Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    25/03/2025, 05:02

General

  • Target

    e80cb43578f6a8b2ded95c8a2e86076f3661d60e2f18ebd1f094308e1d593c87.apk

  • Size

    7.4MB

  • MD5

    9326a01f58049dcd9947e91c71972fba

  • SHA1

    6686eec12836e010a929df0df3ca87b3d718d348

  • SHA256

    e80cb43578f6a8b2ded95c8a2e86076f3661d60e2f18ebd1f094308e1d593c87

  • SHA512

    7e1a4a26b384b5c611c6927ff5176fa9f75a6ce7488bfd080b7ea461dad7a54a4267f18d11d826de33fb85cde609824350b41ea59b730e116424397e4d7b3a70

  • SSDEEP

    98304:qKkDrOhNgdgC6j6DhdkFjVddWbRIdymNQn8ohd+rnR7Qw4Z2k7Aa3k4uHrLWOgud:kDahNBC6WCNZyZhd+tO7hDtMkuY6fnBv

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra family
  • Hydra payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 28 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Processes

  • com.donor.festival
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4384
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.donor.festival/app_DynamicOptDex/mJDPd.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.donor.festival/app_DynamicOptDex/oat/x86/mJDPd.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4444
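
The process tree is the most telling part of this report: the app writes a file named mJDPd.json into its private app_DynamicOptDex directory, and the system then spawns dex2oat with that file as --dex-file, which is what Android does when an app loads a DEX at runtime rather than at install time. The ".json" extension is cosmetic; the content is code. The Python below is an added triage helper, not part of the tria.ge report or of the sample: it parses the dex2oat command line shown above, classifies a dropped file by its magic bytes instead of its extension, validates the adler32 checksum that a real DEX header carries, and compares a file's SHA256 against the three mJDPd.json hashes listed under Downloads. The sample DEX bytes are constructed inline (a bare 112-byte header with a correct checksum), so nothing here represents the actual payload; function names are mine.

```python
"""Triage helpers for the dynamic DEX loading shown in the process tree (added example)."""
import hashlib
import re
import struct
import zlib

# dex2oat command line copied from the process tree above; the tail is truncated as on the page.
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.donor.festival/app_DynamicOptDex/mJDPd.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.donor.festival/app_DynamicOptDex/oat/x86/mJDPd.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# SHA256 of the three mJDPd.json writes listed under Downloads in this report.
REPORT_DEX_SHA256 = {
    "2bcf991578325442b0a24759ab70aa0aab5de540a7e4930efae72fcc936a4cc6",
    "692a081dc59ead724bc04cb2d4f35b749de793b756bbcf34d9890aaedc59e51c",
    "3a81d9c4d5af258538fe137407bb1255c59a21329eb00c5c34be925d1657d576",
}

DEX_HEADER_SIZE = 0x70  # fixed DEX header length

def dex2oat_targets(cmdline):
    """Pull the input DEX path, output OAT path and compiler filter out of a dex2oat command line."""
    out = {}
    for key in ("dex-file", "oat-location", "compiler-filter"):
        m = re.search(r"--%s=(\S+)" % key, cmdline)
        out[key.replace("-", "_")] = m.group(1) if m else None
    return out

def identify_payload(data):
    """Classify a dropped file by content; the extension is ignored on purpose."""
    if len(data) >= 8 and data[:4] == b"dex\n" and data[7:8] == b"\x00":
        return "dex"          # magic "dex\n0NN\0"
    if data[:4] == b"PK\x03\x04":
        return "zip"          # JAR/APK container, may wrap classes.dex
    if data.lstrip()[:1] in (b"{", b"["):
        return "json"
    return "unknown"

def dex_checksum_ok(data):
    """Check the adler32 stored at offset 8 against everything after it (offset 12 onward)."""
    if len(data) < DEX_HEADER_SIZE or identify_payload(data) != "dex":
        return False
    stored = struct.unpack_from("<I", data, 8)[0]
    return stored == (zlib.adler32(data[12:]) & 0xFFFFFFFF)

def is_masqueraded_code(path, data):
    """True when the filename claims a data format but the bytes are loadable code."""
    claimed = path.rsplit(".", 1)[-1].lower()
    return claimed in ("json", "txt", "dat", "png", "jpg") and identify_payload(data) in ("dex", "zip")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def matches_report(data):
    """Whether the bytes are one of the mJDPd.json versions seen in this analysis."""
    return sha256_hex(data) in REPORT_DEX_SHA256

def build_sample_dex():
    """Constructed minimal DEX header with a valid checksum; not the real payload."""
    body = bytes(20)                               # signature field (SHA-1), zeroed here
    body += struct.pack("<I", DEX_HEADER_SIZE)     # file_size
    body += struct.pack("<I", DEX_HEADER_SIZE)     # header_size
    body += struct.pack("<I", 0x12345678)          # endian_tag
    body += bytes(DEX_HEADER_SIZE - 12 - len(body))  # remaining header fields, zeroed
    checksum = zlib.adler32(body) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + body

if __name__ == "__main__":
    targets = dex2oat_targets(DEX2OAT_CMDLINE)
    sample = build_sample_dex()
    print("dex2oat compiled:", targets["dex_file"], "->", targets["oat_location"])
    print("payload type:", identify_payload(sample), "checksum ok:", dex_checksum_ok(sample))
    print("masqueraded as data:", is_masqueraded_code(targets["dex_file"], sample))
    print("known from report:", matches_report(sample))
```

In a real triage run you would read the dropped mJDPd.json out of the sandbox download set and pass its bytes to the same functions; a "json" file that identifies as "dex" with a valid checksum is the dynamic-loading indicator the signature above is describing, and the --compiler-filter=quicken value shows the runtime compiled it on first load rather than using an install-time artifact.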

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.donor.festival/app_DynamicOptDex/mJDPd.json

    Filesize

    5.2MB

    MD5

    fbd922d641725f6eb36f149105c4e181

    SHA1

    96ec4a009bf356aba9cff46fee72f85b9b085ad0

    SHA256

    2bcf991578325442b0a24759ab70aa0aab5de540a7e4930efae72fcc936a4cc6

    SHA512

    bdc5f047fe4aec5c89e3d7cfa8a1fb09a8388442570042344055054f473601d3a85a20ff797ac030bf190ba99218e83c1494f9e5802e9e67112a1ec7fd650f89

  • /data/data/com.donor.festival/app_DynamicOptDex/mJDPd.json

    Filesize

    5.2MB

    MD5

    99f6b6d85f85b8b6ce2d16a7f129699b

    SHA1

    1c3e3a79bc14b8ce3e4e97914406714a4e572d8e

    SHA256

    692a081dc59ead724bc04cb2d4f35b749de793b756bbcf34d9890aaedc59e51c

    SHA512

    4b1477f9d19215cc3dd245dfb4570120127ac08d286b1ef098202cae6a604eb433bfdf126487c66a7f59d9d2b8db272459abf0c728c31fb3dc0e217f7f3b778b

  • /data/data/com.donor.festival/app_DynamicOptDex/oat/mJDPd.json.cur.prof

    Filesize

    1KB

    MD5

    4b0ece1ea4a4fdd61c8735b02b90112c

    SHA1

    1d6718bed4243aa2d5a05b9097b8080323ce8034

    SHA256

    95c1a2db5e4440eb048822a7a0f2f364fa7a441b8d765f32f560703debd2565b

    SHA512

    45a5ffea3eb841476d3f7f7c06369983b64691aef13975940e8c1a5f6bdebf4c9129fc2a5124a4177fb9a88387b5f07ef309b794969ffaf06c6b45cfc2d83283

  • /data/user/0/com.donor.festival/app_DynamicOptDex/mJDPd.json

    Filesize

    5.2MB

    MD5

    c0de26f21a697ae8408fbd24f60aa39e

    SHA1

    92c4d493d05175edb7931ad49c5d9f4f928f0b85

    SHA256

    3a81d9c4d5af258538fe137407bb1255c59a21329eb00c5c34be925d1657d576

    SHA512

    d18d9868a14a4a251e0eaf7b2def7cf07c5d53d71574b653d039941484a4ee3d7e01991318740a45157142afed977377b332e2f5e44d001d7ca7127cf14f9812