Malware Analysis Report

2024-10-19 12:04

Sample ID 240331-1ztnbsdh59
Target 5f60376ae066166c8385bd292a9986ef_JaffaCakes118
SHA256 fb34414b386d0d12c24d11bce56f087730afc3fbab1ee397182f5dd64183b53b
Tags
hydra banker collection discovery evasion infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb34414b386d0d12c24d11bce56f087730afc3fbab1ee397182f5dd64183b53b

Threat Level: Known bad

The file 5f60376ae066166c8385bd292a9986ef_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection discovery evasion infostealer trojan

Hydra

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Looks up external IP address via web service

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-31 22:05

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-31 22:05

Reported

2024-03-31 22:08

Platform

android-x86-arm-20240221-en

Max time kernel

148s

Max time network

156s

Command Line

com.ynnglklc.woezqex

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.ynnglklc.woezqex/oakjategdd/fdfsydkqwkfhghs/base.apk.ggkiggf1.jul N/A N/A
N/A /data/user/0/com.ynnglklc.woezqex/oakjategdd/fdfsydkqwkfhghs/base.apk.ggkiggf1.jul N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Reads information about phone network operator.

discovery

Processes

com.ynnglklc.woezqex

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ynnglklc.woezqex/oakjategdd/fdfsydkqwkfhghs/base.apk.ggkiggf1.jul --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ynnglklc.woezqex/oakjategdd/fdfsydkqwkfhghs/oat/x86/base.apk.ggkiggf1.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/ndk_translation_program_runner_binfmt_misc /data/user/0/com.ynnglklc.woezqex/app_torfiles/tor /data/user/0/com.ynnglklc.woezqex/app_torfiles/tor -f /data/user/0/com.ynnglklc.woezqex/app_torfiles/torrc __OwningControllerProcess 4214

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.234:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
DE 178.254.20.134:443 tcp
US 128.31.0.39:9101 tcp
NL 80.127.137.19:443 tcp
SE 171.25.193.9:80 tcp
NL 188.166.133.133:9001 tcp
DE 212.227.150.117:443 tcp
GB 89.21.65.179:25565 tcp
US 15.204.220.109:8443 tcp
GB 89.21.65.179:25565 tcp
DE 212.227.150.117:443 tcp

Files

/data/data/com.ynnglklc.woezqex/oakjategdd/fdfsydkqwkfhghs/tmp-base.apk.ggkiggf3195936552692082975.jul

MD5 7c6eeb74983c954c94d5540a7ae81782
SHA1 dc20320b7081a854677f5a76ad62c009ded77cdf
SHA256 2604d2853ccadeb87653c77b6a7ed9c0bfe3979e0eca62793e798bae98ca3ce5
SHA512 dccaf3ac3f37e4cc5b6314412a2e52627bb6f1119bf6aab0a41ce83660b609f1b0b7aff368ab35bb5219599d13200e3ab513f99209ef1fe374b4ac9a7989e1c9

/data/user/0/com.ynnglklc.woezqex/oakjategdd/fdfsydkqwkfhghs/base.apk.ggkiggf1.jul

MD5 f341d6741c4318f6bf81b110609082d8
SHA1 f3a235582b64f344d62d67a682c52648f89a52c9
SHA256 1732f6fe3975f30924d26a3c0397ad0bd9aeb4026520e099dd19eb3af20295c9
SHA512 92039c81c5a06ef5cb702fec6177354a4299149eeea9e71b665028e5fbac11c33e378915ce9789c72f9092ca4bc3435c3121c55fe0f266cd80c28cbeb37ae841

/data/user/0/com.ynnglklc.woezqex/oakjategdd/fdfsydkqwkfhghs/base.apk.ggkiggf1.jul

MD5 fbeab66a16559727abc3451a5f546346
SHA1 89d7e87f2ea408214eaea41b21a27b646077e4fb
SHA256 ac1f79e1a9562252d127bf5897f629db09217990d704f1e099d84801058c3e74
SHA512 7b761d7ae3e9fb91849b22b1236751af2a7b2ca7d766a5b4a2b0e74b368060ee0c594aa29f09b065289f273adeffcc0d1923813f4ddb0715834ba9ea4b38e0e5

/data/data/com.ynnglklc.woezqex/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/data/com.ynnglklc.woezqex/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/data/com.ynnglklc.woezqex/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/data/com.ynnglklc.woezqex/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/data/com.ynnglklc.woezqex/app_torfiles/torrc

MD5 b34b60f551322f9cd451c60fb6d5cc75
SHA1 32e2f50d363669c01002054af7e6f1583c3e5acb
SHA256 e398014b78a893917c71a5d1fd2ebf857e321ddb2db963d41f21d334938cc430
SHA512 84a29285fac181d109273b270f84da5e6e19f0724e45c7bf86565c6114304233f6377c5af107ec7eb5e93325d0cae30c6ad85dd9c54393fe177a1f32581f0587

