Analysis

  • max time kernel
    296s
  • max time network
    301s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted
    19/02/2025, 12:43

General

  • Target

    9ec93f30a4d4c404687abd67f4aeb19d2f50b16c7662e41aba8f86a5407ba14d.apk

  • Size

    2.4MB

  • MD5

    b11e72c94d810958df65d8716d853bc3

  • SHA1

    606a5eaf439586fc316a3befc85431091bfa786e

  • SHA256

    9ec93f30a4d4c404687abd67f4aeb19d2f50b16c7662e41aba8f86a5407ba14d

  • SHA512

    c18853c87af0198a0d19d097e1f83e0044d32b3d676a23dd0cd132499d098a951d31777153e6c6e9f9710b3fc28e74129173fc90b6c7ab2711a34a84ff5b98c5

  • SSDEEP

    49152:ZxkyYHERA1iUZXObVbVIrobX57/prbB5Wk4HMIyzNZ60/KrYvTD0iXXYMZ04YKx:ZxkyYke1iiYbe0L57/ZjWJHMIyxwQKs3

Malware Config

Extracted

Family

hydra

C2

https://gist.githubusercontent.com/ferrari458italy/4fe02ee186816abcfcca6eaaed44659d/raw/helloworld.json

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra family
  • Hydra payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries information about active data network (1 TTP, 1 IoC)
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)

Processes

  • com.scare.obscure (PID 4929)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.scare.obscure/app_DynamicOptDex/Yy.json

    Filesize

    573KB

    MD5

    dbdafc6c18b0b6f9a9c0252ed395c740

    SHA1

    d48bf669f240932e78fdb5f5d5696327af7dff72

    SHA256

    598ac88704fe5dc9707c34228de82bf1ea7805cfc4ca81427958694835cbb19a

    SHA512

    96fdec46f2c5cfae40fc636dbf0ae4ccf4b289d5b6aaaa194df287b9c52685dc56478bf9f3f7274873e06a6ee3e4ff6a67aaaef920f0f0d1f7f05010b7bf5ea9

  • /data/data/com.scare.obscure/app_DynamicOptDex/Yy.json

    Filesize

    573KB

    MD5

    1e11861994b5b31e4c58c224eef13532

    SHA1

    1f283ac3c312401df111388d1c295a975adc37f8

    SHA256

    75491e51cbe3aff4632b5ade80f77ce14b0ccdff422ff3c457dd5552e9693697

    SHA512

    3543ab0858bc0ab478c35c28d419866d556c1e5cc081416ed03ceb8f601bc99f65a97c6c537cb501b26fa3bd09a3e3d813f926df46a3f886616e40d8683717c0

  • /data/data/com.scare.obscure/app_DynamicOptDex/oat/Yy.json.cur.prof

    Filesize

    1KB

    MD5

    1e2b7a17210d9edc8438b480002866f0

    SHA1

    3d4d3faebf83511e410ab431aef14d392a1bff45

    SHA256

    d7c2d1eab31c35548e0a538b3d25eee2492eaf88c5be9a58459b8887ec67ab12

    SHA512

    c229107e680a0e1ce6c4b9f4631f456421f948529e64e14279ca53bbab7461b566a2a6b232a7cc27934277296307106034211068eeeea94b93094af22c7f5f66
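The "Loads dropped Dex/Jar" signature and the download list above show the usual shape of this technique: code written to app_DynamicOptDex under a non-code name (Yy.json) and then loaded at runtime, with a .cur.prof profile appearing once ART has compiled it. The report lists hashes but not contents, so the triage helper below is an added example (not tria.ge tooling and not code from the sample) that classifies a dropped blob by its magic bytes rather than its extension, verifies the DEX header checksum, and computes the same four digests the report lists so a blob can be matched against the report's IoCs. The sample DEX it builds is constructed for the demo and is not the real Yy.json; the only value taken from the report is the first Yy.json SHA256, which the constructed blob deliberately does not match.

```python
"""Triage helpers for files a sandbox reports as dropped by an Android sample.

Added example, not tria.ge tooling and not the sample's own code. Identifies
content by leading bytes instead of trusting the file name, checks the DEX
header checksum, and computes the digests a report lists so a recovered blob
can be matched against its IoCs.
"""
import hashlib
import json
import os
import struct
import zlib

DEX_MAGIC = b"dex\n"            # Dalvik executable; followed by "0NN\0" version
ZIP_MAGIC = b"PK\x03\x04"       # APK/JAR are zip containers
ART_PROFILE_MAGIC = b"pro\x00"  # ART runtime profile (the *.cur.prof files)

EXECUTABLE_KINDS = {"dex", "zip"}
EXECUTABLE_EXTS = {".dex", ".jar", ".apk", ".zip", ".odex"}


def identify(data: bytes) -> str:
    """Classify a blob by its leading bytes, never by its file name."""
    if data.startswith(DEX_MAGIC) and data[4:7].isdigit() and data[7:8] == b"\x00":
        return "dex"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(ART_PROFILE_MAGIC):
        return "art-profile"
    try:
        json.loads(data)          # a real JSON config parses; a renamed DEX does not
        return "json"
    except ValueError:            # JSONDecodeError and UnicodeDecodeError both land here
        return "unknown"


def verify_dex_checksum(data: bytes) -> bool:
    """A DEX header stores adler32 of everything after the checksum field
    (offset 12 to EOF) as a little-endian uint32 at offset 8."""
    if len(data) < 0x70:          # the DEX header alone is 0x70 bytes
        return False
    stored, = struct.unpack_from("<I", data, 8)
    return stored == (zlib.adler32(data[12:]) & 0xFFFFFFFF)


def digests(data: bytes) -> dict:
    """The four digests a tria.ge download entry lists."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def triage_dropped(path: str, data: bytes, known_sha256=frozenset()) -> dict:
    """Flag executable content hiding under a non-code extension and say
    whether the blob matches any SHA256 taken from the report."""
    kind = identify(data)
    ext = os.path.splitext(path)[1].lower()
    d = digests(data)
    return {
        "path": path,
        "kind": kind,
        "size": len(data),
        "extension_mismatch": kind in EXECUTABLE_KINDS and ext not in EXECUTABLE_EXTS,
        "dex_checksum_ok": verify_dex_checksum(data) if kind == "dex" else None,
        "matches_report": d["sha256"] in known_sha256,
        **d,
    }


def build_fake_dex(body: bytes = b"\x00" * 0x80) -> bytes:
    """Constructed sample (not the real Yy.json): a DEX header with a valid
    checksum and no classes, enough to exercise identify() and the checksum."""
    magic = DEX_MAGIC + b"035\x00"
    checksum = zlib.adler32(body) & 0xFFFFFFFF
    return magic + struct.pack("<I", checksum) + body


if __name__ == "__main__":
    # SHA256 of the first Yy.json entry in the report; the constructed blob will not match it.
    REPORT_SHA256 = {"598ac88704fe5dc9707c34228de82bf1ea7805cfc4ca81427958694835cbb19a"}
    samples = [
        ("/data/data/com.scare.obscure/app_DynamicOptDex/Yy.json", build_fake_dex()),
        ("/data/data/com.scare.obscure/app_DynamicOptDex/oat/Yy.json.cur.prof",
         ART_PROFILE_MAGIC + b"\x00" * 16),          # constructed stand-in for a profile
    ]
    for path, blob in samples:
        r = triage_dropped(path, blob, REPORT_SHA256)
        print(f"{r['path']}: kind={r['kind']} ext_mismatch={r['extension_mismatch']} "
              f"dex_ok={r['dex_checksum_ok']} in_report={r['matches_report']} sha256={r['sha256']}")
```

Run it against the blobs pulled out of the sandbox's file dump; a DEX or JAR sitting under a .json name in app_DynamicOptDex is the "Loads dropped Dex/Jar" behaviour made concrete, and the digest dictionary lines up directly with the MD5/SHA1/SHA256/SHA512 fields in the report for matching.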