Overview

overview

10

Static

static

6

105affcbfc...b2.apk

android-9-x86

10

105affcbfc...b2.apk

android-10-x64

10

105affcbfc...b2.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    21-10-2024 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    105affcbfc1afa6f804d47c5587becc0ca741b70fce448afa0dff3b86b9ab4b2.apk

  • Size

    2.2MB

  • MD5

    df6546b86b318a2850fa850ec71a7fcb

  • SHA1

    8a215df9bd136ed0d8449fc3f11177b1c07cde6d

  • SHA256

    105affcbfc1afa6f804d47c5587becc0ca741b70fce448afa0dff3b86b9ab4b2

  • SHA512

    da4f6158b2fb0f1cfefd22578cbe6143fd7b884d1468433dbb20d4214bd2ea2f94aa7850d8f396d7fabfea534ff336d12972b4db18a9d8cf20471077e3c7c2e4

  • SSDEEP

    49152:llE9y+wqENZFO78w1O6st+8X4/blqeZeVbiOvTKSaHbZ3+Ejt:llEkqENZ4O6sthX4U/VGgraHtuEjt

Score
10/10
hydrabankercollectioncredential_accessdiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://silversilvershine.com

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.flash.lock
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:5056

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.flash.lock/app_DynamicOptDex/Nt.json
    Filesize

    971KB

    MD5

    48d2befbf9cf5708b4b6cf66e8481c80

    SHA1

    65221587e42b93fc3409e3d48d684a87abee2233

    SHA256

    6be0bc9a2f8b1a935cae35b64bbadc77b8fec15a195c16f6f14e9efe1de5a3c4

    SHA512

    1c165da40a3cda33f7ca4decef23baa884ee3f4d1950f58b87cb55cf25f28f731ef75b23daf3aa715a2e786a8d87b1f6e09ec7ec3e86d07fbf5bb7bbe65127bc

    Download Submit

  • /data/data/com.flash.lock/app_DynamicOptDex/Nt.json
    Filesize

    971KB

    MD5

    8ce7be38a3bd511a33e54d054d4b59d8

    SHA1

    bc5b2ef175ca03a64ecf4b049d975b939bb52c50

    SHA256

    6fde44a3d37acfa8ac2d1689a393cc62610489f2545457a3c51d6573cb083496

    SHA512

    bdd9af7c77f26a005b7b35f7ed7a897b3e4251b26183a7855a3055bf81de0ea53def85f9758295cdc15a043b362aca7e43797a6cb977af923b3b23a7833ecbea

    Download Submit

  • /data/data/com.flash.lock/app_DynamicOptDex/oat/Nt.json.cur.prof
    Filesize

    1KB

    MD5

    7a26d392550129a4b08270af60924045

    SHA1

    a6fcb94f58cc9b812d81fa879c90e3eaddfefa1d

    SHA256

    ea5361565b09a88adca03d997c117c314c3e7d47d6951e7baceed572c041dca2

    SHA512

    bce707f76af4906a6edca981fab7a1ed1a95697859562bec7296ab10a91eb8d1a66f588bac798bb4f93bbbc934b242612ea3ea996dd6081cda6d81e3453bbf98

    Download Submit

  • /data/user/0/com.flash.lock/app_DynamicOptDex/Nt.json
    Filesize

    2.2MB

    MD5

    6c74bcbd5f41e08ad8124ccdf49864b1

    SHA1

    6c4316980bb36586c7461a2fb87f268582c06d92

    SHA256

    befab038b0bd97005ddcec954106440262d0ead2ef7f40dd021319c8725b61d0

    SHA512

    527113f4eaeef19e6351f956da5736755f291582813634c677923dde23520ec66098f667c1f1b8772dd72f25fff986f1ad04d449692280a5f23c3c0e6e78c9f8

    Download Submit