Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
158s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
16/02/2025, 22:05
Static task
static1
Behavioral task
behavioral1
Sample
836f868f699bd6a50a30b5bb844bb1319bf2517864156c08ece5573e20f9bba7.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
836f868f699bd6a50a30b5bb844bb1319bf2517864156c08ece5573e20f9bba7.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
836f868f699bd6a50a30b5bb844bb1319bf2517864156c08ece5573e20f9bba7.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
836f868f699bd6a50a30b5bb844bb1319bf2517864156c08ece5573e20f9bba7.apk
-
Size
4.7MB
-
MD5
0bb155911c45abed867ffe361cb6a532
-
SHA1
eee5da6abdaa1ad0b4317653a768f3b6ed0fa85c
-
SHA256
836f868f699bd6a50a30b5bb844bb1319bf2517864156c08ece5573e20f9bba7
-
SHA512
52fd8863366bbc0609a8bbee4d621c83f847faae5c2a096d9c1fac92a5d7c6aea0fa26fb354ae6c4f85fa37b93c3d1240e9c33dfa19992d296fc7e5f0e6212bf
-
SSDEEP
98304:YODhMcJbpQJ3W7uhCXrB+d0BDwTphuBPM7fc6JphNwhYPsckiV/A9:rMcJuJGi0Xt+d+wTphAE7fc6JPShUsP7
Malware Config
Extracted
hydra
http://1231254123-123d34123-xzccv-1sasdqwe-123cvbe-dqwed.org
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra family
-
Hydra payload 4 IoCs
resource yara_rule behavioral1/files/fstream-3.dat family_hydra1 behavioral1/files/fstream-3.dat family_hydra2 behavioral1/memory/4256-1.dex family_hydra1 behavioral1/memory/4256-1.dex family_hydra2 -
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.slghlhrpc.cmkpzbrrb/app_dex/classes.dex 4256 com.slghlhrpc.cmkpzbrrb /data/user/0/com.slghlhrpc.cmkpzbrrb/app_dex/classes.dex 4282 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.slghlhrpc.cmkpzbrrb/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.slghlhrpc.cmkpzbrrb/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.slghlhrpc.cmkpzbrrb/app_dex/classes.dex 4256 com.slghlhrpc.cmkpzbrrb -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.slghlhrpc.cmkpzbrrb Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.slghlhrpc.cmkpzbrrb -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://com.android.contacts/contacts com.slghlhrpc.cmkpzbrrb -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 13 ip-api.com -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.slghlhrpc.cmkpzbrrb -
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.slghlhrpc.cmkpzbrrb -
Queries information about active data network 1 TTPs 1 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.slghlhrpc.cmkpzbrrb -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.slghlhrpc.cmkpzbrrb -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.slghlhrpc.cmkpzbrrb
Processes
-
com.slghlhrpc.cmkpzbrrb1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Reads the contacts stored on the device.
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4256 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.slghlhrpc.cmkpzbrrb/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.slghlhrpc.cmkpzbrrb/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4282
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
974KB
MD53baeaa766ea7f31a9147208efd957c75
SHA1c701de3d0e55425394ccbf8e0967639e86f3c54e
SHA25675e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d
SHA5129f3ccb1fc9a177524ba2d39f809be4851af385073463893bd4a8664308253fc0da2b9ab330c85675dbe9ce0c44b631a0d1ec7800491687c7b2540504b351295f
-
Filesize
2.2MB
MD5fedce253449026c0a0a7939bc75e1dfa
SHA10ed258e4a2d472df79daab28304d044dd3f05f70
SHA2565e0f51bbb9a2710b3d390039432d09dbead903f97235bb1b7da175d415bac58f
SHA512f5c1f0c90b125d228cadee2f9a68cefff06cfcd1c8967b6652d285313a65e16f4551b6923a146cc2b9304d31f7ce851fd75cde0314cdd9dfd4324191092a31e8
-
Filesize
972KB
MD5d78a540a95142b8f5e90a884e69d7ece
SHA1fa39f09ec36fc44c7b54ab028dabd255726bdc14
SHA256c0547d6e35514c01807a4479b8f013cb6767105c4ce71024bb5a9aa5e278fa7d
SHA5121e811d7730d2cc59f0112e738951ce72267030586bf994b021126745e066814291ca4dd91cba3802100ca7236afd4692704c9e214ce9268a40368761f934dcd7
-
Filesize
973KB
MD5eec9133041583c8e603c60374ab73703
SHA1a8592d4b71ef3036fb30571c45c7eed4cfdeb83a
SHA256e6498e08914e2e5d1e4b57cc88b8a01746ec22629cfc1f148ac962b53e5a7f33
SHA51288e9c47f068b90b9a646bc5697c812caa86cccdbabea4c3f81da195922575274511f05c7bef912987819e0bfe5b4d06c69b0fd41505650f1c32cdfb8b8f4792f
-
Filesize
12.5MB
MD566f90e955cd2af84e742d5abb37f7aca
SHA1edea88caad235bdf34890fa229aa65987b10080f
SHA25649f796c441afdfb7802ba73e20a0487f267253f8f83f3eb27124c87c39172cc9
SHA512430564e039734d063e4d43cfe046828f66ed097e57d0915f92fb865ddf708323b8b424a4e3733115c050c18af348b8ab464ec74e71dc33974c8bd33dfeecb702
-
Filesize
6.9MB
MD5df8518dccb6032ffe42ac8d6cdd88f01
SHA10a11a8c01e0786232ac4040478633d55565da2f8
SHA25669251938236365c4978f822a38e3000807bb211404f37e0e8b81f7dfff8529ea
SHA512e743f523cbb77d604eac6e30dc936f2f1284779bee3f18cbba1869973577a27318d7d512061637162aad6f21bb0c93f9093203c85b7982f5ebd55abe646cae81
-
Filesize
2.2MB
MD5b0c33ee21363c9c941adeaf51eb6abb7
SHA186c47ab19537ff5235619913ce55d2a990208221
SHA256ac40bf6c4a25d9dc113bcac68f9629ec3e2d6543b75f6ddae90a6badc190e790
SHA512f1e24d473aae9b695fb6e5378272f6764d3417eda7757d942d34a93f3f2f25774d37af1ecadbd1528adeb7cff15861b459850ae879f5163f9e4a068b8868f267