Resubmissions
27-11-2024 14:27  241127-rshstaxkbv  score 10
27-11-2024 14:25  241127-rrrz4atlbr  score 10
27-11-2024 14:24  241127-rqptcaxjdt  score 10
27-11-2024 14:07  241127-rfaaxasqgk  score 10
31-12-2023 17:07  231231-vmy5dsbbar  score 1
Analysis
max time kernel: 79s
max time network: 88s
platform: android_x64
resource: android-33-x64-arm64-20240624-en
resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
submitted: 27-11-2024 14:24
Static task: static1
Behavioral task: behavioral1
Sample: Play_Store.apk
Resource: android-33-x64-arm64-20240624-en
General
Target: Play_Store.apk
Size: 4.2MB
MD5: 6966dead3e5307bee1ba7a5ead34a63c
SHA1: 49117815e82f8e8f5ee979e2db0924ebbb5699b8
SHA256: 7e7ee5b11fe1ca56f0f8416638964bec68b9ef90b25426f06d1330222b1dcf3d
SHA512: 693b02d938d2b5bdf7b6085ad87a5eaa3c2134528739a1aab127bc533f4bda3659ef56e7a5261d5d2517b8586ecb3f52668f56ce2d55e8b7d8fbd1ab5c0a8daa
SSDEEP: 98304:E0VWaHzRXEjLWQo+KuHQPyYYGsMvCuSjgxekJbeBVv:E0VWkzRUfMJkYyYYN+CpKekwVv
Malware Config
Extracted family: hydra
Extracted URL: http://boynezborisalez.net
Signatures
Hydra
  Android banker and info stealer.
Hydra family
Hydra payload (1 IoC)
  resource: behavioral1/files/fstream-2.dat, yara_rule: family_hydra2
Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.bhizakhmr.ryectjpkr/app_app_dex/uhhdcjq.wgs, pid: 4313, process: com.bhizakhmr.ryectjpkr
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process: com.bhizakhmr.ryectjpkr)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (process: com.bhizakhmr.ryectjpkr)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (process: com.bhizakhmr.ryectjpkr)
Reads the contacts stored on the device. (1 TTP, 1 IoC)
  URI accessed for read: content://com.android.contacts/contacts (process: com.bhizakhmr.ryectjpkr)
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 21, ioc: ip-api.com
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground (process: com.bhizakhmr.ryectjpkr)
Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
  Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (process: com.bhizakhmr.ryectjpkr)
Queries information about active data network (1 TTP, 1 IoC)
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (process: com.bhizakhmr.ryectjpkr)
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process: com.bhizakhmr.ryectjpkr)
Reads information about phone network operator. (1 TTP)
Requests accessing notifications (often used to intercept notifications before users become aware). (1 TTP, 1 IoC)
  Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS (process: com.bhizakhmr.ryectjpkr)
Requests enabling of the accessibility settings. (1 IoC)
  Intent action: android.settings.ACCESSIBILITY_SETTINGS (process: com.bhizakhmr.ryectjpkr)
Processes
com.bhizakhmr.ryectjpkr (PID: 4313)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Reads the contacts stored on the device.
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests enabling of the accessibility settings.
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
Credential Access
- Access Notifications (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)
Downloads
Filesize: 2.7MB
MD5: 9b3f4defbb592ded624d45a4d67fc9b6
SHA1: 48ed59bd09f3ee857fd0acac8e34e491b655ce94
SHA256: ce596473e7e4946863c571563eae0d2f0ca8339584d1d8b4b07c59c7fb4681cf
SHA512: 7cd3086606b595f58495b933351ae77f24aa8c32f1a29f11fa08a2d5b7e43ec3bf25a21b7c22f70e5e0ee3bcbd25eba93c40273186680e6bc8c8b59c17f73fdd

Filesize: 22B
MD5: 76cdb2bad9582d23c1f6f4d868218d6c
SHA1: b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256: 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512: 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f