Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags
    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    18/03/2025, 22:01

General

  • Target
    4902d53679849c227912f4b8ff5f9ca81fc1eac5640768bf486b007109c207f2.apk
  • Size
    3.7MB
  • MD5
    31b668aae3cefc0dade16a28d28573c7
  • SHA1
    5b5a2b742e437afefdda5533f1ffc4a3a7f06321
  • SHA256
    4902d53679849c227912f4b8ff5f9ca81fc1eac5640768bf486b007109c207f2
  • SHA512
    f371abe68c7ce0569f1249934b99dc7c98a0cba6b5c6269ef0f97e6986394e815f761bddda100e65c2fef0db81b993701fadd60af18b10e8c0f98fdecc9bcc32
  • SSDEEP
    98304:1BTUpsYPoUz3ao1vz2Q6bA0eSEhh18Qx8092Q9ep5sq4h:1pUWczIvhxQc6h

Malware Config

Extracted

Family

hydra

C2

http://vadkedloepasdlekdqwwe123edlwegbanbemnezdoemsded.com

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra family
  • Hydra payload 4 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Processes

  • com.drink.pole
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4217
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.drink.pole/app_ice/EiTg.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.drink.pole/app_ice/oat/x86/EiTg.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4243

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.drink.pole/app_ice/EiTg.json
    Filesize: 969KB
    MD5: 7d6e151aea5e64de1b3d21b62dc68f8c
    SHA1: b21f100e16eabf6d096b6f461927ab85b088a78c
    SHA256: 6def1fee8b7a28bf189d335a954dc92e9d57bdf1ee70192cfdeb331c4c990253
    SHA512: a9ca195086cff9cd66f1c8f76a3d0de12cb029e3e63acff06687188b98164f77c56ed4e26abf79852974209a7289480ea94c70ff3b0a764c7b3fb6c2ff032bcf

  • /data/data/com.drink.pole/app_ice/EiTg.json
    Filesize: 969KB
    MD5: 4a369556256a317d5c4fc87ec019ca4f
    SHA1: d2303c6df95721d33bd0c57b2f59f0465d59e536
    SHA256: 14b191cd06a67cbb8f4f1aa99e73debd434b50c348004ad5ad6fa673f319bd8d
    SHA512: 529db678c66b06f6073a16fe79fe2b7daa6509767591224ead2664396b560eea0a2f6fb062631e27dc95c987042528f34739a6e19133b5f7f83cb75ba6917676

  • /data/data/com.drink.pole/app_ice/oat/EiTg.json.cur.prof
    Filesize: 1KB
    MD5: c306440a92278d2bcd3ec5abcc5c2a70
    SHA1: 3fdc3b6c82e8caea22584cd30ea0a1a85ddf54c6
    SHA256: fa4e0090fefe7fb3df14b1fb2ad79f9c4065a41e70cf52c9293d29b284145e0e
    SHA512: 5ef178b724b2303cd341dcd7c293a1f35307377d182a31eee2078d2f0a55c37648d36935b40fe0f03eb6b3652532ff96c4e19acc0a9bb784de9100a05ea43719

  • /data/user/0/com.drink.pole/app_ice/EiTg.json
    Filesize: 2.2MB
    MD5: e7b349dcdb17defcf224d38cfb515a76
    SHA1: 7e0f3a8775b45274601ef454cf2b3e03c6732af2
    SHA256: 6629f13e5413e6d7f71c07d24b5ac5b6cb5f9c385a1c84186c0d8455eb7e845f
    SHA512: 45e12179c52c2e6100479262d102750ecf6b54b535eca0615084f70f559f5a6c8fce256b486922a5d8e3cfad918883fdefe2fb807cc0c6901e834265aba3aafd

  • /data/user/0/com.drink.pole/app_ice/EiTg.json
    Filesize: 2.2MB
    MD5: 03e6f036cf9c79c0390146b07de02a8a
    SHA1: 518103de9468ea660b63d1e773bc397add211de1
    SHA256: 4f8ae26496d1fbb51dada64620bcdd3e67c5812365e4148c98d00aa60ea046bc
    SHA512: a289d4a1fbe6147cc3f6d408fc622b14322caea3023c4070a736d8e4b9fa61b4652df7ee0e7a4ba4acb467eea1a45c5b2f24c5bfd13c8b976be3f7f7a3eec72d