Analysis
-
max time kernel
72s -
max time network
78s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
06-11-2024 13:47
Static task
static1
Behavioral task
behavioral1
Sample
c14851503ba5221855133afe47a79c42507ee8803fb777095b8e1d7a346fc34c.bin [MConverter.eu].apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
c14851503ba5221855133afe47a79c42507ee8803fb777095b8e1d7a346fc34c.bin [MConverter.eu].apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
c14851503ba5221855133afe47a79c42507ee8803fb777095b8e1d7a346fc34c.bin [MConverter.eu].apk
Resource
android-x64-arm64-20240624-en
General
-
Target
c14851503ba5221855133afe47a79c42507ee8803fb777095b8e1d7a346fc34c.bin [MConverter.eu].apk
-
Size
4.4MB
-
MD5
dd25ccd0ab23e30d6c3a82f70a97d9b0
-
SHA1
ab979bc5901afebdd316de576b0e2a3596e02331
-
SHA256
c14851503ba5221855133afe47a79c42507ee8803fb777095b8e1d7a346fc34c
-
SHA512
64976749894d5751555ca5c1a655b11cb166faf6e23731f2d7ff388a30d90348cf47838488f87d840f43329c6c36e4467fdd2820207efa953bdc948cb46841e3
-
SSDEEP
98304:jp1hKd5hXCpr3zMH9ZEC8mw3Kl2vhC6O7PElYuBVgVIa1:VM5hXCBwHrEC8mwDwPElKp
Malware Config
Extracted
hydra
http://gaynolizpahpamedsos.xyz
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra family
-
Hydra payload 2 IoCs
resource yara_rule behavioral1/files/fstream-1.dat family_hydra2 behavioral1/memory/4267-1.dex family_hydra2 -
pid Process 4267 com.gnvjathsw.fwdtrwnug -
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.gnvjathsw.fwdtrwnug/app_app_dex/ykrqpun.jmk 4267 com.gnvjathsw.fwdtrwnug /data/user/0/com.gnvjathsw.fwdtrwnug/app_app_dex/ykrqpun.jmk 4295 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gnvjathsw.fwdtrwnug/app_app_dex/ykrqpun.jmk --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gnvjathsw.fwdtrwnug/app_app_dex/oat/x86/ykrqpun.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.gnvjathsw.fwdtrwnug/app_app_dex/ykrqpun.jmk 4267 com.gnvjathsw.fwdtrwnug -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.gnvjathsw.fwdtrwnug Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.gnvjathsw.fwdtrwnug Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.gnvjathsw.fwdtrwnug -
Reads the contacts stored on the device. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://com.android.contacts/contacts com.gnvjathsw.fwdtrwnug -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 ip-api.com -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.gnvjathsw.fwdtrwnug -
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.gnvjathsw.fwdtrwnug android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.gnvjathsw.fwdtrwnug android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.gnvjathsw.fwdtrwnug android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.gnvjathsw.fwdtrwnug android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.gnvjathsw.fwdtrwnug -
Queries information about active data network 1 TTPs 1 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.gnvjathsw.fwdtrwnug -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.gnvjathsw.fwdtrwnug -
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.gnvjathsw.fwdtrwnug -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.gnvjathsw.fwdtrwnug -
Requests enabling of the accessibility settings. 1 IoCs
description ioc Process Intent action android.settings.ACCESSIBILITY_SETTINGS com.gnvjathsw.fwdtrwnug -
Requests modifying system settings. 1 IoCs
description ioc Process Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.gnvjathsw.fwdtrwnug -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.gnvjathsw.fwdtrwnug
Processes
-
com.gnvjathsw.fwdtrwnug1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Reads the contacts stored on the device.
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4267 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gnvjathsw.fwdtrwnug/app_app_dex/ykrqpun.jmk --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gnvjathsw.fwdtrwnug/app_app_dex/oat/x86/ykrqpun.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4295
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5a1af78d7328e74aaeb30d4199bcd0015
SHA11101064efa1f7eecf54fd505a12d3a45949f3e27
SHA256f09dff3018fa6d5b91794ddf50bd8192f544224bac670f46a957422c8d7b9e0e
SHA512971a30efb8e33e9945bd80f036201be1569ff7ff1677e888eff9e527fae15cc8f7284a8679ee5a30fb019af85632a391184e9543a02671826f69e2b2c2e8a433
-
Filesize
2.7MB
MD50ac0685c2b3cb3b3b91cd17604b66130
SHA1d1575d46892e6edb708ca17a192ec178e48a77ae
SHA2566cb296f793369e614d76b8cd97b8e24565850aec04c9942d39807da36f7b8288
SHA5125cc715b36179236dfad346dcacf39d3812da2b2862c1a1eb7aa604dc99b497ad17beded597cbfdaaafc3d6380b476ec0f570d4b955c0fa4185556f5a9765fe7e