Analysis
- max time kernel: 149s
- max time network: 150s
- platform: android-11_x64
- resource: android-x64-arm64-20240910-en
- resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
- submitted: 27/01/2025, 22:06
Static task: static1
Behavioral task: behavioral1
- Sample: 5487ee6a115d22ebb62ca821c1db8cc12d9275060cd730a7fdaea0655196a981.apk
- Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
- Sample: 5487ee6a115d22ebb62ca821c1db8cc12d9275060cd730a7fdaea0655196a981.apk
- Resource: android-x64-20240910-en
Behavioral task: behavioral3
- Sample: 5487ee6a115d22ebb62ca821c1db8cc12d9275060cd730a7fdaea0655196a981.apk
- Resource: android-x64-arm64-20240910-en
General
- Target: 5487ee6a115d22ebb62ca821c1db8cc12d9275060cd730a7fdaea0655196a981.apk
- Size: 2.6MB
- MD5: b153a2b2637a2344be8aed6e15cc5860
- SHA1: 4557c7ef5561fc397b0cc7144d640e60d00b49c4
- SHA256: 5487ee6a115d22ebb62ca821c1db8cc12d9275060cd730a7fdaea0655196a981
- SHA512: cd415034ec193a0b0ccd633c15fa05740e655efeaa2cc48b4bcd2a55d42a211ae6f051d226311a299b3c236191da9e03357cc28948a5d6334882905c3b40abc4
- SSDEEP: 49152:L5llCCdTUD1SzzfewA+aaf0y5F1voCE8EIK8kq1c0NTg8RbsbHfREj1m3:1JkkzfewrR0y5F1gCdBK89c0Nk85sTRX
Malware Config
Extracted
hydra
http://fhuiooedjefjheeffemensb.info
Signatures
- Hydra: Android banker and info stealer.
- Hydra family
- Hydra payload (2 IoCs)
  resource | yara_rule
  behavioral3/memory/4636-0.dex | family_hydra1
  behavioral3/memory/4636-0.dex | family_hydra2
- Loads dropped Dex/Jar (1 TTPs, 1 IoCs): Runs an executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/com.elegant.sun/app_DynamicOptDex/IIrjgo.json | 4636 | com.elegant.sun
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs): Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.elegant.sun
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.elegant.sun
- Reads the contacts stored on the device (1 TTPs, 1 IoCs)
  description | ioc | Process
  URI accessed for read | content://com.android.contacts/contacts | com.elegant.sun
- Looks up external IP address via web service (1 IoCs): Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  27 | ip-api.com
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs): The application may abuse the framework's foreground service to keep running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.elegant.sun
- Performs UI accessibility actions on behalf of the user (1 TTPs, 1 IoCs): The application may abuse the accessibility service to prevent its own removal.
  ioc | Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.elegant.sun
- Queries information about active data network (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.elegant.sun
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.elegant.sun
- Reads information about the phone network operator (1 TTPs)
Processes
- com.elegant.sun (PID: 4636)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Reads the contacts stored on the device
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about active data network
  - Queries the mobile country code (MCC)
Network
MITRE ATT&CK Mobile v15
- Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
Downloads