Overview

overview

10

Static

static

6

3e30799822...b0.apk

android-9-x86

10

3e30799822...b0.apk

android-10-x64

10

3e30799822...b0.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    16-10-2024 22:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e3079982215bc7c5a1f6aefdeec17d3c8828a42f3d002905395f1652c05e0b0.apk

  • Size

    4.9MB

  • MD5

    7a623017a2fb223f66adde57da6ea03f

  • SHA1

    6e59e5c33ff3a46d0cf637e062ed056ecdef4d8f

  • SHA256

    3e3079982215bc7c5a1f6aefdeec17d3c8828a42f3d002905395f1652c05e0b0

  • SHA512

    3604392c4cecd3d162e412c976463bbd5ca83e7c7f9d67602a5f1d355c152f4757f091f435dfaac4f22ad0c100c416e37ed62c87dc7e6ae8a12b384a0ec94b5b

  • SSDEEP

    98304:s2NWlLQ2RxYqRLEYMyCltg1FvNG97NWMJbM8TBWGQhWUnGxUYlTZX:s2gRQEx5TkSk9hWMJbM8o3hWVxUaR

Score
10/10
hydrabankercollectioncredential_accessdiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://tahradtoynetcomez.com

DES_key

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.dydzangag.mrcfuampj
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4320
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dydzangag.mrcfuampj/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.dydzangag.mrcfuampj/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4344

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.dydzangag.mrcfuampj/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    991dd58da6badc83315cd3d44e461ed5

    SHA1

    6ec1a0e97b011684defa01edd6a4c24854551236

    SHA256

    324bd13e498505c93cd42fe2337edab719545d3b5af23dcb95da3551bca53a20

    SHA512

    5378093f2a8cb9e3a7c604cd9af99057ac0ebe0d5af395a7ff0dfead37724d9cddecf43fab80838648c05081951a811254cd40a356f80bd34747d313e66cd5d2

    Download Submit

  • /data/data/com.dydzangag.mrcfuampj/cache/classes.dex
    Filesize

    1.3MB

    MD5

    abccc96f6a823fc5e81bff15fe6bf351

    SHA1

    41fa6aeef1d2bab95a46346222698456798a29cb

    SHA256

    f8b14eee370ee2b80fc6bc3b594e2d073e8b327f1f38b129b2e70350bad41133

    SHA512

    86b5591e533a241a21a1768aa36d83d8502445fb608a41f8ee6c81b7a1d9eed66080014e14aa49c9e2ddec85b4464b40772fa966f462762ef6b3037f8d8b4101

    Download Submit

  • /data/data/com.dydzangag.mrcfuampj/cache/classes.zip
    Filesize

    1.3MB

    MD5

    db9d62a19eee91a1f44a74e342571267

    SHA1

    2fa0636a12c56d665b2c84a248474281074177ad

    SHA256

    05afbdf7f33eeadc646e75a0cc220d64e7af9d82e46de24ecfc6d88862b90d19

    SHA512

    6ef41219fd3dbfcadbbe3eb725272b2017e32bd4737572d77fcab1765f972e4589fd3abec329638938fa5279601570d0d5f53bfe875f688c4cafd9e447d5c0b6

    Download Submit

  • /data/user/0/com.dydzangag.mrcfuampj/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    8751471a9cfc3e6126d74cae1f354321

    SHA1

    edf6a09485ff7410a6dc078de2b8ef0e3acb0847

    SHA256

    19b17c4972e77fd43924c9c0f6abcb352da7612291b986062b9a1efe3201a26d

    SHA512

    f8da9dcea2726d6946bdac551dd92e545aee0381efdfa5e8ac4c20d608dc2aec805f1d25aa06658c4426c25bf574bc5822c57d036f188fc31b582a7e71dee9f9

    Download Submit