Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    19/01/2025, 22:05 UTC

General

  • Target

    ab63d402d65fc74eee11e03ed1a36b98c192c5b4e52634754de281db9cfdb704.apk

  • Size

    4.5MB

  • MD5

    dc1f2c17bf1f1e75b3342d94d4649cf6

  • SHA1

    09cd1e7ba65d383e537a1b650a2bfa79680531dc

  • SHA256

    ab63d402d65fc74eee11e03ed1a36b98c192c5b4e52634754de281db9cfdb704

  • SHA512

    cfced9450a7918068b4bf3b2e4f469f3fbe5290e3a3631f3ef39a7ff4131c6950df9d8a20c7af361b1568174554156b362be1df2d8523fab69241d7208c9d3e5

  • SSDEEP

    98304:WpSkWkIT6WhDmNibtSytfVMPtCibixzFOnRX/AMm:uSkAT9h42SRPtCeBIMm

Malware Config

Extracted

Family

hydra

C2

http://ayfilopconbeydolcaneydozpahped.com

DES_key

6a77716b7163616e

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra family
  • Hydra payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs

Processes

  • com.huosycrnn.ouiqieelc
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    PID:4798

Network

  • US
    DNS
    www.youtube.com
    Remote address:
    1.1.1.1:53
    Request
    www.youtube.com
    IN A
    Response
    www.youtube.com
    IN CNAME
    youtube-ui.l.google.com
    youtube-ui.l.google.com
    IN A
    172.217.16.238
    youtube-ui.l.google.com
    IN A
    216.58.201.110
    youtube-ui.l.google.com
    IN A
    172.217.169.46
    youtube-ui.l.google.com
    IN A
    142.250.187.206
    youtube-ui.l.google.com
    IN A
    216.58.212.206
    youtube-ui.l.google.com
    IN A
    172.217.169.78
    youtube-ui.l.google.com
    IN A
    216.58.213.14
    youtube-ui.l.google.com
    IN A
    142.250.187.238
    youtube-ui.l.google.com
    IN A
    172.217.169.14
    youtube-ui.l.google.com
    IN A
    142.250.180.14
    youtube-ui.l.google.com
    IN A
    142.250.200.14
    youtube-ui.l.google.com
    IN A
    142.250.179.238
    youtube-ui.l.google.com
    IN A
    142.250.178.14
    youtube-ui.l.google.com
    IN A
    142.250.200.46
    youtube-ui.l.google.com
    IN A
    216.58.204.78
  • US
    DNS
    ayfilopconbeydolcaneydozpahped.com
    Remote address:
    1.1.1.1:53
    Request
    ayfilopconbeydolcaneydozpahped.com
    IN A
    Response
    ayfilopconbeydolcaneydozpahped.com
    IN A
    34.65.238.212
  • CH
    GET
    http://ayfilopconbeydolcaneydozpahped.com/payload
    Remote address:
    34.65.238.212:80
    Request
    GET /payload HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:05:18 GMT
    content-type: application/octet-stream
    content-length: 997816
    last-modified: Sat, 21 Sep 2024 12:25:51 GMT
    etag: "66eebb4f-f39b8"
    accept-ranges: bytes
  • CH
    POST
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device
    Remote address:
    34.65.238.212:80
    Request
    POST /api/v1/device HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    charset: utf-8
    Content-Length: 166
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:05:33 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    POST
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device
    Remote address:
    34.65.238.212:80
    Request
    POST /api/v1/device HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    charset: utf-8
    Content-Length: 7503
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:05:34 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    GET
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true
    Remote address:
    34.65.238.212:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:05:40 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    GET
    http://ayfilopconbeydolcaneydozpahped.com/storage/zip/Qg3adw2CpmSHwj59qrSgHGA9mVSkpmKkIJmNakGa.zip
    Remote address:
    34.65.238.212:80
    Request
    GET /storage/zip/Qg3adw2CpmSHwj59qrSgHGA9mVSkpmKkIJmNakGa.zip HTTP/1.1
    Range: bytes=0-
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 206 Partial Content
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:05:41 GMT
    content-type: application/zip
    content-length: 75794179
    last-modified: Tue, 14 Jan 2025 12:22:02 GMT
    etag: "678656ea-4848703"
    content-range: bytes 0-75794178/75794179
  • CH
    GET
    http://ayfilopconbeydolcaneydozpahped.com/api/mirrors
    Remote address:
    34.65.238.212:80
    Request
    GET /api/mirrors HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:05:18 GMT
    content-type: text/html; charset=UTF-8
    transfer-encoding: chunked
    cache-control: no-cache, private
    content-encoding: gzip
  • CH
    POST
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/lock
    Remote address:
    34.65.238.212:80
    Request
    POST /api/v1/device/lock HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    charset: utf-8
    Content-Length: 18
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:05:19 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    POST
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    Remote address:
    34.65.238.212:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:05:19 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    GET
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true
    Remote address:
    34.65.238.212:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:05:19 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    POST
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/update
    Remote address:
    34.65.238.212:80
    Request
    POST /api/v1/device/update HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    charset: utf-8
    Content-Length: 31
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:05:33 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    POST
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    Remote address:
    34.65.238.212:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:05:41 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • US
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    172.217.169.72
  • US
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • US
    GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Sun, 19 Jan 2025 22:05:33 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 22
    X-Rl: 40
  • CH
    POST
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/contacts
    Remote address:
    34.65.238.212:80
    Request
    POST /api/v1/device/contacts HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    charset: utf-8
    Content-Length: 15
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:05:34 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    GET
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true
    Remote address:
    34.65.238.212:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:06:00 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    POST
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    Remote address:
    34.65.238.212:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:06:01 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    GET
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true
    Remote address:
    34.65.238.212:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:06:20 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    POST
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    Remote address:
    34.65.238.212:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:06:21 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    GET
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true
    Remote address:
    34.65.238.212:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:06:44 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    POST
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    Remote address:
    34.65.238.212:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:06:45 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    GET
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true
    Remote address:
    34.65.238.212:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:07:00 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    POST
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    Remote address:
    34.65.238.212:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:07:01 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    GET
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true
    Remote address:
    34.65.238.212:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:07:21 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    POST
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    Remote address:
    34.65.238.212:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:07:21 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    GET
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true
    Remote address:
    34.65.238.212:80
    Request
    GET /api/v1/device/check?screen=true HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:07:41 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • CH
    POST
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    Remote address:
    34.65.238.212:80
    Request
    POST /api/v1/device/server-log HTTP/1.1
    Authorization: 8cb84c1d0c4f8aad
    Content-Type: application/json
    charset: utf-8
    Content-Length: 124
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ayfilopconbeydolcaneydozpahped.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    server: nginx/1.18.0 (Ubuntu)
    date: Sun, 19 Jan 2025 22:07:41 GMT
    content-type: application/json
    transfer-encoding: chunked
    cache-control: no-cache, private
  • 216.239.34.223:443
    tls
    116 B
    40 B
    1
    1
  • 142.250.187.238:443
    tls, https
    695 B
    40 B
    1
    1
  • 142.250.187.238:443
    android.apis.google.com
    tls
    1.1kB
    4.5kB
    9
    7
  • 142.250.187.238:443
    android.apis.google.com
    tls
    2.6kB
    6.0kB
    12
    11
  • 172.217.16.238:443
    www.youtube.com
    tls
    2.0kB
    8.3kB
    16
    15
  • 142.250.187.238:443
    android.apis.google.com
    tls
    2.6kB
    6.1kB
    12
    11
  • 34.65.238.212:80
    http://ayfilopconbeydolcaneydozpahped.com/storage/zip/Qg3adw2CpmSHwj59qrSgHGA9mVSkpmKkIJmNakGa.zip
    http
    783.1kB
    52.4MB
    14531
    35978

