Analysis
-
max time kernel
149s -
max time network
132s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system -
submitted
21-10-2024 22:09
Static task
static1
Behavioral task
behavioral1
Sample
105affcbfc1afa6f804d47c5587becc0ca741b70fce448afa0dff3b86b9ab4b2.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
105affcbfc1afa6f804d47c5587becc0ca741b70fce448afa0dff3b86b9ab4b2.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
105affcbfc1afa6f804d47c5587becc0ca741b70fce448afa0dff3b86b9ab4b2.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
105affcbfc1afa6f804d47c5587becc0ca741b70fce448afa0dff3b86b9ab4b2.apk
-
Size
2.2MB
-
MD5
df6546b86b318a2850fa850ec71a7fcb
-
SHA1
8a215df9bd136ed0d8449fc3f11177b1c07cde6d
-
SHA256
105affcbfc1afa6f804d47c5587becc0ca741b70fce448afa0dff3b86b9ab4b2
-
SHA512
da4f6158b2fb0f1cfefd22578cbe6143fd7b884d1468433dbb20d4214bd2ea2f94aa7850d8f396d7fabfea534ff336d12972b4db18a9d8cf20471077e3c7c2e4
-
SSDEEP
49152:llE9y+wqENZFO78w1O6st+8X4/blqeZeVbiOvTKSaHbZ3+Ejt:llEkqENZ4O6sthX4U/VGgraHtuEjt
Malware Config
Extracted
hydra
http://silversilvershine.com
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra payload 2 IoCs
resource: behavioral3/memory/4483-0.dex
yara_rule: family_hydra1
-
resource: behavioral3/memory/4483-0.dex
yara_rule: family_hydra2
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.flash.lock/app_DynamicOptDex/Nt.json
pid: 4483
Process: com.flash.lock
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call
ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Process: com.flash.lock
-
description: Framework service call
ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Process: com.flash.lock
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
description: URI accessed for read
ioc: content://com.android.contacts/contacts
Process: com.flash.lock
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow: 30
ioc: ip-api.com
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description: Framework service call
ioc: android.app.IActivityManager.setServiceForeground
Process: com.flash.lock
-
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent its removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
Process: com.flash.lock
-
Queries information about active data network 1 TTPs 1 IoCs
description: Framework service call
ioc: android.net.IConnectivityManager.getActiveNetworkInfo
Process: com.flash.lock
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description: Framework service call
ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: com.flash.lock
-
Reads information about phone network operator. 1 TTPs
Processes
-
com.flash.lock
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Reads the contacts stored on the device.
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
PID:4483
Network
-
Remote address: 1.1.1.1:53
Request: android.apis.google.com IN A
Response: android.apis.google.com IN CNAME clients.l.google.com
clients.l.google.com IN A 216.58.212.206
-
Remote address: 1.1.1.1:53
Request: ssl.google-analytics.com IN A
Response: ssl.google-analytics.com IN A 142.250.180.8
-
Remote address: 1.1.1.1:53
Request: silversilvershine.com IN A
Response:
-
Remote address: 1.1.1.1:53
Request: ip-api.com IN A
Response: ip-api.com IN A 208.95.112.1
-
Remote address: 208.95.112.1:80
Request:
GET /json HTTP/1.1
Authorization: 9e6be700f3721b32
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
Host: ip-api.com
Connection: Keep-Alive
Accept-Encoding: gzip
Response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 289
Access-Control-Allow-Origin: *
X-Ttl: 57
X-Rl: 43
-
695 B 40 B 1 1
-
695 B 40 B 1 1
-
1.1kB 4.5kB 9 8
-
5.6kB 8.8kB 23 23
-
1.4kB 6.2kB 9 8
-
452 B 638 B 5 4
HTTP Request
GET http://ip-api.com/json
HTTP Response
200
-
850 B 40 B 2 1
-
11.2kB 14.8kB 31 38
-
3.7kB 11
-
69 B 109 B 1 1
DNS Request
android.apis.google.com
DNS Response
216.58.212.206
-
70 B 86 B 1 1
DNS Request
ssl.google-analytics.com
DNS Response
142.250.180.8
-
67 B 140 B 1 1
DNS Request
silversilvershine.com
-
56 B 72 B 1 1
DNS Request
ip-api.com
DNS Response
208.95.112.1
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime 1
Foreground Persistence 1
Impair Defenses 1
Prevent Application Removal 1
Input Injection 1
Downloads
-
Filesize
971KB
MD5 48d2befbf9cf5708b4b6cf66e8481c80
SHA1 65221587e42b93fc3409e3d48d684a87abee2233
SHA256 6be0bc9a2f8b1a935cae35b64bbadc77b8fec15a195c16f6f14e9efe1de5a3c4
SHA512 1c165da40a3cda33f7ca4decef23baa884ee3f4d1950f58b87cb55cf25f28f731ef75b23daf3aa715a2e786a8d87b1f6e09ec7ec3e86d07fbf5bb7bbe65127bc
-
Filesize
971KB
MD5 8ce7be38a3bd511a33e54d054d4b59d8
SHA1 bc5b2ef175ca03a64ecf4b049d975b939bb52c50
SHA256 6fde44a3d37acfa8ac2d1689a393cc62610489f2545457a3c51d6573cb083496
SHA512 bdd9af7c77f26a005b7b35f7ed7a897b3e4251b26183a7855a3055bf81de0ea53def85f9758295cdc15a043b362aca7e43797a6cb977af923b3b23a7833ecbea
-
Filesize
2.2MB
MD5 6c74bcbd5f41e08ad8124ccdf49864b1
SHA1 6c4316980bb36586c7461a2fb87f268582c06d92
SHA256 befab038b0bd97005ddcec954106440262d0ead2ef7f40dd021319c8725b61d0
SHA512 527113f4eaeef19e6351f956da5736755f291582813634c677923dde23520ec66098f667c1f1b8772dd72f25fff986f1ad04d449692280a5f23c3c0e6e78c9f8
-
Filesize
1KB
MD5 86534c8d3e68b1d89e96883da659b631
SHA1 ce840e7b4705fd7b291790cdfc2a5e76b203cf11
SHA256 817d551ba3ab5303c5a4c7587af6186eb38116d6bdfef9b5aed8bbd281bf7ad7
SHA512 c7f8aff822d00aa196afae1b8918467964086ee147e76e56ae8051244ed47a67bcdbf7e638b98fb225bfb4d8682ffa3a279bf8272a4ec318beeba6ff304dcd40