Overview

overview

10

Static

static

6

ab63d402d6...04.apk

android-9-x86

10

ab63d402d6...04.apk

android-10-x64

10

ab63d402d6...04.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    19-01-2025 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab63d402d65fc74eee11e03ed1a36b98c192c5b4e52634754de281db9cfdb704.apk

  • Size

    4.5MB

  • MD5

    dc1f2c17bf1f1e75b3342d94d4649cf6

  • SHA1

    09cd1e7ba65d383e537a1b650a2bfa79680531dc

  • SHA256

    ab63d402d65fc74eee11e03ed1a36b98c192c5b4e52634754de281db9cfdb704

  • SHA512

    cfced9450a7918068b4bf3b2e4f469f3fbe5290e3a3631f3ef39a7ff4131c6950df9d8a20c7af361b1568174554156b362be1df2d8523fab69241d7208c9d3e5

  • SSDEEP

    98304:WpSkWkIT6WhDmNibtSytfVMPtCibixzFOnRX/AMm:uSkAT9h42SRPtCeBIMm

Score
10/10
hydrabankercollectioncredential_accessdiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://ayfilopconbeydolcaneydozpahped.com

DES_key

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.huosycrnn.ouiqieelc
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4408
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.huosycrnn.ouiqieelc/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.huosycrnn.ouiqieelc/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4436

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.huosycrnn.ouiqieelc/app_apk/payload.apk
    Filesize

    974KB

    MD5

    3baeaa766ea7f31a9147208efd957c75

    SHA1

    c701de3d0e55425394ccbf8e0967639e86f3c54e

    SHA256

    75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d

    SHA512

    9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

    Download Submit

  • /data/data/com.huosycrnn.ouiqieelc/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    d27dfb63f482e471dd5d133faa1789d7

    SHA1

    a3529c823aa12d5179c9732217d5b09d157c39ff

    SHA256

    dcb1fb8e8200fcee34ae7903fea55cfaf42c16566120545554a530ef119b07d5

    SHA512

    c54d2f34333f127077845aab9b3f73fdef6ff7b3ea51ec2560ed671ed27506564d46eea02598a688e4bdd91d3c186a386d993b593a291d198808ab32d47abb22

    Download Submit

  • /data/data/com.huosycrnn.ouiqieelc/cache/Qg3adw2CpmSHwj59qrSgHGA9mVSkpmKkIJmNakGa.zip
    Filesize

    26.1MB

    MD5

    b0a178323dcd24d1c1f05af84dde2153

    SHA1

    a91ad48f5c706d2f9ba35a29069cf64d43637903

    SHA256

    6fdef4a31ff3404eacce81047c380d3a48e9d81c13732f0525f1a18dfa8fbfac

    SHA512

    3ae2c85f0981a46891eee90ca5be69ae15abf8f3a6c65d361ad31b59c2e708e0a2b79174d1a69073982ee7ec35a537cb3883a2e68719f286b1cd4094e25a7397

    Download Submit

  • /data/data/com.huosycrnn.ouiqieelc/cache/classes.dex
    Filesize

    1.3MB

    MD5

    d39dd91ec0dd37d1cfae982bf44c41bf

    SHA1

    1cc31435da5589f8715e5197e1c02acf23718281

    SHA256

    69b7cdb3cb607a803443eb938a7911148beee2798517c3f7d74b15d05cf23246

    SHA512

    35465aa0716d4de7ff6aadd8a9335c0611c6100613eda7a90cc044ae086aaeb08ce7dbf8da896ed3b7f979888dfe7fff79d191b526d39a2f90238454c1cdf94e

    Download Submit

  • /data/data/com.huosycrnn.ouiqieelc/cache/classes.zip
    Filesize

    1.3MB

    MD5

    fe5c0672b8fbdc3ca0fd3f7c2d23a234

    SHA1

    bc7d900a830a432a4fc3ac507144986d4b7456ab

    SHA256

    16d36e2638223234cc0d2de9a38985d39c49f3f281b1bb00d635eb77b2ec3ad1

    SHA512

    17538d042921c438e2b58bc89baed6a0f36bb2e717a133861605377ab7415ee8c17c8863fc4cd48f5197bb31d45ee3fa1f92ca3f8efe54dce36e110dcf9df930

    Download Submit

  • /data/user/0/com.huosycrnn.ouiqieelc/app_dex/classes.dex
    Filesize

    2.7MB

    MD5

    6b2b81a642093c47053efab1d0bed1bd

    SHA1

    460c94a557c58d0908fb1aadb5bfb27b4d390d39

    SHA256

    d5aff343cd49b635d8ff03737508f6f0309f9b1bdba8ef3257aa23f1877c4bb7

    SHA512

    aa0da2280a1c23baf3d78b2e58c2bfbea8aa75938378d3799e9a781ed545978c3703188d9d44e77a5f3a7cc187b92fd6f51f90abab2df012140ec6910e91af43

    Download Submit