    HTTP Request

    GET http://ayfilopconbeydolcaneydozpahped.com/payload

    HTTP Response

    200

    HTTP Request

    POST http://ayfilopconbeydolcaneydozpahped.com/api/v1/device

    HTTP Response

    200

    HTTP Request

    POST http://ayfilopconbeydolcaneydozpahped.com/api/v1/device

    HTTP Response

    200

    HTTP Request

    GET http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    GET http://ayfilopconbeydolcaneydozpahped.com/storage/zip/Qg3adw2CpmSHwj59qrSgHGA9mVSkpmKkIJmNakGa.zip

    HTTP Response

    206
  • 34.65.238.212:80
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    http
    1.5kB
    1.8kB
    10
    8

    HTTP Request

    GET http://ayfilopconbeydolcaneydozpahped.com/api/mirrors

    HTTP Response

    200

    HTTP Request

    POST http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/lock

    HTTP Response

    200

    HTTP Request

    POST http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log

    HTTP Response

    403
  • 34.65.238.212:80
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    http
    2.3kB
    22.0kB
    24
    23

    HTTP Request

    GET http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    POST http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/update

    HTTP Response

    200

    HTTP Request

    POST http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log

    HTTP Response

    403
  • 172.217.169.72:443
    ssl.google-analytics.com
    tls
    1.3kB
    6.3kB
    9
    9
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    412 B
    600 B
    4
    3

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200
  • 34.65.238.212:80
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    http
    2.1kB
    22.0kB
    21
    22

    HTTP Request

    POST http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/contacts

    HTTP Response

    200

    HTTP Request

    GET http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    POST http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log

    HTTP Response

    403
  • 34.65.238.212:80
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    http
    1.8kB
    21.7kB
    20
    21

    HTTP Request

    GET http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    POST http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log

    HTTP Response

    403
  • 34.65.238.212:80
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    http
    1.9kB
    21.7kB
    22
    21

    HTTP Request

    GET http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    POST http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log

