Resubmissions

  • 04-11-2024 12:53  241104-p4vweazdma  10
  • 04-11-2024 12:20  241104-ph937szfjr  10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags
    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    04-11-2024 12:53

General

  • Target

    com_xhwoylhty_xwqllcong.apk

  • Size

    4.4MB

  • MD5

    c9b50e181e4119ba28fe02d2a1660175

  • SHA1

    522f2f3cc5ecc29f6c66ac7d8b41a3d944742254

  • SHA256

    d2fd5348e03bbc69b9de411da7551c3bc0cc0de5f75725452d66a4cd2654137e

  • SHA512

    56ee0acb58f6efef95a60bc59936982e9b41ff760b2c889de8e66a69d1de582386e7ea77e38a4e1967329ae76ca7bb681fe756c3a92980e0a9499c7db6e0809f

  • SSDEEP

    98304:v1PMtzqdDby6Jn2oOSHSI2Rd0IudwbcJgH7TWqNyyB13R3xGisVgYroy:NUhoJH5OCIuObcC/3yI3xRsVgwoy

Malware Config

Extracted

Family

hydra

C2

http://gaynolizpahpamedsos.xyz

Signatures

  • Hydra
    Android banker and info stealer.
  • Hydra family
  • Hydra payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)
    Runs executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Reads the contacts stored on the device (1 TTP, 1 IoC)
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    Application may abuse the framework's foreground service to continue running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
    Application may abuse the accessibility service to prevent its removal.
  • Queries information about active data network (1 TTP, 1 IoC)
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about phone network operator (1 TTP)

Processes

  • com.xhwoylhty.xwqllcong (PID 4621)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)

Network

  • DNS android.apis.google.com (resolver 1.1.1.1:53)
    Request:  android.apis.google.com IN A
    Response: android.apis.google.com IN CNAME clients.l.google.com
              clients.l.google.com IN A 172.217.169.14
  • DNS ssl.google-analytics.com (resolver 1.1.1.1:53)
    Request:  ssl.google-analytics.com IN A
    Response: ssl.google-analytics.com IN A 142.250.180.8
  • DNS gaynolizpahpamedsos.xyz (resolver 1.1.1.1:53)
    Request:  gaynolizpahpamedsos.xyz IN A
    Response: gaynolizpahpamedsos.xyz IN A 80.66.64.77
  • DNS ip-api.com (resolver 1.1.1.1:53)
    Request:  ip-api.com IN A
    Response: ip-api.com IN A 208.95.112.1
  • GET http://ip-api.com/json (remote address 208.95.112.1:80)
    Request:
      GET /json HTTP/1.1
      Authorization: 5148051e00412048
      Content-Type: application/json
      User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
      Host: ip-api.com
      Connection: Keep-Alive
      Accept-Encoding: gzip
    Response:
      HTTP/1.1 200 OK
      Date: Mon, 04 Nov 2024 12:54:10 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 289
      Access-Control-Allow-Origin: *
      X-Ttl: 58
      X-Rl: 42
  Connections (in order of appearance; runs of identical connections are collapsed with a count):

  Address              Domain / URL               Proto       Sent    Recv    Pkts out  Pkts in  Notes
  142.250.187.206:443                             tls, https  1.5kB   40 B    1         1        2 identical connections
  172.217.169.14:443   android.apis.google.com    tls         5.6kB   8.5kB   23        23
  142.250.180.8:443    ssl.google-analytics.com   tls         1.3kB   6.3kB   8         9
  80.66.64.77:80       gaynolizpahpamedsos.xyz                60 B    40 B    1         1        4 identical connections
  208.95.112.1:80      http://ip-api.com/json     http        452 B   638 B   5         4        HTTP request GET http://ip-api.com/json, response 200
  80.66.64.77:80       gaynolizpahpamedsos.xyz                60 B    40 B    1         1        6 identical connections
  142.250.179.228:443                             tls, https  846 B   40 B    2         1
  142.250.179.228:443  www.google.com             tls         10.9kB  11.5kB  27        34
  80.66.64.77:80       gaynolizpahpamedsos.xyz                60 B    40 B    1         1        12 identical connections
  224.0.0.251:5353                                            3.7kB           11
  1.1.1.1:53           android.apis.google.com    dns         69 B    109 B   1         1        DNS request android.apis.google.com, response 172.217.169.14
  1.1.1.1:53           ssl.google-analytics.com   dns         70 B    86 B    1         1        DNS request ssl.google-analytics.com, response 142.250.180.8
  1.1.1.1:53           gaynolizpahpamedsos.xyz    dns         69 B    85 B    1         1        DNS request gaynolizpahpamedsos.xyz, response 80.66.64.77
  1.1.1.1:53           ip-api.com                 dns         56 B    72 B    1         1        DNS request ip-api.com, response 208.95.112.1


Downloads

  • /data/user/0/com.xhwoylhty.xwqllcong/app_app_dex/xrygjjn.mrv

    Filesize

    2.7MB

    MD5

    c513938f94e3e3ca21efad530fad3da3

    SHA1

    3202a822a71856e74c4113db247debfc7b890e5e

    SHA256

    8a5f8a0568ac39200325733fcc4b620bd48554ebb28c3522bdc7d0b738fabd98

    SHA512

    a1420d551c66087ab52ae5fbe9740e4bf38462c1ef736561005d4a5c5eee805ff87f8ce761ca36c2d14222f2baafa864f2578db139c05436091b026eff5d1aa8
