Malware Analysis Report

2025-01-19 05:26

Sample ID 241127-rfaaxasqgk
Target Play_Store.apk
SHA256 7e7ee5b11fe1ca56f0f8416638964bec68b9ef90b25426f06d1330222b1dcf3d
Tags: hydra banker collection credential_access discovery evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7e7ee5b11fe1ca56f0f8416638964bec68b9ef90b25426f06d1330222b1dcf3d

Threat Level: Known bad

The file Play_Store.apk was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Hydra family

Hydra payload

Hydra

Reads the contacts stored on the device.

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the mobile country code (MCC)

Reads information about phone network operator.

Queries information about active data network

Performs UI accessibility actions on behalf of the user

Declares broadcast receivers with permission to handle system events

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Looks up external IP address via web service

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-27 14:07

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 14:07

Reported

2024-11-27 14:22

Platform

android-33-x64-arm64-20240624-fr

Max time kernel

599s

Max time network

608s

Command Line

com.bhizakhmr.ryectjpkr

Signatures

Hydra

Tags: banker trojan infostealer hydra

Hydra family

Tags: hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.bhizakhmr.ryectjpkr/app_app_dex/uhhdcjq.wgs | N/A | N/A

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

Tags: collection

Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

Tags: evasion

Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Processes

com.bhizakhmr.ryectjpkr

Network

Country | Destination | Domain | Proto
GB | 172.217.169.68:443 | | tcp
US | 216.239.34.223:80 | play.googleapis.com | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.4:443 | | udp
GB | 172.217.169.68:443 | | tcp
GB | 142.250.180.4:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | boynezborisalez.net | udp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.180.4:443 | | udp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 142.250.180.10:443 | remoteprovisioning.googleapis.com | tcp
US | 172.64.41.3:443 | | tcp
US | 172.64.41.3:443 | | tcp
US | 172.64.41.3:443 | | udp
GB | 142.250.187.227:443 | | tcp
GB | 142.250.187.227:443 | | udp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.78:443 | android.apis.google.com | tcp
GB | 142.250.178.8:443 | | tcp
GB | 142.250.187.226:443 | | tcp
GB | 142.250.187.226:443 | | tcp
GB | 142.250.187.230:80 | | tcp
GB | 142.250.187.230:443 | | tcp
GB | 216.58.204.66:443 | | tcp
GB | 142.250.178.3:443 | | tcp
GB | 142.250.178.3:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.178.4:443 | www.google.com | udp
GB | 142.250.178.4:443 | www.google.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | encrypted-tbn0.gstatic.com | udp
GB | 142.250.200.14:443 | encrypted-tbn0.gstatic.com | tcp
US | 216.239.38.223:443 | | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
GB | 142.250.200.14:443 | encrypted-tbn0.gstatic.com | udp
US | 1.1.1.1:53 | newsstand.googleusercontent.com | udp
GB | 142.250.200.1:443 | newsstand.googleusercontent.com | tcp
GB | 142.250.200.1:443 | newsstand.googleusercontent.com | tcp
GB | 216.58.204.91:443 | | tcp
US | 1.1.1.1:53 | social-magazines-prod.storage.googleapis.com | udp
GB | 142.250.180.27:443 | social-magazines-prod.storage.googleapis.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 162.159.61.3:443 | | tcp
US | 172.64.41.3:443 | | tcp

Files

/data/user/0/com.bhizakhmr.ryectjpkr/files/mgjtgw.feq

MD5: 76cdb2bad9582d23c1f6f4d868218d6c
SHA1: b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256: 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512: 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

/data/user/0/com.bhizakhmr.ryectjpkr/app_app_dex/uhhdcjq.wgs

MD5: 9b3f4defbb592ded624d45a4d67fc9b6
SHA1: 48ed59bd09f3ee857fd0acac8e34e491b655ce94
SHA256: ce596473e7e4946863c571563eae0d2f0ca8339584d1d8b4b07c59c7fb4681cf
SHA512: 7cd3086606b595f58495b933351ae77f24aa8c32f1a29f11fa08a2d5b7e43ec3bf25a21b7c22f70e5e0ee3bcbd25eba93c40273186680e6bc8c8b59c17f73fdd