Overview

overview

10

Static

static

6

006b9c2bf6...ea.apk

android-9-x86

10

006b9c2bf6...ea.apk

android-10-x64

10

006b9c2bf6...ea.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    117s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    19-10-2024 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    006b9c2bf6cc9d179b493be1385a5dc459ae8a7a4359faf0ecdab944c87081ea.apk

  • Size

    4.9MB

  • MD5

    5c1061f97f9314a1cc90a0a1c05f9b7f

  • SHA1

    6587bb49678097bafbadd391ad437627c36b209a

  • SHA256

    006b9c2bf6cc9d179b493be1385a5dc459ae8a7a4359faf0ecdab944c87081ea

  • SHA512

    0e74e126efa8321cab855e3e4e0410d8b3990930277e774cb5372d56597f8ef9c58c64463c5ceb2ad69827e60d68ec183414b04a580698d3425c97ceeb235268

  • SSDEEP

    98304:RXDObW1Tnc7hgPhL2QZaCdHV7Xp+cAC9RGVNbbytz4jvRJVxWzbXdHaui:dybWhqQ0gHV7Xp+cTRaNTvR/AIui

Score
10/10
hydrabankercollectioncredential_accessdiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://darisamu.com

DES_key

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.wgtyctcrz.jmnormrsi
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4266
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wgtyctcrz.jmnormrsi/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wgtyctcrz.jmnormrsi/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4293

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.wgtyctcrz.jmnormrsi/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    2c787965bd0bb3b11eeca88534edb067

    SHA1

    eb7abc73e32d16b7ac90ff49ee41bfd393d20343

    SHA256

    5555e50681fa470bd24d5967a38c57fdd5bf8a30c166158099aaf507f2381076

    SHA512

    5262aba324cdc1f63f9fe844f4b543905ac1b32328f4a9a2600ba05838ed70c03fade5a39f70c1e4cffed7cd825ed87702aef6f3ff6111cfbd8ce9eb50a9cb45

    Download Submit

  • /data/data/com.wgtyctcrz.jmnormrsi/cache/classes.dex
    Filesize

    1.3MB

    MD5

    a795a5b296d76c86b9eecb893ea1cd02

    SHA1

    aab575bf888cb626ecec8ad2edddb39a552507b3

    SHA256

    afd997571ef21a5783cc3666b79b850051b0bc8519d219d97ef0601b40a9f1ea

    SHA512

    c92252a1fc53b4e18d4e294fc17898ad3eb58d8646d7ab844f9f1492e197e257db509fe48a4dd8e2f975404e29eb043b3b6c311f55a24f628c51ec78f0e26565

    Download Submit

  • /data/data/com.wgtyctcrz.jmnormrsi/cache/classes.zip
    Filesize

    1.3MB

    MD5

    22729086b6dba708a7cef178ece2f2b7

    SHA1

    8aacfb5fcb9b5ab118c1f5142e9e8ae4e57d89d9

    SHA256

    638c3b2e9b423debf6b654223f335ecbf1d0eff2e41673d32391267a40eef0bd

    SHA512

    df9422375eae334d55ade562f919e291e420def9aef5e981a16b908a7d8c5ee8b65a15dd2e963f3a9dde8005b42a0541b909661a918862f5a8e5559f800a5a16

    Download Submit

  • /data/user/0/com.wgtyctcrz.jmnormrsi/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    0956c84b73d911910419493a777c47ae

    SHA1

    7d92d6bd0d1a97ea4774d2be6501273ba23f2f2a

    SHA256

    4d9601605fedb268ccc931e2467ef1b7eadef637570d9a727096c089b333456a

    SHA512

    a19d8d7f6831c7ffc8adbe810bee7ed667f79e875a5a872e7e889c6c39c1177685a00304e0e28fdb581c53be26ec7cd6f7c868caff95488ee42a943c541fc75d

    Download Submit