Analysis
- max time kernel: 148s
- max time network: 165s
- platform: android-10_x64
- resource: android-x64-20240910-en
- resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
- submitted: 18/03/2025, 22:01 UTC
Static task
- static1
Behavioral tasks
- behavioral1: Sample d4c73288263cc04c315398b770312619e3c862063c173949312382c33535259c.apk, Resource android-x86-arm-20240910-en
- behavioral2: Sample d4c73288263cc04c315398b770312619e3c862063c173949312382c33535259c.apk, Resource android-x64-20240910-en
- behavioral3: Sample d4c73288263cc04c315398b770312619e3c862063c173949312382c33535259c.apk, Resource android-x64-arm64-20240910-en
General
- Target: d4c73288263cc04c315398b770312619e3c862063c173949312382c33535259c.apk
- Size: 3.5MB
- MD5: fb952210ad402fc0ebf5742ba8309d33
- SHA1: e7fcafc16c9ba50f0caf8aede2f9ac47ce5a8949
- SHA256: d4c73288263cc04c315398b770312619e3c862063c173949312382c33535259c
- SHA512: 6ce7fbda5794a3beae578729b0cf0c6a271705c0f728d7b15bc09534cd6b30b14a74cbd11b86200c10a29e583dfa5c0e2fa63c32471dcf079c92f310385d57b2
- SSDEEP: 98304:BN2e5I5Y6zseVcQlsvWVyNteAoNZDQ1u0tjbr7cG:Bd5w9VVsvZNxoNBAN/AG
Malware Config
Extracted
- family: hydra
- url: http://fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd
Signatures
- Hydra
  Android banker and info stealer.
- Hydra family
- Hydra payload (2 IoCs)
  resource / yara_rule:
  - behavioral2/memory/5210-0.dex: family_hydra1
  - behavioral2/memory/5210-0.dex: family_hydra2
- Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs executable file dropped to the device during analysis.
  ioc / pid / Process:
  - /data/user/0/com.unaware.tissue/app_fitness/hg.json, 5210, com.unaware.tissue
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description / ioc / Process:
  - Framework service call, android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, com.unaware.tissue
  - Framework service call, android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, com.unaware.tissue
- Reads the contacts stored on the device. (1 TTP, 1 IoC)
  description / ioc / Process:
  - URI accessed for read, content://com.android.contacts/contacts, com.unaware.tissue
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - 17, ip-api.com
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description / ioc / Process:
  - Framework service call, android.app.IActivityManager.setServiceForeground, com.unaware.tissue
- Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
  Application may abuse the accessibility service to prevent its removal.
  ioc / Process:
  - android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, com.unaware.tissue
- Queries information about active data network (1 TTP, 1 IoC)
  description / ioc / Process:
  - Framework service call, android.net.IConnectivityManager.getActiveNetworkInfo, com.unaware.tissue
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description / ioc / Process:
  - Framework service call, com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, com.unaware.tissue
- Reads information about phone network operator. (1 TTP)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description / ioc / Process:
  - Framework service call, android.app.IActivityManager.registerReceiver, com.unaware.tissue
Processes
- com.unaware.tissue (PID: 5210)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Reads the contacts stored on the device.
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about active data network
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
Network
- Remote address: 1.1.1.1:53
  Request: android.apis.google.com IN A
  Response: android.apis.google.com IN CNAME clients.l.google.com; clients.l.google.com IN A 142.250.180.14
- Remote address: 1.1.1.1:53
  Request: ssl.google-analytics.com IN A
  Response: ssl.google-analytics.com IN A 142.250.200.40
- Remote address: 1.1.1.1:53
  Request: fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd IN A
  Response: (empty)
- Remote address: 1.1.1.1:53
  Request: ip-api.com IN A
  Response: ip-api.com IN A 208.95.112.1
- Remote address: 208.95.112.1:80
  Request:
    GET /json HTTP/1.1
    Authorization: 5308642ae78425df
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
  Response:
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Content-Length: 288
    Access-Control-Allow-Origin: *
    X-Ttl: 58
    X-Rl: 43
HTTP Request
- GET http://ip-api.com/json
HTTP Response
- 200
DNS Requests
- android.apis.google.com
  DNS Response: 142.250.180.14
- ssl.google-analytics.com
  DNS Response: 142.250.200.40
- fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd
  DNS Response: (none)
- ip-api.com
  DNS Response: 208.95.112.1
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Downloads
- Download 1
  Filesize: 969KB
  MD5: a60fc1bd35302214b9dbbb9da21adb33
  SHA1: 0e3aae5b7146933ea127262daf2ef67b81cbb01b
  SHA256: 03071c938dcd1f0b608f826abe05bccd425d45fbc52bcadfd7a1ecf40e3484cf
  SHA512: 6a61b7eb2b5e9a0e4443bffe6eb87f9a0954c2fa18c448649a271fae5795230b34fd5c26902d63d04dfd7f5731350f8039f4a853dfdcfd0a767ebc5cc3a3a5b4
- Download 2
  Filesize: 969KB
  MD5: 14d430fae8584b962a06998be4ab0e62
  SHA1: a1b6486adabdee5cdfbb5ed4da8e64ced381f0ea
  SHA256: 955dfa0778d7cc972396cd4e8bccfcd94cf9676c927e9978829d739519c0d4b1
  SHA512: 880dd195272bbdcffb913c2dc91830a42c7e588ae6cc1ac26433e2342c365278cfe0216eefe7b4ec530a281fcc4c92b067e392796d810b66062ad2ab02c0410d
- Download 3
  Filesize: 1KB
  MD5: c3831bc7d3750499c2b11e478ffab5da
  SHA1: 7cf8377705325aaacc19849621f4a55ea679a804
  SHA256: a2c6e8dacdaad8930c0735d5299086e2d8cb41bbc4f8b12e56da12c9d8fe0002
  SHA512: d1a8613deb7caa07d59b7a9f8a220c56432d2a8db18bb847cea1b0ab010c1e241d1e79caec24ed08d5a0402892ec83a0b437cfadb2fb8a086ac16f675a7c9413
- Download 4
  Filesize: 2.2MB
  MD5: b86222b8b0c7cffc60dc06c443434bec
  SHA1: e91ccbe2573f198318236cf3845a355d529767bc
  SHA256: 777c111d75b5c69dc915cf9d07401f96fce8997f37fe49773dfdda2e79521424
  SHA512: 704412e2282f57142294741ec1dbfe26667e460029d34220ebfa2f3f795d46231501cc62813db6da1fcf9b1a45ed706ffccad8890b54aa1d9fca53e344239797