Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

eBayMobile.apk

android-9-x86

10

Analysis

  • max time kernel
    145s
  • max time network
    130s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    08/01/2025, 05:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eBayMobile.apk

  • Size

    2.8MB

  • MD5

    d1a68785559ae6b0049a2bd1798277a1

  • SHA1

    8ea0706e77e57810ff1bc9073f3701772f032557

  • SHA256

    8b321553f1a269ee4b68a02162ba2d14c71a92907b6001ff3db0fe5bae6b3430

  • SHA512

    b4c676c19dedf7b582598bc8bc9d3bf260b3847564d7da755cf9e694abdf2ad3555da526b7ff847dcbddf75b9d1183924a29078d181b313fcec18c8b5349637a

  • SSDEEP

    49152:Ucz4N3omNn0M+CGN3SPXLD8S/obeUQGkfC1T3Eb0KizuNAGq6BXk2M:LrmR0vCSC/robeZGkfk0xA1XX

Score
10/10
hydrabankercollectioncredential_accessdiscoveryevasioninfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

hydra

C2

http://lalabanda.com

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 4 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 22 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests enabling of the accessibility settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.wife.dizzy
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests enabling of the accessibility settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4262
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wife.dizzy/app_DynamicOptDex/KCFj.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wife.dizzy/app_DynamicOptDex/oat/x86/KCFj.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4292

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Network Configuration Discovery

1
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.wife.dizzy/app_DynamicOptDex/KCFj.json
    Filesize

    1.3MB

    MD5

    f84f5fda1df953a8fbe24c17bacdf3ae

    SHA1

    044b7ca9f5988e175bea21312e81043aa17c9027

    SHA256

    e31d73a78d821a4ee86e55c77432c3c52ef01a8cb7be18fda83faf50772f7ffa

    SHA512

    0fb2a6900c79f673df5089ead0bfbbff7582cd17c0094cff3c90cfab2e2f64eb3b1d0ceebb70f6df113b7a68ae13e837477a3e9512efa33530901ccff52bbfd7

    Download Submit

  • /data/data/com.wife.dizzy/app_DynamicOptDex/KCFj.json
    Filesize

    1.3MB

    MD5

    9b4f8f8895a6e4ccfb5a1b2e0279c3f6

    SHA1

    6ec87b70d5fcc55f9e9fcd8cb9407d721f7a6068

    SHA256

    fd87c4f7c8ece0448dab67a0b689c4a417a153081059750295fbed29a1422b03

    SHA512

    e9049874ccb34af36b6a6837771867532ed0d73b02117de2d3f9908ed96f9c118ff0922702b6b3bd55dba90bac4e335aa7f5769c5c21ac49582a0c5551b5b408

    Download Submit

  • /data/data/com.wife.dizzy/app_DynamicOptDex/oat/KCFj.json.cur.prof
    Filesize

    1KB

    MD5

    32d37fe861b3df02acf5d0428b375ddd

    SHA1

    991c63fcbed111cbc0b6d7a37f54aa429c6d0ddb

    SHA256

    9319e08bd04931ca7cbfd3d04511d626a983787c87423417395ca7703e6a0084

    SHA512

    077a7387028d5a10a9e3668cc4ec703f9be594e0e7a4d73ce123bcc8b2ba926510e16a4f1989b375a6a361eb46a102398d131f8ee9442b07cbe829d5da25f084

    Download Submit

  • /data/data/com.wife.dizzy/app_DynamicOptDex/oat/KCFj.json.cur.prof
    Filesize

    1KB

    MD5

    3c49754fa1edf5dac09d33890696dea4

    SHA1

    4c7093a9bf5eac253302191e714099cfa09986a8

    SHA256

    5c7a685ee48fb474bee2079e133afc4e85e0c53e9fca3a5d3079a07b1ccdbea7

    SHA512

    a52a75762e7a7294cb312303e0c0f05f436bf57bbf53f8865c96fcbb730a0732d742137d88c6696e8fa9dd8bbcb7ddfbbe51d62825de8b6e111172887bbaacce

    Download Submit

  • /data/user/0/com.wife.dizzy/app_DynamicOptDex/KCFj.json
    Filesize

    3.6MB

    MD5

    75c36afec3c816acf958b039db4065f4

    SHA1

    e16d47dc4c597a5b13fed920f367789262ad0162

    SHA256

    5e5698bbd30997a749fa6e342d8381e042be60c70686fab7f59b151909c39a99

    SHA512

    eede6c3acb863e7172569fa0814aa65b3c1aac71a46adc4b14f0106de6f63a283b588704b1199ecd0a49321898f745ec9600070d681cff8c4af43b26f6997c5d

    Download Submit

  • /data/user/0/com.wife.dizzy/app_DynamicOptDex/KCFj.json
    Filesize

    3.6MB

    MD5

    7135f1564d788d4f037d1fce183fb480

    SHA1

    d0b34f23799c14770a8b5fc1f1a1d81697bb6f53

    SHA256

    df7bbead42e925c5b6b349c89c5fa85b8dbd113317acf05fed32243b4827f6b3

    SHA512

    d4ad950737096138a221850f58180962b5a29e81b4b6866f041f2ca7d3b0d03a2262ce7e081eb71c72d28c057e760521bb986136729be506b934f44ec04ebea2

    Download Submit