Overview

overview

10

Static

static

6

00a251eca7...b9.apk

android-9-x86

10

00a251eca7...b9.apk

android-10-x64

10

00a251eca7...b9.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    18/03/2025, 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00a251eca7976dc909866069f9f958dac997d104af97e426e8c83c978d6bf6b9.apk

  • Size

    2.8MB

  • MD5

    14357e3f45504b432a77e079d35e6d2c

  • SHA1

    5f2a9cc9fbfe092b8fd1718f5624dac2a044765d

  • SHA256

    00a251eca7976dc909866069f9f958dac997d104af97e426e8c83c978d6bf6b9

  • SHA512

    1065f8c0283f50faf37880cb71e821f0f3f372dd89b48bf78e6fffa6ce80d8aead0cc762d698d9188e79445f952a60218da92c96442f96144af435c7b0e4d530

  • SSDEEP

    49152:Og94iDJWHokkWK+CP87kzKLvE3/5wH0bXQ58MGhrnHrAI+y1HDDz64uTMONK:zqG+aS6avEv5IBchrnHcaHv+xrNK

Score
10/10
hydrabankercollectioncredential_accessdefense_evasiondiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

hydra

C2

http://vadkedloepasdlekdqwwe123edlwegbanbemnezdoemsded.com

Signatures

  • Hydra

    Android banker and info stealer.

    bankertrojaninfostealerhydra
  • Hydra family
    hydra
  • Hydra payload 4 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.another.night
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Reads the contacts stored on the device.
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4258
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.another.night/app_anchor/EjoDy.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.another.night/app_anchor/oat/x86/EjoDy.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4283

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.another.night/app_anchor/EjoDy.json
    Filesize

    969KB

    MD5

    e73c797f3499e86aea6cdaf7606c2ea2

    SHA1

    613b732863f31f23cae7311bb11d8b5ced68e3ad

    SHA256

    a84ee9d45a9a7666ceef705f81fd24e05292cf456f648e3618532472bfd2da01

    SHA512

    52a9e86b95f6ece00c7682514c8d9a66030c41bd88fa580cc528a19a4d6c06873732ad57383868c8e448c21412e8dd6df9401bf80f0d4c2b230906756e44174c

    Download Submit

  • /data/data/com.another.night/app_anchor/EjoDy.json
    Filesize

    969KB

    MD5

    5ff51cf7a288807ef4a0b91e30cfb67e

    SHA1

    fa942c8203aab9ff5a37a13216293171b8f88702

    SHA256

    57a84fa16906704b800cc621eebae1f75b5230b435c23f5381722e8bce03347c

    SHA512

    8919e7f2450ad9315d829fbc3c1e862759e4cc891ae770d9476d78324fb076252c765bf708051097c5e2db4b68a40f1d9ef84a0cbbda1655242f473d2acc1bba

    Download Submit

  • /data/data/com.another.night/app_anchor/oat/EjoDy.json.cur.prof
    Filesize

    1KB

    MD5

    f678b493c73246125d7e87da0c1733e1

    SHA1

    2107d1ba909bfc6656055299bb3890f6e6590bb6

    SHA256

    4279a3ab8d6c5529caa201f349ae10118a514e8d05ba4e3ec5b4f0f2e1b6ad04

    SHA512

    6ab527777e8c064ea15f68eadf6e260391433c5ebf7ba1a514465610e879156013b537499eff76703ed670219f938849758dd08c865c4f7506cc76c0aa18d628

    Download Submit

  • /data/user/0/com.another.night/app_anchor/EjoDy.json
    Filesize

    2.2MB

    MD5

    7e9e1cd9d3fcde5a87488766a79c9412

    SHA1

    e1641a66516ec0f9c106cb0c8a7f1ad60b34f4a3

    SHA256

    8baeff4e9a376026ffa7ca8f1b053d93471e8a9312e23c0d830d380faadffb3a

    SHA512

    aa39af99ca7694bc3c953907807f40d84da70bffd495a08cc30fedd4b5645f24f9f1125c2752824550c4c167c065998e5b5c8cd749a69edb2d18c3b6d9dc07a2

    Download Submit

  • /data/user/0/com.another.night/app_anchor/EjoDy.json
    Filesize

    2.2MB

    MD5

    a902388018fbc88da24db97eb3999cd6

    SHA1

    96bdcb04d3e80b45776f946b912928cba7566b84

    SHA256

    69e46e3c370d64ce58d947e892f04e91ba3ffcc7f5b1014f6b491e50376fdf16

    SHA512

    f2351a232abbdad008f130c098f89057d1d064d28f095b1a791007246b4c344e9712a37226c5619aaadf7b15c7b4c0cb5ae16039664d11342c01fa39857a3a61

    Download Submit