hydra | 9ec93f30a4d4c404687abd67f4aeb19d2f50b16c7662e41aba8f86a5407ba14d

General

Target

9ec93f30a4d4c404687abd67f4aeb19d2f50b16c7662e41aba8f86a5407ba14d.apk
Size

2.4MB
MD5

b11e72c94d810958df65d8716d853bc3
SHA1

606a5eaf439586fc316a3befc85431091bfa786e
SHA256

9ec93f30a4d4c404687abd67f4aeb19d2f50b16c7662e41aba8f86a5407ba14d
SHA512

c18853c87af0198a0d19d097e1f83e0044d32b3d676a23dd0cd132499d098a951d31777153e6c6e9f9710b3fc28e74129173fc90b6c7ab2711a34a84ff5b98c5
SSDEEP

49152:ZxkyYHERA1iUZXObVbVIrobX57/prbB5Wk4HMIyzNZ60/KrYvTD0iXXYMZ04YKx:ZxkyYke1iiYbe0L57/ZjWJHMIyxwQKs3

Score

10^/10

hydra banker collection credential_access defense_evasion discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

hydra

C2

https://gist.githubusercontent.com/ferrari458italy/4fe02ee186816abcfcca6eaaed44659d/raw/helloworld.json

Signatures

Hydra
Android banker and info stealer.
banker trojan infostealer hydra
Hydra family
hydra

Hydra payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_hydra1

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.scare.obscure/app_DynamicOptDex/Yy.json	4929	com.scare.obscure
/data/user/0/com.scare.obscure/app_DynamicOptDex/Yy.json	4929	com.scare.obscure

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.scare.obscure
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.scare.obscure
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.scare.obscure

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.scare.obscure
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.scare.obscure

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.scare.obscure

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.scare.obscure

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.scare.obscure

com.scare.obscure
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4929

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Credential Access

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Network Configuration Discovery

2

T1422

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

1

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.scare.obscure/app_DynamicOptDex/Yy.json

Filesize
573KB

MD5
dbdafc6c18b0b6f9a9c0252ed395c740

SHA1
d48bf669f240932e78fdb5f5d5696327af7dff72

SHA256
598ac88704fe5dc9707c34228de82bf1ea7805cfc4ca81427958694835cbb19a

SHA512
96fdec46f2c5cfae40fc636dbf0ae4ccf4b289d5b6aaaa194df287b9c52685dc56478bf9f3f7274873e06a6ee3e4ff6a67aaaef920f0f0d1f7f05010b7bf5ea9

Download Submit
/data/data/com.scare.obscure/app_DynamicOptDex/Yy.json

Filesize
573KB

MD5
1e11861994b5b31e4c58c224eef13532

SHA1
1f283ac3c312401df111388d1c295a975adc37f8

SHA256
75491e51cbe3aff4632b5ade80f77ce14b0ccdff422ff3c457dd5552e9693697

SHA512
3543ab0858bc0ab478c35c28d419866d556c1e5cc081416ed03ceb8f601bc99f65a97c6c537cb501b26fa3bd09a3e3d813f926df46a3f886616e40d8683717c0

Download Submit
/data/data/com.scare.obscure/app_DynamicOptDex/oat/Yy.json.cur.prof

Filesize
1KB

MD5
1e2b7a17210d9edc8438b480002866f0

SHA1
3d4d3faebf83511e410ab431aef14d392a1bff45

SHA256
d7c2d1eab31c35548e0a538b3d25eee2492eaf88c5be9a58459b8887ec67ab12

SHA512
c229107e680a0e1ce6c4b9f4631f456421f948529e64e14279ca53bbab7461b566a2a6b232a7cc27934277296307106034211068eeeea94b93094af22c7f5f66

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads