Analysis
max time kernel:  146s
max time network: 148s
platform:         android-9_x86
resource:         android-x86-arm-20240910-en
resource tags:    arch:arm arch:x86 image:android-x86-arm-20240910-en locale:en-us os:android-9-x86 system
submitted:        25/03/2025, 05:02
Static task
static1

Behavioral task
behavioral1
Sample:   e80cb43578f6a8b2ded95c8a2e86076f3661d60e2f18ebd1f094308e1d593c87.apk
Resource: android-x86-arm-20240910-en

Behavioral task
behavioral2
Sample:   e80cb43578f6a8b2ded95c8a2e86076f3661d60e2f18ebd1f094308e1d593c87.apk
Resource: android-x64-20240910-en

Behavioral task
behavioral3
Sample:   e80cb43578f6a8b2ded95c8a2e86076f3661d60e2f18ebd1f094308e1d593c87.apk
Resource: android-x64-arm64-20240910-en
General
Target: e80cb43578f6a8b2ded95c8a2e86076f3661d60e2f18ebd1f094308e1d593c87.apk
Size:   7.4MB
MD5:    9326a01f58049dcd9947e91c71972fba
SHA1:   6686eec12836e010a929df0df3ca87b3d718d348
SHA256: e80cb43578f6a8b2ded95c8a2e86076f3661d60e2f18ebd1f094308e1d593c87
SHA512: 7e1a4a26b384b5c611c6927ff5176fa9f75a6ce7488bfd080b7ea461dad7a54a4267f18d11d826de33fb85cde609824350b41ea59b730e116424397e4d7b3a70
SSDEEP: 98304:qKkDrOhNgdgC6j6DhdkFjVddWbRIdymNQn8ohd+rnR7Qw4Z2k7Aa3k4uHrLWOgud:kDahNBC6WCNZyZhd+tO7hDtMkuY6fnBv
Malware Config
Signatures

Hydra
Android banker and info stealer.

Hydra family

Hydra payload (2 IoCs)
resource                         yara_rule
behavioral1/files/fstream-2.dat  family_hydra1
behavioral1/memory/4384-1.dex    family_hydra1

Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
Runs executable file dropped to the device during analysis.
ioc                                                           pid   Process
/data/user/0/com.donor.festival/app_DynamicOptDex/mJDPd.json  4384  com.donor.festival
/data/user/0/com.donor.festival/app_DynamicOptDex/mJDPd.json  4444  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.donor.festival/app_DynamicOptDex/mJDPd.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.donor.festival/app_DynamicOptDex/oat/x86/mJDPd.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.donor.festival/app_DynamicOptDex/mJDPd.json  4384  com.donor.festival

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description             ioc                                                                                              Process
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  com.donor.festival
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId          com.donor.festival

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 28 IoCs)
flow  ioc
14    raw.githubusercontent.com
20    raw.githubusercontent.com
22    raw.githubusercontent.com
31    raw.githubusercontent.com
32    raw.githubusercontent.com
34    raw.githubusercontent.com
13    raw.githubusercontent.com
24    raw.githubusercontent.com
28    raw.githubusercontent.com
36    raw.githubusercontent.com
37    raw.githubusercontent.com
38    raw.githubusercontent.com
15    raw.githubusercontent.com
21    raw.githubusercontent.com
30    raw.githubusercontent.com
33    raw.githubusercontent.com
35    raw.githubusercontent.com
43    raw.githubusercontent.com
8     raw.githubusercontent.com
12    raw.githubusercontent.com
16    raw.githubusercontent.com
17    raw.githubusercontent.com
18    raw.githubusercontent.com
19    raw.githubusercontent.com
23    raw.githubusercontent.com
29    raw.githubusercontent.com
4     raw.githubusercontent.com
5     raw.githubusercontent.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
6     ip-api.com

Queries information about active data network (1 TTPs, 1 IoCs)
description             ioc                                                   Process
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.donor.festival

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
description             ioc                                                                  Process
Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  com.donor.festival

Reads information about phone network operator. (1 TTPs)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description             ioc                                            Process
Framework service call  android.app.IActivityManager.registerReceiver  com.donor.festival
Processes

com.donor.festival (PID 4384)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries information about active data network
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)

  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.donor.festival/app_DynamicOptDex/mJDPd.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.donor.festival/app_DynamicOptDex/oat/x86/mJDPd.odex --compiler-filter=quicken --class-loader-context=& (PID 4444)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Mobile v15
Downloads