hydra | 2b305310db25d5ac714d4e5df898fa336e0bb3b86039b42ea37762f00956b3ff | Triage

Analysis

max time kernel
149s
max time network
132s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
04/12/2024, 16:52 UTC

Sharing

Report Analysis Logs

General

Target

c37ae32cd4bcce93797535082e2080a2_JaffaCakes118.apk
Size

3.0MB
MD5

c37ae32cd4bcce93797535082e2080a2
SHA1

ae84294f83e45c8a9180cb6a0e658181fdee62fc
SHA256

2b305310db25d5ac714d4e5df898fa336e0bb3b86039b42ea37762f00956b3ff
SHA512

6b1005ce7b3749d94126be73e926bfea988a3961a95a493bb879e3efaea93b62936a13589c063601fda32cc1403b0b9639661dfe7183bb395c6d23c431f6506e
SSDEEP

49152:4MZfhiOsnVv0VdpuowM1EqMz3KDH8ZEesJfZhANAZdo5R0fe5Cn5z5Fa/SPxAqw5:4Qf9aVv0Vd8JQMmDcZsfZhu6o5K44rFq

Score

10^/10

hydra banker collection credential_access discovery evasion infostealer trojan

Malware Config

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra
Hydra family
hydra

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

Download New Code at Runtime

ioc	pid	Process
/data/user/0/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/base.apk.classes1.zip	4510	com.wefccxit.cbhxpgr

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

Screen Capture

Keylogging

GUI Input Capture

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.wefccxit.cbhxpgr
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.wefccxit.cbhxpgr

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Queries information about active data network 1 TTPs 1 IoCs

System Network Connections Discovery

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.wefccxit.cbhxpgr

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

System Network Configuration Discovery

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.wefccxit.cbhxpgr

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

com.wefccxit.cbhxpgr
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about active data network
- Queries the mobile country code (MCC)
PID:4510

Network

DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.178.14
DNS

gist.githubusercontent.com

Remote address:

1.1.1.1:53

Request

gist.githubusercontent.com

IN A

Response

gist.githubusercontent.com

IN A

185.199.108.133

gist.githubusercontent.com

IN A

185.199.109.133

gist.githubusercontent.com

IN A

185.199.111.133

gist.githubusercontent.com

IN A

185.199.110.133
GET

https://gist.githubusercontent.com/raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json

Remote address:

185.199.108.133:443

Request

GET /raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json HTTP/1.1
Authorization: 26a1b1020753576f
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
Host: gist.githubusercontent.com
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 404 Not Found

Connection: keep-alive
Content-Length: 14
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8
X-GitHub-Request-Id: 3381:1342C9:1B6FEA:206095:675088F2
Accept-Ranges: bytes
Date: Wed, 04 Dec 2024 16:53:06 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420124-LON
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1733331186.450664,VS0,VE109
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 893745d7fd84e513614c41681a6a3d272497a988
Expires: Wed, 04 Dec 2024 16:58:06 GMT
Source-Age: 0
DNS

ssl.google-analytics.com

Remote address:

1.1.1.1:53

Request

ssl.google-analytics.com

IN A

Response

ssl.google-analytics.com

IN A

142.250.179.232
DNS

ip-api.com

Remote address:

1.1.1.1:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json

Remote address:

208.95.112.1:80

Request

GET /json HTTP/1.1
Authorization: 26a1b1020753576f
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
Host: ip-api.com
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Wed, 04 Dec 2024 16:53:16 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44

142.250.187.206:443

tls, https

1.5kB
40 B
1
1
142.250.187.206:443

tls, https

1.5kB
40 B
1
1
142.250.178.14:443

android.apis.google.com

tls

5.6kB
8.7kB
23
23
185.199.108.133:443

https://gist.githubusercontent.com/raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json

tls, http

1.5kB
5.9kB
12
12

HTTP Request

GET https://gist.githubusercontent.com/raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json

HTTP Response

404
142.250.179.232:443

ssl.google-analytics.com

tls

1.3kB
6.2kB
9
8
208.95.112.1:80

http://ip-api.com/json

http

452 B
640 B
5
4

HTTP Request

GET http://ip-api.com/json

HTTP Response

200
142.250.187.228:443

tls, https

847 B
40 B
2
1
142.250.187.228:443

www.google.com

tls

11.0kB
10.2kB
28
35

224.0.0.251:5353

3.7kB
11
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

142.250.178.14
1.1.1.1:53

gist.githubusercontent.com

dns

72 B
136 B
1
1

DNS Request

gist.githubusercontent.com

DNS Response

185.199.108.133

185.199.109.133

185.199.111.133

185.199.110.133
1.1.1.1:53

ssl.google-analytics.com

dns

70 B
86 B
1
1

DNS Request

ssl.google-analytics.com

DNS Response

142.250.179.232
1.1.1.1:53

ip-api.com

dns

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

System Network Configuration Discovery

System Network Connections Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
902KB

MD5
bfdaf3784d3f7487759eaaed9042907a

SHA1
84778b47fb7d80253785530b3aaef4a11ddcb8c6

SHA256
1eaaf545b99745477d09f03b96a043b885a742c7d850136117337054b9673e2a

SHA512
7fba3a01105a55510457e9910af3b7368b36551d1474914e8bc88e39504cfb2fd8ff7ef42c6fc0762aba9cf8bfec3ddf82ef01bc62d7b029a8114f2f4117b646

Download Submit
/data/user/0/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/tmp-base.apk.classes2840182326076045177.zip

Filesize
378KB

MD5
051babff27f407292fe1d8a5976780aa

SHA1
02f1814a3654684e0bf82abdd5275e1dadb2e3a1

SHA256
47cc42df8062022f5576169758085ba166008827cd08a063cd4f6ecd63f6fbf8

SHA512
e4e452d30ac6cf215bc2ca157f150547d684d49d27ceda9293387adc420441aac3d3e0a10efe25870328e705a14d7ce55df797c941e694a68194faecea6dcbf9

Download Submit