Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags
    arch:x64
    arch:x86
    image:android-x64-20240910-en
    locale:en-us
    os:android-10-x64
    system
  • submitted
    15/10/2024, 22:05 UTC

General

  • Target

    1703cead32c403f68cd1d581191ae37dc641c185ee5b9eaf43575a79dc78f6bd.apk

  • Size

    4.2MB

  • MD5

    946cca782366bd08ac773dddd09f46c8

  • SHA1

    c4444446759a7690bd27c5965e9b138bcbd722a3

  • SHA256

    1703cead32c403f68cd1d581191ae37dc641c185ee5b9eaf43575a79dc78f6bd

  • SHA512

    5a4ff26eb60a8aa5af18335c2cd6b2236a8b5bedf60e830be4caddff6ab9a7b86b8b4a25f7e1fc071c0f33bd7cca728c2d708aa41f0b812fb9becf0abd0cf240

  • SSDEEP

    98304:KjPPICrol7hXOPlmxn6aCCqlhS1rENeI1ue0N9d:mPw1l7h+PlDaCCqlhS1rEMz/d

Malware Config

Extracted

Family

hydra

C2

http://hg24g23jh4g2j3h4g5jh235vb3.xyz

DES_key

796e717965696e6d

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Reads the contacts stored on the device (1 TTP, 1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries information about active data network (1 TTP, 1 IoC)
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about phone network operator (1 TTP)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)

Processes

  • com.qfcfatuts.hhdfeeeiu (PID 5154)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)

Network

  • DNS
    hg24g23jh4g2j3h4g5jh235vb3.xyz
    Remote address: 1.1.1.1:53
    Request: hg24g23jh4g2j3h4g5jh235vb3.xyz IN A
    Response: (no answer recorded)
  • DNS
    android.apis.google.com
    Remote address: 1.1.1.1:53
    Request: android.apis.google.com IN A
    Response: android.apis.google.com IN CNAME clients.l.google.com; clients.l.google.com IN A 142.250.178.14
  • DNS
    ip-api.com
    Remote address: 1.1.1.1:53
    Request: ip-api.com IN A
    Response: ip-api.com IN A 208.95.112.1
  • GET http://ip-api.com/json
    Remote address: 208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Authorization: 5308642ae78425df
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Tue, 15 Oct 2024 22:05:54 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 289
    Access-Control-Allow-Origin: *
    X-Ttl: 45
    X-Rl: 43
  Connection summary (bytes sent / received, packets sent / received):

  • 142.250.187.206:443
    tls, https
    sent 689 B, received 40 B, packets 1 / 1
  • 142.250.187.206:443
    tls, https
    sent 689 B, received 40 B, packets 1 / 1
  • 142.250.178.14:443 (android.apis.google.com)
    tls
    sent 4.3kB, received 8.5kB, packets 14 / 22
  • 208.95.112.1:80 (http://ip-api.com/json)
    http
    sent 412 B, received 598 B, packets 4 / 3
    HTTP Request: GET http://ip-api.com/json
    HTTP Response: 200
  • 224.0.0.251:5353
    sent 3.7kB, packets 11
  • 1.1.1.1:53 (hg24g23jh4g2j3h4g5jh235vb3.xyz)
    dns
    sent 76 B, received 141 B, packets 1 / 1
    DNS Request: hg24g23jh4g2j3h4g5jh235vb3.xyz
  • 1.1.1.1:53 (android.apis.google.com)
    dns
    sent 69 B, received 109 B, packets 1 / 1
    DNS Request: android.apis.google.com
    DNS Response: 142.250.178.14
  • 1.1.1.1:53 (ip-api.com)
    dns
    sent 56 B, received 72 B, packets 1 / 1
    DNS Request: ip-api.com
    DNS Response: 208.95.112.1
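
The C2 domain and DES key from the Malware Config section and the DNS/HTTP observations from the Network section, turned into checks an analyst can run over their own logs. This is an added example in Python, not tria.ge code; the hostname, key, user agent and Authorization header value are copied from this report, while the log records it scans are constructed for illustration.

```python
"""Indicator checks derived from the Hydra report above.

Added example; not tria.ge code. The DNS and HTTP records below are constructed
sample data, not a real capture.
"""
import binascii
import re
from urllib.parse import urlparse

# Values copied from the report's Malware Config and Network sections.
C2_URL = "http://hg24g23jh4g2j3h4g5jh235vb3.xyz"
DES_KEY_HEX = "796e717965696e6d"
IP_LOOKUP_HOST = "ip-api.com"
# Shape of the Dalvik user agent seen in the GET /json request.
DALVIK_UA = re.compile(r"^Dalvik/\d+\.\d+\.\d+ \(Linux; U; Android \d+;")


def des_key_from_hex(hex_key: str) -> bytes:
    """Decode the extracted key; a DES key is exactly 8 bytes."""
    key = binascii.unhexlify(hex_key)
    if len(key) != 8:
        raise ValueError(f"DES key must be 8 bytes, got {len(key)}")
    return key


def des_key_is_parity_adjusted(key: bytes) -> bool:
    """True when every byte has odd parity, as the DES spec requires.
    Hard-coded ASCII keys usually fail this; Java's DESKeySpec does not enforce it,
    so the sample can still use the key as-is."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def c2_host(url: str = C2_URL) -> str:
    """Hostname component of the configured C2 URL."""
    return urlparse(url).hostname


def matches_host(name: str, host: str) -> bool:
    """Exact match or subdomain of host (trailing dot and case ignored)."""
    name = name.rstrip(".").lower()
    return name == host or name.endswith("." + host)


def scan_dns(records):
    """records: dicts with a 'query' key. Flags lookups of the C2 domain."""
    host = c2_host()
    findings = []
    for r in records:
        if matches_host(r["query"], host):
            findings.append(("high", f"DNS lookup of Hydra C2 {r['query']}", r))
    return findings


def scan_http(records):
    """records: dicts with 'host', 'path', 'user_agent', 'headers'.
    Flags an Android (Dalvik) client using ip-api.com to learn its external IP,
    the behaviour the report's 'Looks up external IP address' signature describes."""
    findings = []
    for r in records:
        if r["host"] == IP_LOOKUP_HOST and DALVIK_UA.match(r.get("user_agent", "")):
            reason = "Dalvik client querying external IP via ip-api.com"
            if "Authorization" in r.get("headers", {}):
                reason += " with an Authorization header, as in the sandbox request"
            findings.append(("medium", reason, r))
    return findings


# Constructed sample records (not taken from a real capture).
SAMPLE_DNS = [
    {"query": "android.apis.google.com", "answer": "142.250.178.14"},
    {"query": "hg24g23jh4g2j3h4g5jh235vb3.xyz", "answer": None},
    {"query": "ip-api.com", "answer": "208.95.112.1"},
]
SAMPLE_HTTP = [
    {"host": "ip-api.com", "path": "/json",
     "user_agent": "Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)",
     "headers": {"Authorization": "5308642ae78425df"}},
    {"host": "ip-api.com", "path": "/json",  # a desktop browser: not flagged
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "headers": {}},
]


def run() -> dict:
    key = des_key_from_hex(DES_KEY_HEX)
    return {
        "des_key_ascii": key.decode("ascii"),
        "des_key_parity_adjusted": des_key_is_parity_adjusted(key),
        "c2_host": c2_host(),
        "dns_findings": scan_dns(SAMPLE_DNS),
        "http_findings": scan_http(SAMPLE_HTTP),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(name, value)
```

The key decodes to the printable string "ynqyeinm", and its bytes are not parity-adjusted, which is what a hard-coded string key looks like rather than a generated DES key. The ip-api.com match is only medium severity on its own: legitimate apps use the same service, so it is the combination with the C2 lookup that matters.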

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.qfcfatuts.hhdfeeeiu/app_dex/classes.dex

    Filesize

    2.7MB

    MD5

    cab411a4dee29e2db0def7392fe905e9

    SHA1

    be741af5d039493110506dcc18c024210fd7c45d

    SHA256

    45ea7ccb9aaa23835b3dafedf1d143d60a8611a590fe65fc179eccc6f23c0ca0

    SHA512

    1910feaa7da0c7a4fba9049d34617208c0d7dbd3b5057098d5042e84089148148a1d82fc2ac228ab778a58d63ca8cce5d51c69248f6dc39f0dbee209f50787b1

  • /data/data/com.qfcfatuts.hhdfeeeiu/cache/classes.dex

    Filesize

    1.3MB

    MD5

    08bd4185a05ffb9353230184937ec221

    SHA1

    818b5a58c5200c786d315fd63d5708623f294522

    SHA256

    0857495fba58cbcbde30eca3c18b24c1169b5f2a48fe1ac2d00bb22084302555

    SHA512

    ab4e4f33a1d024519096b084da8f14fc64cdbec06be232168c4d6b3464fdd4b76ad72b03a6dfa3799fe6b3b94d29e272c1cc465e810649a6b3f0780d20c6f883

  • /data/data/com.qfcfatuts.hhdfeeeiu/cache/classes.zip

    Filesize

    1.3MB

    MD5

    eabab336030de7b8e33084edd95a6567

    SHA1

    49373bdc5986c67b4d9bbebc53c1e473177de75d

    SHA256

    2a9bf7136f4a3d130be8ba2071ccd84d5de5b0fb54a0839bb4a3477e202e15bb

    SHA512

    9963e0e082f1bf7e18e347fa810f4713c57581298de1cc9225cc234198f05533c6437856e2d01e331fb7c3a47fcc2e114e888237bb63c27362d4df728d934282
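
The "Loads dropped Dex/Jar" signature and the three files above (two classes.dex files and a classes.zip under the app's private data directory) are the usual shape of a staged payload. The following is an added example in Python, not tria.ge code, showing how to triage such a dropped file offline: confirm that it is a DEX (or a zip wrapping one), sanity-check the declared size against the actual size, and hash it for comparison with the MD5/SHA1/SHA256 values in the report. The DEX and zip bytes it builds are constructed stand-ins, not the real payloads.

```python
"""Triage of a file dropped to app-private storage.

Added example; not tria.ge code. make_fake_dex/make_fake_classes_zip build
constructed stand-ins so the code runs without the real payloads.
"""
import hashlib
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678  # little-endian tag; what Android toolchains emit


def parse_dex_header(data: bytes):
    """Return (version, declared_file_size) or None if data is not a DEX.
    AOSP dex layout: magic[8] at 0, checksum at 8, signature[20] at 12,
    file_size at 0x20, header_size at 0x24, endian_tag at 0x28."""
    if len(data) < DEX_HEADER_SIZE or data[:4] != DEX_MAGIC or data[7] != 0:
        return None
    version = data[4:7].decode("ascii")
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 0x20)
    if endian_tag != ENDIAN_CONSTANT or header_size != DEX_HEADER_SIZE:
        return None
    return version, file_size


def hashes(data: bytes) -> dict:
    """Digests in the same three algorithms the report lists for each file."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def classify(data: bytes) -> dict:
    """Identify a dropped file: bare DEX, zip containing classes.dex, plain zip, or other.
    size_mismatch is True when the DEX header's file_size disagrees with the real length
    (a truncated dump or appended data)."""
    info = {"kind": "other", "dex_version": None, "size_mismatch": False,
            "entries": [], **hashes(data)}
    hdr = parse_dex_header(data)
    if hdr:
        version, declared = hdr
        info.update(kind="dex", dex_version=version, size_mismatch=declared != len(data))
        return info
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            info["entries"] = z.namelist()
            if "classes.dex" in info["entries"]:
                inner = z.read("classes.dex")
                inner_hdr = parse_dex_header(inner)
                info.update(kind="zip-with-dex",
                            dex_version=inner_hdr[0] if inner_hdr else None,
                            size_mismatch=bool(inner_hdr) and inner_hdr[1] != len(inner))
            else:
                info["kind"] = "zip"
    return info


def make_fake_dex(version: bytes = b"035", payload: bytes = b"\x00" * 64) -> bytes:
    """Constructed stand-in: a header with valid magic, size and endian fields
    (checksum and signature left zero) followed by an opaque payload."""
    header = bytearray(DEX_HEADER_SIZE)
    header[0:8] = DEX_MAGIC + version + b"\x00"
    struct.pack_into("<III", header, 0x20,
                     DEX_HEADER_SIZE + len(payload), DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    return bytes(header) + payload


def make_fake_classes_zip(dex: bytes) -> bytes:
    """Constructed stand-in for a cache/classes.zip wrapping a classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    dex = make_fake_dex()
    for blob in (dex, make_fake_classes_zip(dex), dex[:-10], b"not a payload"):
        print(classify(blob))
```

Run classify() on the files pulled from /data/data/com.qfcfatuts.hhdfeeeiu/ and compare the returned digests with the values listed above; a size_mismatch on a bare DEX usually means the dump was taken while the file was still being written.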
