Analysis

  • max time kernel: 149s
  • max time network: 132s
  • platform: android_x64
  • resource: android-x64-arm64-20240624-en
  • resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted: 21-10-2024 22:09

General

  • Target: 105affcbfc1afa6f804d47c5587becc0ca741b70fce448afa0dff3b86b9ab4b2.apk
  • Size: 2.2MB
  • MD5: df6546b86b318a2850fa850ec71a7fcb
  • SHA1: 8a215df9bd136ed0d8449fc3f11177b1c07cde6d
  • SHA256: 105affcbfc1afa6f804d47c5587becc0ca741b70fce448afa0dff3b86b9ab4b2
  • SHA512: da4f6158b2fb0f1cfefd22578cbe6143fd7b884d1468433dbb20d4214bd2ea2f94aa7850d8f396d7fabfea534ff336d12972b4db18a9d8cf20471077e3c7c2e4
  • SSDEEP: 49152:llE9y+wqENZFO78w1O6st+8X4/blqeZeVbiOvTKSaHbZ3+Ejt:llEkqENZ4O6sthX4U/VGgraHtuEjt

Malware Config

Extracted

  • Family: hydra
  • C2: http://silversilvershine.com

Signatures

  • Hydra (Android banker and info stealer)
  • Hydra payload (2 IoCs)
  • Loads dropped Dex/Jar (1 TTP, 1 IoC)
    Runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Reads the contacts stored on the device (1 TTP, 1 IoC)
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    The application may abuse a foreground service to keep itself running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
    The application may abuse the accessibility service to prevent its own removal.
  • Queries information about active data network (1 TTP, 1 IoC)
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)

Processes

  • com.flash.lock (PID 4483)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)

Network

  • DNS android.apis.google.com (resolver 1.1.1.1:53)
    Request: android.apis.google.com IN A
    Response: android.apis.google.com IN CNAME clients.l.google.com; clients.l.google.com IN A 216.58.212.206
  • DNS ssl.google-analytics.com (resolver 1.1.1.1:53)
    Request: ssl.google-analytics.com IN A
    Response: ssl.google-analytics.com IN A 142.250.180.8
  • DNS silversilvershine.com (resolver 1.1.1.1:53)
    Request: silversilvershine.com IN A
    Response: (no records recorded)
  • DNS ip-api.com (resolver 1.1.1.1:53)
    Request: ip-api.com IN A
    Response: ip-api.com IN A 208.95.112.1
  • GET http://ip-api.com/json (remote address 208.95.112.1:80)
    Request:
      GET /json HTTP/1.1
      Authorization: 9e6be700f3721b32
      Content-Type: application/json
      User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
      Host: ip-api.com
      Connection: Keep-Alive
      Accept-Encoding: gzip
    Response:
      HTTP/1.1 200 OK
      Date: Mon, 21 Oct 2024 22:10:07 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 289
      Access-Control-Allow-Origin: *
      X-Ttl: 57
      X-Rl: 43
  Connections (bytes and packets as listed by the sandbox; "-" where no value was shown)

  Remote address      Host                      Protocol    Sent     Received  Pkts sent  Pkts recv  Detail
  142.250.180.14:443  -                         tls, https  695 B    40 B      1          1
  142.250.180.14:443  -                         tls, https  695 B    40 B      1          1
  142.250.180.14:443  android.apis.google.com   tls         1.1kB    4.5kB     9          8
  216.58.212.206:443  android.apis.google.com   tls         5.6kB    8.8kB     23         23
  142.250.180.8:443   ssl.google-analytics.com  tls         1.4kB    6.2kB     9          8
  208.95.112.1:80     http://ip-api.com/json    http        452 B    638 B     5          4          GET http://ip-api.com/json -> 200
  142.250.200.36:443  -                         tls, https  850 B    40 B      2          1
  142.250.200.36:443  www.google.com            tls         11.2kB   14.8kB    31         38
  224.0.0.251:5353    -                         -           3.7kB    -         11         -
  1.1.1.1:53          android.apis.google.com   dns         69 B     109 B     1          1          A -> 216.58.212.206
  1.1.1.1:53          ssl.google-analytics.com  dns         70 B     86 B      1          1          A -> 142.250.180.8
  1.1.1.1:53          silversilvershine.com     dns         67 B     140 B     1          1          A -> (no answer recorded)
  1.1.1.1:53          ip-api.com                dns         56 B     72 B      1          1          A -> 208.95.112.1
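Two details in the traffic above are worth turning into detection logic. First, the only contact with the configured C2 is a DNS query for silversilvershine.com that received no A record, and no connection to that host appears in the connection list, so this run never reached the C2. Second, the external-IP lookup is a plain-HTTP GET to ip-api.com/json from a Dalvik user agent that carries a bare hexadecimal value in the Authorization header instead of a standard scheme such as Basic or Bearer. The Python below is an added example, not part of the sandbox report: the event dictionaries are constructed from the values on this page, the C2 set comes from the extracted config, the IP-lookup hosts other than ip-api.com are my own assumption, and the sandbox's real export format is not parsed here.

```python
import re

# Assumptions: C2_DOMAINS is taken from the extracted Hydra config on this
# page; the extra IP-lookup hosts are a guess at common services, not
# something the report shows; EVENTS are constructed from the report's values.
C2_DOMAINS = {"silversilvershine.com"}
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ifconfig.me", "icanhazip.com"}
# Authorization values that follow a recognised scheme; anything else is odd.
AUTH_SCHEME = re.compile(r"^(Basic|Bearer|Digest|Token|Negotiate)\s+\S+", re.I)

EVENTS = [
    {"type": "dns", "name": "android.apis.google.com", "answers": ["216.58.212.206"]},
    {"type": "dns", "name": "silversilvershine.com", "answers": []},
    {"type": "dns", "name": "ip-api.com", "answers": ["208.95.112.1"]},
    {"type": "http", "method": "GET", "url": "http://ip-api.com/json", "status": 200,
     "headers": {"Authorization": "9e6be700f3721b32",
                 "User-Agent": "Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)",
                 "Host": "ip-api.com"}},
]


def host_of(url: str) -> str:
    """Extract the lower-cased host from a URL (no port, no path)."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def analyse(events):
    """Return (rule, subject, detail) tuples for the suspicious events."""
    findings = []
    for ev in events:
        if ev["type"] == "dns":
            name = ev["name"].lower()
            if name in C2_DOMAINS:
                # Record whether the C2 resolved; "no answer" still proves
                # the sample tried to reach it.
                state = "resolved" if ev["answers"] else "no answer"
                findings.append(("c2_dns", name, state))
        elif ev["type"] == "http":
            host = host_of(ev["url"])
            hdrs = {k.lower(): v for k, v in ev["headers"].items()}
            ua = hdrs.get("user-agent", "")
            if host in IP_LOOKUP_HOSTS and ua.startswith("Dalvik/"):
                # Direct HTTP from the Android runtime (not a WebView/browser)
                # to an IP-lookup service: typical first beacon of a banker.
                findings.append(("ip_lookup", host, ua))
            auth = hdrs.get("authorization")
            if auth and not AUTH_SCHEME.match(auth):
                # ip-api.com/json needs no credentials; a bare token here is
                # more likely a client/bot identifier than real auth.
                findings.append(("odd_authorization", host, auth))
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(*f)
```

On the constructed events this yields three findings: the C2 query with no answer, the Dalvik request to ip-api.com, and the non-standard Authorization value. A Dalvik user agent on its own is normal for any app using HttpURLConnection, so the rule only fires when it is combined with an IP-lookup host.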

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/com.flash.lock/app_DynamicOptDex/Nt.json
    Filesize: 971KB
    MD5: 48d2befbf9cf5708b4b6cf66e8481c80
    SHA1: 65221587e42b93fc3409e3d48d684a87abee2233
    SHA256: 6be0bc9a2f8b1a935cae35b64bbadc77b8fec15a195c16f6f14e9efe1de5a3c4
    SHA512: 1c165da40a3cda33f7ca4decef23baa884ee3f4d1950f58b87cb55cf25f28f731ef75b23daf3aa715a2e786a8d87b1f6e09ec7ec3e86d07fbf5bb7bbe65127bc

  • /data/user/0/com.flash.lock/app_DynamicOptDex/Nt.json
    Filesize: 971KB
    MD5: 8ce7be38a3bd511a33e54d054d4b59d8
    SHA1: bc5b2ef175ca03a64ecf4b049d975b939bb52c50
    SHA256: 6fde44a3d37acfa8ac2d1689a393cc62610489f2545457a3c51d6573cb083496
    SHA512: bdd9af7c77f26a005b7b35f7ed7a897b3e4251b26183a7855a3055bf81de0ea53def85f9758295cdc15a043b362aca7e43797a6cb977af923b3b23a7833ecbea

  • /data/user/0/com.flash.lock/app_DynamicOptDex/Nt.json
    Filesize: 2.2MB
    MD5: 6c74bcbd5f41e08ad8124ccdf49864b1
    SHA1: 6c4316980bb36586c7461a2fb87f268582c06d92
    SHA256: befab038b0bd97005ddcec954106440262d0ead2ef7f40dd021319c8725b61d0
    SHA512: 527113f4eaeef19e6351f956da5736755f291582813634c677923dde23520ec66098f667c1f1b8772dd72f25fff986f1ad04d449692280a5f23c3c0e6e78c9f8

  • /data/user/0/com.flash.lock/app_DynamicOptDex/oat/Nt.json.cur.prof
    Filesize: 1KB
    MD5: 86534c8d3e68b1d89e96883da659b631
    SHA1: ce840e7b4705fd7b291790cdfc2a5e76b203cf11
    SHA256: 817d551ba3ab5303c5a4c7587af6186eb38116d6bdfef9b5aed8bbd281bf7ad7
    SHA512: c7f8aff822d00aa196afae1b8918467964086ee147e76e56ae8051244ed47a67bcdbf7e638b98fb225bfb4d8682ffa3a279bf8272a4ec318beeba6ff304dcd40
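The signature "Loads dropped Dex/Jar" and the drop directory app_DynamicOptDex suggest that the Nt.json files are code rather than JSON, and the same path appears with three different hashes (971KB, 971KB, 2.2MB), i.e. the file was rewritten during the run. The page lists hashes only, not file contents, so the following Python is an added example (not part of the report) of the two checks you would run on the extracted files: identify the container by magic bytes instead of by extension, and list paths that received more than one distinct content hash. The DROPS list is copied from the Downloads section above; SAMPLE_DEX and SAMPLE_JSON are constructed stand-ins, not the real dropped bytes.

```python
from collections import defaultdict

# Magic bytes: a DEX file starts with "dex\n" + three version digits + NUL;
# JAR/APK files are ZIP archives; ART profile files (*.prof) start with "pro\0".
DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"
ART_PROFILE_MAGIC = b"pro\x00"
CODE_TYPES = {"dex", "zip"}
CODE_EXTENSIONS = {"dex", "jar", "apk", "zip"}


def classify(data: bytes) -> str:
    """Container type implied by the leading bytes, ignoring the file name."""
    if data.startswith(DEX_MAGIC) and len(data) >= 8 and data[7] == 0:
        return "dex"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(ART_PROFILE_MAGIC):
        return "art-profile"
    if data.lstrip()[:1] in (b"{", b"["):
        return "json"
    return "unknown"


def disguised_code(path: str, data: bytes) -> bool:
    """True when a file whose name does not claim to be code actually is."""
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return classify(data) in CODE_TYPES and ext not in CODE_EXTENSIONS


# (path, sha256) pairs as listed in the report's Downloads section.
DROPS = [
    ("/data/user/0/com.flash.lock/app_DynamicOptDex/Nt.json",
     "6be0bc9a2f8b1a935cae35b64bbadc77b8fec15a195c16f6f14e9efe1de5a3c4"),
    ("/data/user/0/com.flash.lock/app_DynamicOptDex/Nt.json",
     "6fde44a3d37acfa8ac2d1689a393cc62610489f2545457a3c51d6573cb083496"),
    ("/data/user/0/com.flash.lock/app_DynamicOptDex/Nt.json",
     "befab038b0bd97005ddcec954106440262d0ead2ef7f40dd021319c8725b61d0"),
    ("/data/user/0/com.flash.lock/app_DynamicOptDex/oat/Nt.json.cur.prof",
     "817d551ba3ab5303c5a4c7587af6186eb38116d6bdfef9b5aed8bbd281bf7ad7"),
]


def rewritten_paths(drops):
    """Paths that received more than one distinct content hash during the run."""
    seen = defaultdict(set)
    for path, sha256 in drops:
        seen[path].add(sha256)
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


# Constructed sample contents; the report gives hashes, not bytes.
SAMPLE_DEX = b"dex\n035\x00" + bytes(64)
SAMPLE_JSON = b'{"c2": "http://silversilvershine.com"}'
NT_JSON = "/data/user/0/com.flash.lock/app_DynamicOptDex/Nt.json"

if __name__ == "__main__":
    print(classify(SAMPLE_DEX), disguised_code(NT_JSON, SAMPLE_DEX))
    print(classify(SAMPLE_JSON), disguised_code(NT_JSON, SAMPLE_JSON))
    for path, hashes in rewritten_paths(DROPS).items():
        print(path, len(hashes), "distinct versions")
```

When run against the real drops, a "dex" or "zip" result for Nt.json confirms the Dex/Jar-loading signature, and the three distinct hashes for one path tell you to collect every version rather than only the last one left on disk.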