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-31 22:05

Reported

2024-03-31 22:08

Platform

android-x64-20240221-en

Max time kernel

153s

Max time network

138s

Command Line

com.ynnglklc.woezqex

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.ynnglklc.woezqex/oakjategdd/fdfsydkqwkfhghs/base.apk.ggkiggf1.jul N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Reads information about phone network operator.

discovery

Processes

com.ynnglklc.woezqex

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 216.58.212.228:443 tcp
GB 216.58.212.228:443 tcp

Files

/data/data/com.ynnglklc.woezqex/oakjategdd/fdfsydkqwkfhghs/tmp-base.apk.ggkiggf5317725939217373907.jul

MD5 7c6eeb74983c954c94d5540a7ae81782
SHA1 dc20320b7081a854677f5a76ad62c009ded77cdf
SHA256 2604d2853ccadeb87653c77b6a7ed9c0bfe3979e0eca62793e798bae98ca3ce5
SHA512 dccaf3ac3f37e4cc5b6314412a2e52627bb6f1119bf6aab0a41ce83660b609f1b0b7aff368ab35bb5219599d13200e3ab513f99209ef1fe374b4ac9a7989e1c9

/data/user/0/com.ynnglklc.woezqex/oakjategdd/fdfsydkqwkfhghs/base.apk.ggkiggf1.jul

MD5 f341d6741c4318f6bf81b110609082d8
SHA1 f3a235582b64f344d62d67a682c52648f89a52c9
SHA256 1732f6fe3975f30924d26a3c0397ad0bd9aeb4026520e099dd19eb3af20295c9
SHA512 92039c81c5a06ef5cb702fec6177354a4299149eeea9e71b665028e5fbac11c33e378915ce9789c72f9092ca4bc3435c3121c55fe0f266cd80c28cbeb37ae841

/data/data/com.ynnglklc.woezqex/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/data/com.ynnglklc.woezqex/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/data/com.ynnglklc.woezqex/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/data/com.ynnglklc.woezqex/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/data/com.ynnglklc.woezqex/app_torfiles/torrc

MD5 b34b60f551322f9cd451c60fb6d5cc75
SHA1 32e2f50d363669c01002054af7e6f1583c3e5acb
SHA256 e398014b78a893917c71a5d1fd2ebf857e321ddb2db963d41f21d334938cc430
SHA512 84a29285fac181d109273b270f84da5e6e19f0724e45c7bf86565c6114304233f6377c5af107ec7eb5e93325d0cae30c6ad85dd9c54393fe177a1f32581f0587

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-31 22:05

Reported

2024-03-31 22:08

Platform

android-x64-arm64-20240221-en

Max time kernel

148s

Max time network

152s

Command Line

com.ynnglklc.woezqex

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.ynnglklc.woezqex/oakjategdd/fdfsydkqwkfhghs/base.apk.ggkiggf1.jul N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Reads information about phone network operator.

discovery

Processes

com.ynnglklc.woezqex

Network

Country Destination Domain Proto
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.200.14:443 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 172.217.16.228:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp

Files

/data/user/0/com.ynnglklc.woezqex/oakjategdd/fdfsydkqwkfhghs/tmp-base.apk.ggkiggf3458681504403943621.jul

MD5 7c6eeb74983c954c94d5540a7ae81782
SHA1 dc20320b7081a854677f5a76ad62c009ded77cdf
SHA256 2604d2853ccadeb87653c77b6a7ed9c0bfe3979e0eca62793e798bae98ca3ce5
SHA512 dccaf3ac3f37e4cc5b6314412a2e52627bb6f1119bf6aab0a41ce83660b609f1b0b7aff368ab35bb5219599d13200e3ab513f99209ef1fe374b4ac9a7989e1c9

/data/user/0/com.ynnglklc.woezqex/oakjategdd/fdfsydkqwkfhghs/base.apk.ggkiggf1.jul

MD5 f341d6741c4318f6bf81b110609082d8
SHA1 f3a235582b64f344d62d67a682c52648f89a52c9
SHA256 1732f6fe3975f30924d26a3c0397ad0bd9aeb4026520e099dd19eb3af20295c9
SHA512 92039c81c5a06ef5cb702fec6177354a4299149eeea9e71b665028e5fbac11c33e378915ce9789c72f9092ca4bc3435c3121c55fe0f266cd80c28cbeb37ae841

/data/user/0/com.ynnglklc.woezqex/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/user/0/com.ynnglklc.woezqex/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/user/0/com.ynnglklc.woezqex/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/user/0/com.ynnglklc.woezqex/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/user/0/com.ynnglklc.woezqex/app_torfiles/torrc

MD5 b34b60f551322f9cd451c60fb6d5cc75
SHA1 32e2f50d363669c01002054af7e6f1583c3e5acb
SHA256 e398014b78a893917c71a5d1fd2ebf857e321ddb2db963d41f21d334938cc430
SHA512 84a29285fac181d109273b270f84da5e6e19f0724e45c7bf86565c6114304233f6377c5af107ec7eb5e93325d0cae30c6ad85dd9c54393fe177a1f32581f0587