Analysis

  • max time kernel
    148s
  • max time network
    165s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags
    arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted
    18/03/2025, 22:01 UTC

General

  • Target

    d4c73288263cc04c315398b770312619e3c862063c173949312382c33535259c.apk

  • Size

    3.5MB

  • MD5

    fb952210ad402fc0ebf5742ba8309d33

  • SHA1

    e7fcafc16c9ba50f0caf8aede2f9ac47ce5a8949

  • SHA256

    d4c73288263cc04c315398b770312619e3c862063c173949312382c33535259c

  • SHA512

    6ce7fbda5794a3beae578729b0cf0c6a271705c0f728d7b15bc09534cd6b30b14a74cbd11b86200c10a29e583dfa5c0e2fa63c32471dcf079c92f310385d57b2

  • SSDEEP

    98304:BN2e5I5Y6zseVcQlsvWVyNteAoNZDQ1u0tjbr7cG:Bd5w9VVsvZNxoNBAN/AG

Malware Config

Extracted

Family

hydra

C2

http://fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra family
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Processes

  • com.unaware.tissue (PID 5210)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)

Network

  • DNS android.apis.google.com
    Remote address: 1.1.1.1:53 (AU)
    Request: android.apis.google.com IN A
    Response: android.apis.google.com IN CNAME clients.l.google.com
              clients.l.google.com IN A 142.250.180.14
  • DNS ssl.google-analytics.com
    Remote address: 1.1.1.1:53 (AU)
    Request: ssl.google-analytics.com IN A
    Response: ssl.google-analytics.com IN A 142.250.200.40
  • DNS fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd
    Remote address: 1.1.1.1:53 (AU)
    Request: fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd IN A
    Response: no A record returned (the C2 domain did not resolve during the run)
  • DNS ip-api.com
    Remote address: 1.1.1.1:53 (AU)
    Request: ip-api.com IN A
    Response: ip-api.com IN A 208.95.112.1
  • HTTP GET http://ip-api.com/json
    Remote address: 208.95.112.1:80 (US)
    Request
    GET /json HTTP/1.1
    Authorization: 5308642ae78425df
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Tue, 18 Mar 2025 22:01:38 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 288
    Access-Control-Allow-Origin: *
    X-Ttl: 58
    X-Rl: 43
  Connections (destination, domain, protocol, bytes sent, bytes received, packets tx / rx)

  • 216.58.212.234:443   tls, https   sent 1.2kB   received 40 B   1 tx / 1 rx
  • 216.58.212.206:443   tls, https   sent 914 B   received 40 B   1 tx / 1 rx
  • 142.250.180.14:443   android.apis.google.com   tls   sent 3.4kB   received 7.9kB   13 tx / 18 rx
  • 142.250.178.10:443   tls, https   sent 2.3kB   received 40 B   1 tx / 1 rx
  • 142.250.200.40:443   ssl.google-analytics.com   tls   sent 1.3kB   received 6.3kB   8 tx / 9 rx
  • 208.95.112.1:80   http://ip-api.com/json   http   sent 452 B   received 637 B   5 tx / 4 rx

    HTTP Request
    GET http://ip-api.com/json

    HTTP Response
    200
  • 142.250.180.14:443   android.apis.google.com   52 B   1 packet
  • 142.250.180.14:443   android.apis.google.com   416 B   8 packets
  • 142.250.200.2:443   416 B   8 packets
  • 224.0.0.251:5353   3.7kB   11 packets
  • 1.1.1.1:53   android.apis.google.com   dns   sent 69 B   received 109 B   1 tx / 1 rx

    DNS Request: android.apis.google.com
    DNS Response: 142.250.180.14

  • 1.1.1.1:53   ssl.google-analytics.com   dns   sent 70 B   received 86 B   1 tx / 1 rx

    DNS Request: ssl.google-analytics.com
    DNS Response: 142.250.200.40

  • 1.1.1.1:53   fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd   dns   sent 99 B   received 164 B   1 tx / 1 rx

    DNS Request: fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd

  • 1.1.1.1:53   ip-api.com   dns   sent 56 B   received 72 B   1 tx / 1 rx

    DNS Request: ip-api.com
    DNS Response: 208.95.112.1
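The network section above shows the two observables a defender can act on without any Hydra-specific knowledge: a lookup for the extracted C2 domain, and an HTTP request to ip-api.com/json sent with the stock Dalvik User-Agent (the default of Android's HttpURLConnection) and an Authorization header that carries a bare token instead of a standard scheme such as Bearer or Basic. The following is an added detection example written for this report; it is not Triage code and not part of the sample. It applies those three rules to a constructed JSON-lines log whose records mirror the DNS and HTTP entries above (the record format, field names and the extra Mozilla-UA line are assumptions made for the example).

```python
import json
import re

# Indicators taken from the sandbox report above.
HYDRA_C2_DOMAIN = "fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd"
EXTERNAL_IP_SERVICES = {"ip-api.com"}
# Stock Dalvik UA: what HttpURLConnection sends when the app sets none.
DALVIK_UA = re.compile(r"^Dalvik/")
# RFC 7235 style schemes; a bare token like "5308642ae78425df" matches none of them.
STANDARD_AUTH_SCHEMES = ("basic ", "bearer ", "digest ", "negotiate ", "ntlm ")


def dns_findings(rec: dict) -> list:
    """Rules applied to one DNS query record."""
    out = []
    qname = rec.get("qname", "").rstrip(".").lower()
    if qname == HYDRA_C2_DOMAIN or qname.endswith("." + HYDRA_C2_DOMAIN):
        out.append("dns:hydra-c2-lookup")
    return out


def http_findings(rec: dict) -> list:
    """Rules applied to one HTTP request record."""
    out = []
    host = rec.get("host", "").lower()
    ua = rec.get("ua", "")
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if host in EXTERNAL_IP_SERVICES and DALVIK_UA.match(ua):
        # An Android app with the raw Dalvik UA asking a geolocation API for its
        # own public address: the "looks up external IP address" behaviour.
        out.append("http:dalvik-external-ip-lookup")
    auth = headers.get("authorization")
    if auth is not None and not auth.lower().startswith(STANDARD_AUTH_SCHEMES):
        out.append("http:nonstandard-authorization-header")
    return out


def scan(lines) -> list:
    """Run the rules over JSON-lines records; return one finding per rule hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rules = dns_findings(rec) if rec.get("type") == "dns" else http_findings(rec)
        for rule in rules:
            findings.append({"line": n, "rule": rule, "record": rec})
    return findings


# Constructed sample log (assumed format), modelled on the report's network entries.
SAMPLE_LOG = [
    '{"type":"dns","qname":"android.apis.google.com"}',
    '{"type":"dns","qname":"ssl.google-analytics.com"}',
    '{"type":"dns","qname":"fajasdklfjds90932ldkfj920ldsfadsnfozvabozsnerdasa.cfd"}',
    '{"type":"dns","qname":"ip-api.com"}',
    '{"type":"http","host":"ip-api.com","path":"/json",'
    '"ua":"Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)",'
    '"headers":{"Authorization":"5308642ae78425df","Content-Type":"application/json"}}',
    # A browser hitting the same API with no auth header: should not fire.
    '{"type":"http","host":"ip-api.com","path":"/json","ua":"Mozilla/5.0","headers":{}}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']}")
```

The C2 rule is an exact indicator and will go stale as soon as the operators rotate domains; the Dalvik plus ip-api.com rule is behavioural but also fires on benign apps that use HttpURLConnection with its default User-Agent, so treat it as a triage signal to correlate with the Accessibility-service and dropped-DEX findings rather than a blocking rule on its own.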

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.unaware.tissue/app_fitness/hg.json

    Filesize

    969KB

    MD5

    a60fc1bd35302214b9dbbb9da21adb33

    SHA1

    0e3aae5b7146933ea127262daf2ef67b81cbb01b

    SHA256

    03071c938dcd1f0b608f826abe05bccd425d45fbc52bcadfd7a1ecf40e3484cf

    SHA512

    6a61b7eb2b5e9a0e4443bffe6eb87f9a0954c2fa18c448649a271fae5795230b34fd5c26902d63d04dfd7f5731350f8039f4a853dfdcfd0a767ebc5cc3a3a5b4

  • /data/data/com.unaware.tissue/app_fitness/hg.json

    Filesize

    969KB

    MD5

    14d430fae8584b962a06998be4ab0e62

    SHA1

    a1b6486adabdee5cdfbb5ed4da8e64ced381f0ea

    SHA256

    955dfa0778d7cc972396cd4e8bccfcd94cf9676c927e9978829d739519c0d4b1

    SHA512

    880dd195272bbdcffb913c2dc91830a42c7e588ae6cc1ac26433e2342c365278cfe0216eefe7b4ec530a281fcc4c92b067e392796d810b66062ad2ab02c0410d

  • /data/data/com.unaware.tissue/app_fitness/oat/hg.json.cur.prof

    Filesize

    1KB

    MD5

    c3831bc7d3750499c2b11e478ffab5da

    SHA1

    7cf8377705325aaacc19849621f4a55ea679a804

    SHA256

    a2c6e8dacdaad8930c0735d5299086e2d8cb41bbc4f8b12e56da12c9d8fe0002

    SHA512

    d1a8613deb7caa07d59b7a9f8a220c56432d2a8db18bb847cea1b0ab010c1e241d1e79caec24ed08d5a0402892ec83a0b437cfadb2fb8a086ac16f675a7c9413

  • /data/user/0/com.unaware.tissue/app_fitness/hg.json

    Filesize

    2.2MB

    MD5

    b86222b8b0c7cffc60dc06c443434bec

    SHA1

    e91ccbe2573f198318236cf3845a355d529767bc

    SHA256

    777c111d75b5c69dc915cf9d07401f96fce8997f37fe49773dfdda2e79521424

    SHA512

    704412e2282f57142294741ec1dbfe26667e460029d34220ebfa2f3f795d46231501cc62813db6da1fcf9b1a45ed706ffccad8890b54aa1d9fca53e344239797
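The "Loads dropped Dex/Jar" signature and the Downloads list above belong together: the payload is written as app_fitness/hg.json, a name chosen to look like app data, and ART then writes oat/hg.json.cur.prof beside it, a profile file it only produces for code it has actually loaded from that path. Note also that /data/data/com.unaware.tissue and /data/user/0/com.unaware.tissue are the same directory on Android (the former is a symlink to the latter), so the 2.2MB entry is a later overwrite of the same file rather than a fourth location. The following is an added example, not Triage code and not part of the sample: it checks what a dropped file really is by its magic bytes rather than its extension, hashes it, and compares the SHA-256 against the dropped-file hashes listed in this report. The sample bytes in SAMPLES are constructed stand-ins, not the real dropped files.

```python
import hashlib
import json

# SHA-256 values of the dropped files listed in the report above.
HYDRA_DROPPED_SHA256 = frozenset({
    "03071c938dcd1f0b608f826abe05bccd425d45fbc52bcadfd7a1ecf40e3484cf",
    "955dfa0778d7cc972396cd4e8bccfcd94cf9676c927e9978829d739519c0d4b1",
    "777c111d75b5c69dc915cf9d07401f96fce8997f37fe49773dfdda2e79521424",
})

DEX_MAGIC = b"dex\n"       # followed by a 3-digit version and NUL, e.g. b"035\x00"
ZIP_MAGIC = b"PK\x03\x04"  # .jar / .apk containers are zip archives
ELF_MAGIC = b"\x7fELF"     # native library hidden under a data-file name
CODE_EXTENSIONS = ("dex", "jar", "apk", "so", "zip")


def classify_blob(data: bytes) -> str:
    """Return what the bytes really are, ignoring the file name."""
    if data.startswith(DEX_MAGIC) and len(data) >= 8 and data[7:8] == b"\x00":
        return "dex"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(ELF_MAGIC):
        return "elf"
    try:
        json.loads(data.decode("utf-8"))
        return "json"
    except (UnicodeDecodeError, ValueError):
        return "unknown"


def hashes(data: bytes) -> dict:
    """The three digests the report lists for each dropped file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def assess(path: str, data: bytes) -> dict:
    """Flag code stored under a non-code extension and match known payload hashes."""
    kind = classify_blob(data)
    h = hashes(data)
    name = path.rsplit("/", 1)[-1]
    extension = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    masquerading = kind in ("dex", "zip", "elf") and extension not in CODE_EXTENSIONS
    return {
        "path": path,
        "kind": kind,
        "extension": extension,
        "masquerading": masquerading,
        "known_hydra_payload": h["sha256"] in HYDRA_DROPPED_SHA256,
        **h,
    }


# Constructed stand-ins (assumption: not the real dropped files): a minimal
# 0x70-byte DEX header, a zip local-file header, and a genuine JSON document.
SAMPLES = {
    "/data/data/com.unaware.tissue/app_fitness/hg.json": b"dex\n035\x00" + bytes(0x68),
    "/data/data/com.unaware.tissue/app_fitness/plugin.jar": b"PK\x03\x04" + bytes(26),
    "/data/data/com.unaware.tissue/files/settings.json": b'{"steps": 1200}',
}

if __name__ == "__main__":
    for path, blob in SAMPLES.items():
        r = assess(path, blob)
        print(f"{r['path']}: {r['kind']} masquerading={r['masquerading']} "
              f"known_hydra_payload={r['known_hydra_payload']} sha256={r['sha256']}")
```

Run this over the app's private directory pulled from a device or from the sandbox's dropped-file export; a DEX or zip under a .json name is the finding, and a hash hit against the list only tells you it is this exact build, which the two differing hg.json hashes in the report already show changes between writes.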
