Overview

overview

10

Static

static

6

ccfc01451f...9d.apk

android-9-x86

10

ccfc01451f...9d.apk

android-10-x64

10

ccfc01451f...9d.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    16-10-2024 22:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ccfc01451f59118de06d8c111414bd33ce999a4598b7b79e312eb3aed149be9d.apk

  • Size

    4.2MB

  • MD5

    0f09c871dfa2d2bcde1a1954d2e4fa97

  • SHA1

    a514df1d400a0671f2d389809f77f7f0339b4090

  • SHA256

    ccfc01451f59118de06d8c111414bd33ce999a4598b7b79e312eb3aed149be9d

  • SHA512

    30912f44a4654174ed3a9601ed81c10976e27a59239290bfc02f0689eb741a4900302879bd6f395bbde815f5d65b048bf88774ae5ccda952bba2e14948bcb863

  • SSDEEP

    98304:TZnOfqyBXjGz/7Wkp3JMOte4wM0LhIIYaca2GZIwTIENX4G:1nOBq/7fJzBwhYdaaxG

Score
10/10
hydrabankercollectioncredential_accessdiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://aksd24j3232d32kd2j.xyz

DES_key

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.bqislxvil.slppgtptw
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4213
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bqislxvil.slppgtptw/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bqislxvil.slppgtptw/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4238

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.bqislxvil.slppgtptw/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    2f6d36f7ccbb63469e8d126c2678bd41

    SHA1

    989bbebb8c4e9769273baa177bbb5f068306a64b

    SHA256

    36cd76deba022823a44014498b49692dfdf600ed18a5111b31a896e3a73996fa

    SHA512

    e63fd8f51f6747f1949b0d2ea06f2f06a7f4659df9fb28ef4883e12bc230e03237ba25a961471b187d155ad3d55aa4fef01bc6859704db4f01efb4aa2a9a147b

    Download Submit

  • /data/data/com.bqislxvil.slppgtptw/cache/classes.dex
    Filesize

    1.3MB

    MD5

    c7826592e1689493e0feff6b82b08968

    SHA1

    7fe535389082b6134facd5602b0e74108d5497cd

    SHA256

    db44bae201f201ffe1b86dc137e8102e79c9da5597b6ca9f32274e003e72e061

    SHA512

    c20c5094db734ee6818a07c7853f081137196dbbcf3697288dfea6555a1309c8b6e14a29d8e68f1e997d17c1aea0436c7855b4f36ebce39e34b61455b4933723

    Download Submit

  • /data/data/com.bqislxvil.slppgtptw/cache/classes.zip
    Filesize

    1.3MB

    MD5

    c040f97290d45f124647a83245bc93a3

    SHA1

    c2d958944522a7fc96260a6ca9eac03f3957d204

    SHA256

    ea48f15ba96d1dfc70f4736b3de7d02d9cc580822d0941a65cf45e0d2a3955e0

    SHA512

    ccc5f4e01c4794af5ebd97eda6ce4e8bdf4df24f8acea1e03499a910c17a457f8b13157a79ddc4a951187337d4aa6aedc4d6698c933b7e6b324bbe01b7a247b8

    Download Submit

  • /data/user/0/com.bqislxvil.slppgtptw/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    b1ef1f2a756dd926874331b034354a40

    SHA1

    3ee7b023e79fb63e58437b9e305d796364b76d43

    SHA256

    e750388d09147e531c2eb90f335952b47220b160aa7c0975ef12ce8c2ac7ec27

    SHA512

    9deb65469138b047851e39fdc18b56447da447ef4aa5977e425d2a276d217d3f34650b5acbcd058dbfb5c8b1a4accbfd43df92146396005050ffcfb0fdbf7f23

    Download Submit