Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm
    arch:x86
    image:android-x86-arm-20240910-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    06-12-2024 22:05

General

  • Target

    aac1bae1b4c5eef4e2f72f69275e39cc9a188caf018678203ccedcc61d42adcd.apk

  • Size

    2.3MB

  • MD5

    eeda23083fcd9fdf7e6d94d92c361885

  • SHA1

    01bcc19e2d32820f7ab6ecd7b7efafcfcd49a385

  • SHA256

    aac1bae1b4c5eef4e2f72f69275e39cc9a188caf018678203ccedcc61d42adcd

  • SHA512

    002c4dbda30f062b41629795b904317a53285c43bb748d8d441d4e6f37a89870c7f5135311bcc36e4d9cf6931a99bf2d8e41ae22bba07f0b7718294efd239119

  • SSDEEP

    49152:/g94VLt8nzIhYLPVW2ldtBZ9QACx31+pe5yoGYbF4rFXPFGFle1KtKHgH1k:BtxhYLNW2TtBZ9+x3Ype5yoGAWdPilVK

Malware Config

Extracted

Family

hydra

C2

http://phoneyuklakerd.cfd

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra family
  • Hydra payload 4 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Processes

  • com.celery.vanish
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4273
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.celery.vanish/app_anxiety/HReTXMy.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.celery.vanish/app_anxiety/oat/x86/HReTXMy.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4300

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.celery.vanish/app_anxiety/HReTXMy.json

    Filesize

    967KB

    MD5

    bb8d474d9635a4ca515063215f7f3567

    SHA1

    685ee82360384324b08ca0bd4f4d4626ad69bbd3

    SHA256

    48f7a3561018bd010787f981087505bc0a451b97050e395a7ceb3527bb95616a

    SHA512

    53a36ff2079adb7b21be6a119a3d42f68f243e3faedfb408dd9e1d79e9f4d3e27e9bca444f6c4f081dc691e91425166cac5aba3b784be13e0d568f6fe4cad48b

  • /data/data/com.celery.vanish/app_anxiety/HReTXMy.json

    Filesize

    967KB

    MD5

    521f1bc44531bd633d2d24943b29a316

    SHA1

    84333eb49b551102137d70a721c092fb4f010e05

    SHA256

    966b37de92212ef1ec7980040e95fd39f86cadcfe81f995bf4ed3cd5250cc3b9

    SHA512

    16a32eabf47f57479409939316efe2c8b7d5bcc265fa711d01e14b540fb778f1dcc5a7db4c4df66eac373bb785df587fc24b1aca51b630aa3b8252db58232e89

  • /data/data/com.celery.vanish/app_anxiety/oat/HReTXMy.json.cur.prof

    Filesize

    1KB

    MD5

    7e89e5841f7008409deed719e7415148

    SHA1

    07a0fe8edb62f6ecbeb112b6fce004943f89bd59

    SHA256

    353acc4de3a07c81e3e0d6d59374af78aae5d2f34146b92c3afe43e11227e048

    SHA512

    5ac82c14446fd07334fa4d7f519d5ce40f8b0244f6aff0b3b3e2d507c2b591a276c0145128bdaea914be3ef7cf632dcd3ab5243c0038189b721f724678da6a89

  • /data/user/0/com.celery.vanish/app_anxiety/HReTXMy.json

    Filesize

    2.2MB

    MD5

    6ea9d5e91ff91f6c34637f0171d41952

    SHA1

    6b7ea9542d5aadd2a4486859e538ef05b312019c

    SHA256

    46ddd9a3610b025a53b4720972acdd10277c29d17a3fef4af51ba84d1641e257

    SHA512

    8cf0ce23c6b1eb4633a05cc01cc1bc837ba7894d152cba27d0bf3fcb6f6e55e594a8c4e7da1d70951c9b69a8beb869abc6e4cc9a6e0f4729050ac1dae0025c07

  • /data/user/0/com.celery.vanish/app_anxiety/HReTXMy.json

    Filesize

    2.2MB

    MD5

    6e559249a77b664e5ef3f463f9047df0

    SHA1

    ac827840ffb40b9d7245f8bf3d3f9559f87ddc74

    SHA256

    d2097306981d565fcafa4cd41ccec8f06c84863fcaf5c0b75eb819a072fd646a

    SHA512

    438fc8e28f168373a844f7c01105573a9eda4537a76a91aaf9d8105c6e28212bf0e909a0d54f958d1d27f186cd9b051be799172190c75f373c3fc172f621ff36
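The "Loads dropped Dex/Jar" signature, the dex2oat invocation in the Processes section and the Downloads listing describe the same pattern: the app writes a DEX payload to its private app_anxiety directory under a .json name (the same path shows up twice with different hashes, so it was rewritten during the run) and hands it to dex2oat for compilation. The following Python triage helper is an added example, not tooling from the report or code from the sample. It extracts the --dex-file arguments from a dex2oat command line (the truncated line from the report is reproduced as-is), identifies DEX content by its header magic rather than by file extension, checks the header's declared file_size against the real length, and compares the SHA256 against the values the report lists. The function names and the DEX-shaped sample blob are constructed for the example; the blob is not a real payload.

```python
"""Triage helper for dropped-DEX findings (added example, not tooling from the report)."""
import hashlib
import re
import struct

# dex2oat command line reproduced from the report's Processes section.
# The page truncates it at "--class-loader-context=&"; that is kept as-is.
REPORT_DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--dex-file=/data/user/0/com.celery.vanish/app_anxiety/HReTXMy.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.celery.vanish/app_anxiety/oat/x86/HReTXMy.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# SHA256 values from the report's Downloads section for the two
# /data/user/0/.../HReTXMy.json versions that dex2oat was pointed at.
KNOWN_DROPPED_DEX_SHA256 = {
    "46ddd9a3610b025a53b4720972acdd10277c29d17a3fef4af51ba84d1641e257",
    "d2097306981d565fcafa4cd41ccec8f06c84863fcaf5c0b75eb819a072fd646a",
}

# A DEX file starts with "dex\n" + three-digit version + NUL, e.g. "dex\n035\0".
DEX_MAGIC = re.compile(rb"\Adex\n\d{3}\x00")
DEX_HEADER_SIZE = 0x70          # fixed header length per the DEX format
DEX_FILE_SIZE_OFFSET = 0x20     # uint32 LE file_size field inside the header
EXPECTED_DEX_EXTENSIONS = {"dex", "jar", "apk", "odex", "vdex"}


def dex_files_from_dex2oat(cmdline: str) -> list[str]:
    """Return every --dex-file= argument of a dex2oat command line."""
    prefix = "--dex-file="
    return [a[len(prefix):] for a in cmdline.split() if a.startswith(prefix)]


def classify_dropped_file(path: str, data: bytes) -> dict:
    """Identify DEX content by magic, not extension, and check it against known IoCs."""
    is_dex = DEX_MAGIC.match(data) is not None
    size_consistent = False
    if is_dex and len(data) >= DEX_HEADER_SIZE:
        (declared_size,) = struct.unpack_from("<I", data, DEX_FILE_SIZE_OFFSET)
        size_consistent = declared_size == len(data)
    basename = path.rsplit("/", 1)[-1]
    ext = basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "path": path,
        "sha256": sha256,
        "is_dex": is_dex,
        # DEX bytes behind a .json (or any non-code) extension is the disguise seen here.
        "extension_mismatch": is_dex and ext not in EXPECTED_DEX_EXTENSIONS,
        "size_consistent": size_consistent,
        "known_ioc": sha256 in KNOWN_DROPPED_DEX_SHA256,
    }


def triage(cmdline: str, files: dict) -> list[dict]:
    """Classify every file a dex2oat command line was pointed at (files: path -> bytes)."""
    return [classify_dropped_file(p, files[p]) for p in dex_files_from_dex2oat(cmdline) if p in files]


def build_sample_dex(payload_len: int = 64) -> bytes:
    """Constructed DEX-shaped blob with a valid file_size field; not a real payload."""
    total = DEX_HEADER_SIZE + payload_len
    header = bytearray(DEX_HEADER_SIZE)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, DEX_FILE_SIZE_OFFSET, total)  # file_size
    struct.pack_into("<I", header, 0x24, DEX_HEADER_SIZE)        # header_size
    return bytes(header) + b"\x00" * payload_len


if __name__ == "__main__":
    # Constructed input: the path from the report, filled with the sample blob.
    sample_files = {
        "/data/user/0/com.celery.vanish/app_anxiety/HReTXMy.json": build_sample_dex(),
    }
    for finding in triage(REPORT_DEX2OAT_CMDLINE, sample_files):
        print(finding)
```

On a real device image the files dict would be populated from the app's /data/user/0 directory; the "extension_mismatch" flag is the cheap first-pass detector for this loader pattern, and "known_ioc" only fires for the two exact versions the report hashed, so it is a confirmation check rather than the primary signal.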