1cc465e810649a6b3f0780d20c6f883
-
Filesize 1.3MB
MD5     eabab336030de7b8e33084edd95a6567
SHA1    49373bdc5986c67b4d9bbebc53c1e473177de75d
SHA256  2a9bf7136f4a3d130be8ba2071ccd84d5de5b0fb54a0839bb4a3477e202e15bb
SHA512  9963e0e082f1bf7e18e347fa810f4713c57581298de1cc9225cc234198f05533c6437856e2d01e331fb7c3a47fcc2e114e888237bb63c27362d4df728d934282
-
Filesize 2.7MB
MD5     2d911667cfa1a9eb054f5b1489b26462
SHA1    bb00980cad0cbc26ef4a27a57b3968a04f9b0256
SHA256  4309621fa315420bf95b9ef207b509f1e7aea41d32e68f38aa54a23944c52d71
SHA512  184418ef8d0c7df1c1e201b413c02c8e6e4c8aeef278e4732e435b9b56e0be6bd74de52e8f3a5dfd9b3637435c65dd4caeb987a8a88eb822036fe22c265b493b