Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    03-12-2024 22:16

General

  • Target
    95e57782b2359c28ace997f6212d1a488c7d731607285fb58bf8650601d4ed2b.apk
  • Size
    2.9MB
  • MD5
    cf57ddd38bea31fe445f0a8b907e202a
  • SHA1
    ce57c1d0c126868042b85ac6d4c5b8ae53d53aeb
  • SHA256
    95e57782b2359c28ace997f6212d1a488c7d731607285fb58bf8650601d4ed2b
  • SHA512
    242cc5529009b480796e91f1dbcbe337f771ae4a76bfad4fab95778b90ea58e092be4facf26db739f383f57cf1ae38cc6ce2c8d3f59c91862c8140697d8b0d13
  • SSDEEP
    49152:dg94mHNyFLEZl+QAj2tyloxKDXHi4stII/6btE05dyw8RwW59gjvuo8+XQ:EN5Zl+Q82tKoxKDNm6BRnyzRB9gTz8+A

Malware Config

Extracted

Family

hydra

C2

http://samsamcevir.cfd

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra family
  • Hydra payload 4 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Processes

  • com.repeat.when
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4251
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.repeat.when/app_moral/RaWEqs.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.repeat.when/app_moral/oat/x86/RaWEqs.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4279

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.repeat.when/app_moral/RaWEqs.json
    Filesize: 967KB
    MD5: 0a57f486a30a841588aac5c3305bbd42
    SHA1: 269f93c08de31cdd9016243835afa99154e44e81
    SHA256: e6bba1a90dc4ddd6a62e4523a52dbbb3f30a2a41d13942f94e727ec07275c9ac
    SHA512: 46f30ce0b36cd633ad239b6a0a476b28ae868f6a4be2c945b2836203589ee56cf1b0ca67a9dfb783d73a6a655263357319d1f15bfb8669bc8f8e0c18079a590f

  • /data/data/com.repeat.when/app_moral/RaWEqs.json
    Filesize: 967KB
    MD5: 32dfcd4b46363cf46fc3b1cd10b683cb
    SHA1: ffbffaa228f9bc893dec9b824b3eec3d0ae95436
    SHA256: ec3959e295cb5ce983794f5365972517b46600e7ebce5e2d6db0bbb3ce592802
    SHA512: a40ca96434828481c2526111157b77c0a9cd531e1bfd39838b63c26eb669eb950878d6120f926e0bd56bdd869d456f6128bcbc03db67e9a9f2decedfb9721c42

  • /data/data/com.repeat.when/app_moral/oat/RaWEqs.json.cur.prof
    Filesize: 1KB
    MD5: 5d6003791136a757c5f4aa90ef1412d1
    SHA1: bbcfe8f441d4c1b3d87fbad041bbc444b6ce4852
    SHA256: 5ca571969af7955f12d135c087122b5b03b65fde062689065d5ec1f13756f62a
    SHA512: f59469a40ffab09eb1b827ad6dddb0fd64b6e3c7f7d8ae731ad3352528cec566be0914452dcc126ed337d8aa10db6ba0d36c3efbbafe393a0976208e12f29ee4

  • /data/user/0/com.repeat.when/app_moral/RaWEqs.json
    Filesize: 2.2MB
    MD5: 38b2d7697be2169c9bc8de9a31e31811
    SHA1: 7266af283a7f582370f4ad1131618ca0e45a0dbf
    SHA256: 4b91a9e2af8f8922409c2981eddc5b3f019aa7a200e7647641e7a1ec3fade136
    SHA512: a3a97a529a605364d452a6abfd14d45c434694f853ca89bd2220a6584f9505736e70d1b4ac5a8c6744c2d4babd9567d91199dba0ed36fa345a01aad34483eeaf

  • /data/user/0/com.repeat.when/app_moral/RaWEqs.json
    Filesize: 2.2MB
    MD5: 63acf41579b5f4aecf4edc869a4b285b
    SHA1: 607e30f38d069c5f07f30d37af38b252cc837225
    SHA256: fc616a2a7d99cef1568800fdc080bece8987ea122589b2b347b0b698207e7507
    SHA512: 26b17f086ab19408dc7ef2da6105e1f2ccf6add1f24b7c65499e4e75d46da3f2e2a9478c42a218e21a62f624034cfdac100900060eb653d1592292049a272f1d