Analysis
- max time kernel: 123s
- max time network: 142s
- platform: android_x64
- resource: android-x64-20240624-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
- submitted: 17-10-2024 22:18
Static task: static1
Behavioral task: behavioral1
- Sample: f3b7cf3020d38061495cabfc7bf42329b580b99100dc50f6b2304ed3142321ca.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: f3b7cf3020d38061495cabfc7bf42329b580b99100dc50f6b2304ed3142321ca.apk
- Resource: android-x64-20240624-en
Behavioral task: behavioral3
- Sample: f3b7cf3020d38061495cabfc7bf42329b580b99100dc50f6b2304ed3142321ca.apk
- Resource: android-x64-arm64-20240910-en
General
- Target: f3b7cf3020d38061495cabfc7bf42329b580b99100dc50f6b2304ed3142321ca.apk
- Size: 4.2MB
- MD5: 4e12d5edcaef2c9f3da5e9cce93337bb
- SHA1: c726d5dce4822b05bb119f8f8f2458973c44855d
- SHA256: f3b7cf3020d38061495cabfc7bf42329b580b99100dc50f6b2304ed3142321ca
- SHA512: c49a5ff6b6374aaca0afc69ad08f1f9f7cb9e07e173f37707808503bcc1a7442e32d28ade2519e1a6a61236310193ba95fb9cb786f0239c547a1ef7509aa4471
- SSDEEP: 98304:vZ/JjB3tKvMOarRcVzA5rdCIUbhViqUqZu9dP+Ljf:h/Jl38faeyAI0FZM+/
Malware Config
Extracted
hydra
http://birshopsitesi.com.tr
Signatures
- Hydra
  Android banker and info stealer.
- Hydra payload (1 IoC)
  resource: behavioral2/files/fstream-3.dat, yara_rule: family_hydra2
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.vhuevqwsw.mtatzoqsb/app_dex/classes.dex, pid: 4999, process: com.vhuevqwsw.mtatzoqsb
  ioc: /data/user/0/com.vhuevqwsw.mtatzoqsb/app_dex/classes.dex, pid: 4999, process: com.vhuevqwsw.mtatzoqsb
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process: com.vhuevqwsw.mtatzoqsb
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process: com.vhuevqwsw.mtatzoqsb
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Reads the contacts stored on the device. (1 TTP, 1 IoC)
  description: URI accessed for read, ioc: content://com.android.contacts/contacts, process: com.vhuevqwsw.mtatzoqsb
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 13, ioc: ip-api.com
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: com.vhuevqwsw.mtatzoqsb
- Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
  Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.vhuevqwsw.mtatzoqsb
- Queries information about active data network (1 TTP, 1 IoC)
  description: Framework service call, ioc: android.net.IConnectivityManager.getActiveNetworkInfo, process: com.vhuevqwsw.mtatzoqsb
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process: com.vhuevqwsw.mtatzoqsb
- Reads information about phone network operator. (1 TTP)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description: Framework service call, ioc: android.app.IActivityManager.registerReceiver, process: com.vhuevqwsw.mtatzoqsb
Processes
- com.vhuevqwsw.mtatzoqsb (PID: 4999)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Reads the contacts stored on the device.
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about active data network
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
Discovery
- Software Discovery (1)
- Security Software Discovery (1)
- System Network Configuration Discovery (2)
- System Network Connections Discovery (1)
Downloads