Malware Analysis Report

2025-01-19 05:26

Sample ID 241203-16xzbsxka1
Target 95e57782b2359c28ace997f6212d1a488c7d731607285fb58bf8650601d4ed2b.bin
SHA256 95e57782b2359c28ace997f6212d1a488c7d731607285fb58bf8650601d4ed2b
Tags hydra banker collection credential_access discovery evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

95e57782b2359c28ace997f6212d1a488c7d731607285fb58bf8650601d4ed2b

Threat Level: Known bad

The file 95e57782b2359c28ace997f6212d1a488c7d731607285fb58bf8650601d4ed2b.bin was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Hydra payload

Hydra family

Hydra

Loads dropped Dex/Jar

Reads the contacts stored on the device.

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Reads information about phone network operator.

Looks up external IP address via web service

Queries information about active data network

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Performs UI accessibility actions on behalf of the user

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-03 22:16

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-03 22:16

Reported

2024-12-03 22:19

Platform

android-x86-arm-20240624-en

Max time kernel

148s

Max time network

147s

Command Line

com.repeat.when

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.repeat.when/app_moral/RaWEqs.json | N/A | N/A
N/A | /data/user/0/com.repeat.when/app_moral/RaWEqs.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.repeat.when

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.repeat.when/app_moral/RaWEqs.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.repeat.when/app_moral/oat/x86/RaWEqs.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.74:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | samsamcevir.cfd | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

/data/data/com.repeat.when/app_moral/RaWEqs.json

MD5 0a57f486a30a841588aac5c3305bbd42
SHA1 269f93c08de31cdd9016243835afa99154e44e81
SHA256 e6bba1a90dc4ddd6a62e4523a52dbbb3f30a2a41d13942f94e727ec07275c9ac
SHA512 46f30ce0b36cd633ad239b6a0a476b28ae868f6a4be2c945b2836203589ee56cf1b0ca67a9dfb783d73a6a655263357319d1f15bfb8669bc8f8e0c18079a590f

/data/data/com.repeat.when/app_moral/RaWEqs.json

MD5 32dfcd4b46363cf46fc3b1cd10b683cb
SHA1 ffbffaa228f9bc893dec9b824b3eec3d0ae95436
SHA256 ec3959e295cb5ce983794f5365972517b46600e7ebce5e2d6db0bbb3ce592802
SHA512 a40ca96434828481c2526111157b77c0a9cd531e1bfd39838b63c26eb669eb950878d6120f926e0bd56bdd869d456f6128bcbc03db67e9a9f2decedfb9721c42

/data/user/0/com.repeat.when/app_moral/RaWEqs.json

MD5 63acf41579b5f4aecf4edc869a4b285b
SHA1 607e30f38d069c5f07f30d37af38b252cc837225
SHA256 fc616a2a7d99cef1568800fdc080bece8987ea122589b2b347b0b698207e7507
SHA512 26b17f086ab19408dc7ef2da6105e1f2ccf6add1f24b7c65499e4e75d46da3f2e2a9478c42a218e21a62f624034cfdac100900060eb653d1592292049a272f1d

/data/user/0/com.repeat.when/app_moral/RaWEqs.json

MD5 38b2d7697be2169c9bc8de9a31e31811
SHA1 7266af283a7f582370f4ad1131618ca0e45a0dbf
SHA256 4b91a9e2af8f8922409c2981eddc5b3f019aa7a200e7647641e7a1ec3fade136
SHA512 a3a97a529a605364d452a6abfd14d45c434694f853ca89bd2220a6584f9505736e70d1b4ac5a8c6744c2d4babd9567d91199dba0ed36fa345a01aad34483eeaf

/data/data/com.repeat.when/app_moral/oat/RaWEqs.json.cur.prof

MD5 5d6003791136a757c5f4aa90ef1412d1
SHA1 bbcfe8f441d4c1b3d87fbad041bbc444b6ce4852
SHA256 5ca571969af7955f12d135c087122b5b03b65fde062689065d5ec1f13756f62a
SHA512 f59469a40ffab09eb1b827ad6dddb0fd64b6e3c7f7d8ae731ad3352528cec566be0914452dcc126ed337d8aa10db6ba0d36c3efbbafe393a0976208e12f29ee4

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-03 22:16

Reported

2024-12-03 22:19

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

136s

Command Line

com.repeat.when

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.repeat.when/app_moral/RaWEqs.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.repeat.when