    HTTP Response

    403
  • 34.65.238.212:80
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    http
    1.8kB
    21.7kB
    21
    21

    HTTP Request

    GET http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    POST http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log

    HTTP Response

    403
  • 34.65.238.212:80
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    http
    1.8kB
    21.6kB
    21
    19

    HTTP Request

    GET http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    POST http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log

    HTTP Response

    403
  • 34.65.238.212:80
    http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log
    http
    1.7kB
    21.7kB
    19
    21

    HTTP Request

    GET http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/check?screen=true

    HTTP Response

    200

    HTTP Request

    POST http://ayfilopconbeydolcaneydozpahped.com/api/v1/device/server-log

    HTTP Response

    403
  • 216.239.32.223:443
    tls, https
    128 B
    40 B
    2
    1
  • 142.250.200.46:443
    www.youtube.com
    tls
    135 B
    40 B
    2
    1
  • 142.250.179.225:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.200.33:443
    tls
    135 B
    40 B
    2
    1
  • 216.239.32.223:443
    tls, https
    128 B
    40 B
    2
    1
  • 216.239.32.223:443
    tls, https
    128 B
    40 B
    2
    1
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    www.youtube.com
    dns
    61 B
    335 B
    1
    1

    DNS Request

    www.youtube.com

    DNS Response

    172.217.16.238
    216.58.201.110
    172.217.169.46
    142.250.187.206
    216.58.212.206
    172.217.169.78
    216.58.213.14
    142.250.187.238
    172.217.169.14
    142.250.180.14
    142.250.200.14
    142.250.179.238
    142.250.178.14
    142.250.200.46
    216.58.204.78

  • 1.1.1.1:53
    ayfilopconbeydolcaneydozpahped.com
    dns
    80 B
    96 B
    1
    1

    DNS Request

    ayfilopconbeydolcaneydozpahped.com

    DNS Response

    34.65.238.212

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    172.217.169.72

  • 1.1.1.1:53
    ip-api.com
    dns
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.huosycrnn.ouiqieelc/app_apk/payload.apk

    Filesize

    974KB

    MD5

    3baeaa766ea7f31a9147208efd957c75

    SHA1

    c701de3d0e55425394ccbf8e0967639e86f3c54e

    SHA256

    75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d

    SHA512

    9f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f

  • /data/user/0/com.huosycrnn.ouiqieelc/app_dex/classes.dex

    Filesize

    2.7MB

    MD5

    d27dfb63f482e471dd5d133faa1789d7

    SHA1

    a3529c823aa12d5179c9732217d5b09d157c39ff

    SHA256

    dcb1fb8e8200fcee34ae7903fea55cfaf42c16566120545554a530ef119b07d5

    SHA512

    c54d2f34333f127077845aab9b3f73fdef6ff7b3ea51ec2560ed671ed27506564d46eea02598a688e4bdd91d3c186a386d993b593a291d198808ab32d47abb22

  • /data/user/0/com.huosycrnn.ouiqieelc/cache/Qg3adw2CpmSHwj59qrSgHGA9mVSkpmKkIJmNakGa.zip

    Filesize

    47.2MB

    MD5

    fae79054d796c05b09514e594af01fc7

    SHA1

    1bb4941af0ab018051484eb393c1f4af1399f013

    SHA256

    3f3f5f561bb96f082458e8f28ec7aedd21034fd1df9c418236621b13f3ecf1ff

    SHA512

    2ee1d3c1ec3c927b9702550f89173f4192deb72e1d2070edf04df5ca50f122f7a6df921277fc267cd06211321fd13151d75c698dac0f39f7591970958599f454

  • /data/user/0/com.huosycrnn.ouiqieelc/cache/classes.dex

    Filesize

    1.3MB

    MD5

    d39dd91ec0dd37d1cfae982bf44c41bf

    SHA1

    1cc31435da5589f8715e5197e1c02acf23718281

    SHA256

    69b7cdb3cb607a803443eb938a7911148beee2798517c3f7d74b15d05cf23246

    SHA512

    35465aa0716d4de7ff6aadd8a9335c0611c6100613eda7a90cc044ae086aaeb08ce7dbf8da896ed3b7f979888dfe7fff79d191b526d39a2f90238454c1cdf94e

  • /data/user/0/com.huosycrnn.ouiqieelc/cache/classes.zip

    Filesize

    1.3MB

    MD5

    fe5c0672b8fbdc3ca0fd3f7c2d23a234

    SHA1

    bc7d900a830a432a4fc3ac507144986d4b7456ab

    SHA256

    16d36e2638223234cc0d2de9a38985d39c49f3f281b1bb00d635eb77b2ec3ad1

    SHA512

    17538d042921c438e2b58bc89baed6a0f36bb2e717a133861605377ab7415ee8c17c8863fc4cd48f5197bb31d45ee3fa1f92ca3f8efe54dce36e110dcf9df930
