Analysis

  • max time kernel
    72s
  • max time network
    78s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    06/11/2024, 13:47 UTC

General

  • Target

    c14851503ba5221855133afe47a79c42507ee8803fb777095b8e1d7a346fc34c.bin [MConverter.eu].apk

  • Size

    4.4MB

  • MD5

    dd25ccd0ab23e30d6c3a82f70a97d9b0

  • SHA1

    ab979bc5901afebdd316de576b0e2a3596e02331

  • SHA256

    c14851503ba5221855133afe47a79c42507ee8803fb777095b8e1d7a346fc34c

  • SHA512

    64976749894d5751555ca5c1a655b11cb166faf6e23731f2d7ff388a30d90348cf47838488f87d840f43329c6c36e4467fdd2820207efa953bdc948cb46841e3

  • SSDEEP

    98304:jp1hKd5hXCpr3zMH9ZEC8mw3Kl2vhC6O7PElYuBVgVIa1:VM5hXCBwHrEC8mwDwPElKp

Malware Config

Extracted

Family

hydra

C2

http://gaynolizpahpamedsos.xyz

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra family
  • Hydra payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests enabling of the accessibility settings. 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Processes

  • com.gnvjathsw.fwdtrwnug
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests enabling of the accessibility settings.
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4267
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gnvjathsw.fwdtrwnug/app_app_dex/ykrqpun.jmk --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gnvjathsw.fwdtrwnug/app_app_dex/oat/x86/ykrqpun.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4295

Network

  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    172.217.16.228
  • flag-us
    DNS
    gaynolizpahpamedsos.xyz
    Remote address:
    1.1.1.1:53
    Request
    gaynolizpahpamedsos.xyz
    IN A
    Response
    gaynolizpahpamedsos.xyz
    IN A
    80.66.64.77
  • flag-us
    DNS
    update.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    update.googleapis.com
    IN A
    Response
    update.googleapis.com
    IN A
    142.250.187.227
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.200.46
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Authorization: da0a3cc4555b7005
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Wed, 06 Nov 2024 13:48:29 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 289
    Access-Control-Allow-Origin: *
    X-Ttl: 59
    X-Rl: 43
  • 216.58.213.10:443
    tls, https
    202 B
    40 B
    1
    1
  • 172.217.16.228:443
    www.google.com
    tls
    2.2kB
    6.5kB
    20
    23
  • 80.66.64.77:80 (4 identical connections)
    gaynolizpahpamedsos.xyz
    60 B
    40 B
    1
    1
  • 142.250.187.227:443
    update.googleapis.com
    tls
    1.7kB
    6.6kB
    9
    11
  • 142.250.187.234:443
    semanticlocation-pa.googleapis.com
    tls
    2.0kB
    6.2kB
    12
    14
  • 142.250.200.46:443
    tls, https
    858 B
    40 B
    1
    1
  • 142.250.200.46:443
    android.apis.google.com
    tls
    2.8kB
    7.0kB
    10
    15
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    411 B
    558 B
    4
    2

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200
  • 80.66.64.77:80 (9 identical connections)
    gaynolizpahpamedsos.xyz
    60 B
    40 B
    1
    1
  • 216.58.213.10:443
    semanticlocation-pa.googleapis.com
    tls, https
    1.2kB
    40 B
    1
    1
  • 80.66.64.77:80 (6 identical connections)
    gaynolizpahpamedsos.xyz
    60 B
    40 B
    1
    1
  • 224.0.0.251:5353
    3.3kB
    10
  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    336 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

  • 1.1.1.1:53
    www.google.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    172.217.16.228

  • 1.1.1.1:53
    gaynolizpahpamedsos.xyz
    dns
    69 B
    85 B
    1
    1

    DNS Request

    gaynolizpahpamedsos.xyz

    DNS Response

    80.66.64.77

  • 1.1.1.1:53
    update.googleapis.com
    dns
    67 B
    83 B
    1
    1

    DNS Request

    update.googleapis.com

    DNS Response

    142.250.187.227

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.200.46

  • 1.1.1.1:53
    ip-api.com
    dns
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.gnvjathsw.fwdtrwnug/app_app_dex/ykrqpun.jmk

    Filesize

    2.7MB

    MD5

    a1af78d7328e74aaeb30d4199bcd0015

    SHA1

    1101064efa1f7eecf54fd505a12d3a45949f3e27

    SHA256

    f09dff3018fa6d5b91794ddf50bd8192f544224bac670f46a957422c8d7b9e0e

    SHA512

    971a30efb8e33e9945bd80f036201be1569ff7ff1677e888eff9e527fae15cc8f7284a8679ee5a30fb019af85632a391184e9543a02671826f69e2b2c2e8a433

  • /data/user/0/com.gnvjathsw.fwdtrwnug/app_app_dex/ykrqpun.jmk

    Filesize

    2.7MB

    MD5

    0ac0685c2b3cb3b3b91cd17604b66130

    SHA1

    d1575d46892e6edb708ca17a192ec178e48a77ae

    SHA256

    6cb296f793369e614d76b8cd97b8e24565850aec04c9942d39807da36f7b8288

    SHA512

    5cc715b36179236dfad346dcacf39d3812da2b2862c1a1eb7aa604dc99b497ad17beded597cbfdaaafc3d6380b476ec0f570d4b955c0fa4185556f5a9765fe7e