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | samsamcevir.cfd | udp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/data/data/com.repeat.when/app_moral/RaWEqs.json

MD5 0a57f486a30a841588aac5c3305bbd42
SHA1 269f93c08de31cdd9016243835afa99154e44e81
SHA256 e6bba1a90dc4ddd6a62e4523a52dbbb3f30a2a41d13942f94e727ec07275c9ac
SHA512 46f30ce0b36cd633ad239b6a0a476b28ae868f6a4be2c945b2836203589ee56cf1b0ca67a9dfb783d73a6a655263357319d1f15bfb8669bc8f8e0c18079a590f

/data/data/com.repeat.when/app_moral/RaWEqs.json

MD5 32dfcd4b46363cf46fc3b1cd10b683cb
SHA1 ffbffaa228f9bc893dec9b824b3eec3d0ae95436
SHA256 ec3959e295cb5ce983794f5365972517b46600e7ebce5e2d6db0bbb3ce592802
SHA512 a40ca96434828481c2526111157b77c0a9cd531e1bfd39838b63c26eb669eb950878d6120f926e0bd56bdd869d456f6128bcbc03db67e9a9f2decedfb9721c42

/data/user/0/com.repeat.when/app_moral/RaWEqs.json

MD5 63acf41579b5f4aecf4edc869a4b285b
SHA1 607e30f38d069c5f07f30d37af38b252cc837225
SHA256 fc616a2a7d99cef1568800fdc080bece8987ea122589b2b347b0b698207e7507
SHA512 26b17f086ab19408dc7ef2da6105e1f2ccf6add1f24b7c65499e4e75d46da3f2e2a9478c42a218e21a62f624034cfdac100900060eb653d1592292049a272f1d

/data/data/com.repeat.when/app_moral/oat/RaWEqs.json.cur.prof

MD5 7f5ae0d40634c7e05bc297f066b68687
SHA1 71993f18bab6cc62978ec8a9344b777e5de9a797
SHA256 a1ed6fd8a16361112b6b1cb36ae4832a55c791eb532bd7d111803e41f3402fb2
SHA512 f65395c4d58933e8e353436ca02ae7837a0335c5d7fae93e67e43f34521b64ea3bf845b2fc19825009be5299e36093344562d16f93689480940098a227bb1a5b

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-03 22:16

Reported

2024-12-03 22:19

Platform

android-x64-arm64-20240624-en

Max time kernel

148s

Max time network

132s

Command Line

com.repeat.when

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.repeat.when/app_moral/RaWEqs.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.repeat.when

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | samsamcevir.cfd | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp

Files

/data/data/com.repeat.when/app_moral/RaWEqs.json

MD5 0a57f486a30a841588aac5c3305bbd42
SHA1 269f93c08de31cdd9016243835afa99154e44e81
SHA256 e6bba1a90dc4ddd6a62e4523a52dbbb3f30a2a41d13942f94e727ec07275c9ac
SHA512 46f30ce0b36cd633ad239b6a0a476b28ae868f6a4be2c945b2836203589ee56cf1b0ca67a9dfb783d73a6a655263357319d1f15bfb8669bc8f8e0c18079a590f

/data/data/com.repeat.when/app_moral/RaWEqs.json

MD5 32dfcd4b46363cf46fc3b1cd10b683cb
SHA1 ffbffaa228f9bc893dec9b824b3eec3d0ae95436
SHA256 ec3959e295cb5ce983794f5365972517b46600e7ebce5e2d6db0bbb3ce592802
SHA512 a40ca96434828481c2526111157b77c0a9cd531e1bfd39838b63c26eb669eb950878d6120f926e0bd56bdd869d456f6128bcbc03db67e9a9f2decedfb9721c42

/data/user/0/com.repeat.when/app_moral/RaWEqs.json

MD5 63acf41579b5f4aecf4edc869a4b285b
SHA1 607e30f38d069c5f07f30d37af38b252cc837225
SHA256 fc616a2a7d99cef1568800fdc080bece8987ea122589b2b347b0b698207e7507
SHA512 26b17f086ab19408dc7ef2da6105e1f2ccf6add1f24b7c65499e4e75d46da3f2e2a9478c42a218e21a62f624034cfdac100900060eb653d1592292049a272f1d