Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system -
submitted
18/03/2025, 22:01
Static task
static1
Behavioral task
behavioral1
Sample
00a251eca7976dc909866069f9f958dac997d104af97e426e8c83c978d6bf6b9.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
00a251eca7976dc909866069f9f958dac997d104af97e426e8c83c978d6bf6b9.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
00a251eca7976dc909866069f9f958dac997d104af97e426e8c83c978d6bf6b9.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
00a251eca7976dc909866069f9f958dac997d104af97e426e8c83c978d6bf6b9.apk
-
Size
2.8MB
-
MD5
14357e3f45504b432a77e079d35e6d2c
-
SHA1
5f2a9cc9fbfe092b8fd1718f5624dac2a044765d
-
SHA256
00a251eca7976dc909866069f9f958dac997d104af97e426e8c83c978d6bf6b9
-
SHA512
1065f8c0283f50faf37880cb71e821f0f3f372dd89b48bf78e6fffa6ce80d8aead0cc762d698d9188e79445f952a60218da92c96442f96144af435c7b0e4d530
-
SSDEEP
49152:Og94iDJWHokkWK+CP87kzKLvE3/5wH0bXQ58MGhrnHrAI+y1HDDz64uTMONK:zqG+aS6avEv5IBchrnHcaHv+xrNK
Malware Config
Extracted
hydra
http://vadkedloepasdlekdqwwe123edlwegbanbemnezdoemsded.com
Signatures
-
Hydra
Android banker and info stealer.
-
Hydra family
-
Hydra payload 4 IoCs
resource yara_rule behavioral1/memory/4283-0.dex family_hydra1 behavioral1/memory/4283-0.dex family_hydra2 behavioral1/memory/4258-0.dex family_hydra1 behavioral1/memory/4258-0.dex family_hydra2 -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.another.night/app_anchor/EjoDy.json 4283 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.another.night/app_anchor/EjoDy.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.another.night/app_anchor/oat/x86/EjoDy.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.another.night/app_anchor/EjoDy.json 4258 com.another.night -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.another.night Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.another.night -
Reads the contacts stored on the device. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://com.android.contacts/contacts com.another.night -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 ip-api.com -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.another.night -
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.another.night -
Queries information about active data network 1 TTPs 1 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.another.night -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.another.night -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.another.night
Processes
-
com.another.night1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Reads the contacts stored on the device.
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4258 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.another.night/app_anchor/EjoDy.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.another.night/app_anchor/oat/x86/EjoDy.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4283
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
969KB
MD5e73c797f3499e86aea6cdaf7606c2ea2
SHA1613b732863f31f23cae7311bb11d8b5ced68e3ad
SHA256a84ee9d45a9a7666ceef705f81fd24e05292cf456f648e3618532472bfd2da01
SHA51252a9e86b95f6ece00c7682514c8d9a66030c41bd88fa580cc528a19a4d6c06873732ad57383868c8e448c21412e8dd6df9401bf80f0d4c2b230906756e44174c
-
Filesize
969KB
MD55ff51cf7a288807ef4a0b91e30cfb67e
SHA1fa942c8203aab9ff5a37a13216293171b8f88702
SHA25657a84fa16906704b800cc621eebae1f75b5230b435c23f5381722e8bce03347c
SHA5128919e7f2450ad9315d829fbc3c1e862759e4cc891ae770d9476d78324fb076252c765bf708051097c5e2db4b68a40f1d9ef84a0cbbda1655242f473d2acc1bba
-
Filesize
1KB
MD5f678b493c73246125d7e87da0c1733e1
SHA12107d1ba909bfc6656055299bb3890f6e6590bb6
SHA2564279a3ab8d6c5529caa201f349ae10118a514e8d05ba4e3ec5b4f0f2e1b6ad04
SHA5126ab527777e8c064ea15f68eadf6e260391433c5ebf7ba1a514465610e879156013b537499eff76703ed670219f938849758dd08c865c4f7506cc76c0aa18d628
-
Filesize
2.2MB
MD57e9e1cd9d3fcde5a87488766a79c9412
SHA1e1641a66516ec0f9c106cb0c8a7f1ad60b34f4a3
SHA2568baeff4e9a376026ffa7ca8f1b053d93471e8a9312e23c0d830d380faadffb3a
SHA512aa39af99ca7694bc3c953907807f40d84da70bffd495a08cc30fedd4b5645f24f9f1125c2752824550c4c167c065998e5b5c8cd749a69edb2d18c3b6d9dc07a2
-
Filesize
2.2MB
MD5a902388018fbc88da24db97eb3999cd6
SHA196bdcb04d3e80b45776f946b912928cba7566b84
SHA25669e46e3c370d64ce58d947e892f04e91ba3ffcc7f5b1014f6b491e50376fdf16
SHA512f2351a232abbdad008f130c098f89057d1d064d28f095b1a791007246b4c344e9712a37226c5619aaadf7b15c7b4c0cb5ae16039664d11342c01fa39857a3a61