Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
155s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system -
submitted
15/02/2025, 22:00
Static task
static1
Behavioral task
behavioral1
Sample
9ea7a3c46964675fcc4a62ebc75fb2fa9b6bc823b178ceb30de855d65b3fc851.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
9ea7a3c46964675fcc4a62ebc75fb2fa9b6bc823b178ceb30de855d65b3fc851.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
9ea7a3c46964675fcc4a62ebc75fb2fa9b6bc823b178ceb30de855d65b3fc851.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
9ea7a3c46964675fcc4a62ebc75fb2fa9b6bc823b178ceb30de855d65b3fc851.apk
-
Size
4.7MB
-
MD5
25fbb322f1a3741120d51148c0d8860a
-
SHA1
f17a8eb7e6061924ce6e89584ffd833637d3fd92
-
SHA256
9ea7a3c46964675fcc4a62ebc75fb2fa9b6bc823b178ceb30de855d65b3fc851
-
SHA512
d349c30dd0f80a9c22c47aa12fc8336601d594c10b9c4c35d36b4668e30f658c4af3c548e14e01b23135bc680e2d6c2a30addf227d5daa6e39f6d6988e077c6e
-
SSDEEP
98304:2Inf/Yu4kOkYyRQQICL58Uw5q+Ys7je3eUIukTTW:9f/eyiQICL5nwc+Y2jSvIukXW
Malware Config
Extracted
hydra
http://12123-123dcvmolded1235asd123sd-123dvas-we12c-21.org
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra family
-
Hydra payload 2 IoCs
resource yara_rule behavioral2/files/fstream-3.dat family_hydra1 behavioral2/files/fstream-3.dat family_hydra2 -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.okxlqdryc.pxgkfiwph/app_dex/classes.dex 5062 com.okxlqdryc.pxgkfiwph /data/user/0/com.okxlqdryc.pxgkfiwph/app_dex/classes.dex 5062 com.okxlqdryc.pxgkfiwph -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.okxlqdryc.pxgkfiwph Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.okxlqdryc.pxgkfiwph -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://com.android.contacts/contacts com.okxlqdryc.pxgkfiwph -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 12 ip-api.com -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.okxlqdryc.pxgkfiwph -
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.okxlqdryc.pxgkfiwph -
Queries information about active data network 1 TTPs 1 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.okxlqdryc.pxgkfiwph -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.okxlqdryc.pxgkfiwph -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.okxlqdryc.pxgkfiwph
Processes
-
com.okxlqdryc.pxgkfiwph1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Reads the contacts stored on the device.
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:5062
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
974KB
MD53baeaa766ea7f31a9147208efd957c75
SHA1c701de3d0e55425394ccbf8e0967639e86f3c54e
SHA25675e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d
SHA5129f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f
-
Filesize
2.2MB
MD5b08d83e397785ca278e39165065fa192
SHA11590dfa3a6bf452c238f154770dbb8ba5d82c1f6
SHA2569c826c239e05f8de4a433358a489c2395b2a542f0e66f3935f19f07c61cc9f2d
SHA512eee30f46e77704779e3196213ac7c55fadec0dc0c9f37f07d4d862f52a146edc1b3b3379422ee9588fa3ca0192c91739e6a0d8effc9eaa8471771a9e34e479e0
-
Filesize
972KB
MD532a863157ad736551a4e114247853197
SHA13b747b452123e7abbfe496fd156d276d8b7564d1
SHA256a66e7ea86993a7fc91167aae224b6a761f4e6d3ad7045fcc9a3ceb36446f31d3
SHA51218c840b6c25baf6ae05e861d06d930b6b34beb496100edfcb9f053232ba7afd0d988981ce47d41eb046491bee1a9cbabc65e9a3328e81ea94e57e0e67250ebf9
-
Filesize
973KB
MD5e0e1ebb488ae613b086829ab340bcf07
SHA1b10a38a45ef07f3b93c54d950cb9657a22043ed8
SHA256c1bc7b83d5362ef1886eb365589ae408200edf679413cf48016a3954b4ad6de1
SHA51238e7cdbdc413b2b804af19798aa2463db0ff9ffc4828553409fa01899a003a96b2b177840c83141b259bb68b62cc181ee9710b172ca0a7a5d4c96968bfabb8b2
-
Filesize
798KB
MD5d98591f727d90d5fcb6041edcc5bd000
SHA1ab22787c6396e7b9e89dd823c8ec4b6b56df707a
SHA25611bcf95d44e85aa89d5523061ee959f9f6f979de687d615eee4126468cd19247
SHA512364663b3b248ab1856f422f4fa42fb21f58caa45d8e6756dab6fa46aaf04e979f5581f7561d223c04b89f2468a685c7478668f8466226cff94926e34269d4390
-
Filesize
54KB
MD571365a4a4241c1b1cc5dcb548f731c57
SHA13ba93fa1ee733274c4d2c438057f2dd50c36201e
SHA256b3b0cc73b755da20f3dc99ddf0b4bfe3aab520252a06b53901f88fd4605beb56
SHA512b48195367158730ea14c52fa1530ea5f9db2257b05ca5ffa90011f244d1978d3ff95ddfe41267b32d1187fce29ba487a5ab783762e73b1918e12236bce51efe1
-
Filesize
77KB
MD545987daf8c89d7bd547a954ecebe2197
SHA1c85d431f33dfcf3a39373eb3ffe5706c6d58f6fe
SHA256188b54ee21c2f6bb860b4c5f3897653256febe74f720e0e05a699ce955407472
SHA512b48d5a39bb0778e0bd56f70d2dfa6d0e5d79c98c42c657ad8dd3a46aa1a3808de693282016d7ade353a358a70403cf338c51c725e68ea6dd49057cd10b320b1e
-
Filesize
507KB
MD540b27ecfa0bc4588406b574cf15857e6
SHA1b7ac174aed7c5a61d9f06056fef470ed459c2d35
SHA256d76eae25954262ad153bceffd462ad3980d1295ba24abd7b32fa85f0dd78a591
SHA5126fb5ff00154e885a0588886cb6977b9a2351d590b9c32e10106f27b0c98acaa3474cab2e00ef8a5700399db19e3ef9528e2f5d067ae382fc177bc32fc6813dd8