Malware Analysis Report

2024-10-19 12:04

Sample ID 240331-e4akcsdg51
Target 4d1d88ed96379c4b6b72b7f3f1727a97_JaffaCakes118
SHA256 ea6058517e957895fbd3c26cac63013df3442ceea289123c7afd4bd0b24bea82
Tags
hydra banker collection discovery evasion infostealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ea6058517e957895fbd3c26cac63013df3442ceea289123c7afd4bd0b24bea82

Threat Level: Known bad

The file 4d1d88ed96379c4b6b72b7f3f1727a97_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection discovery evasion infostealer trojan

Hydra

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Looks up external IP address via web service

Reads information about phone network operator

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-31 04:29

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-31 04:29

Reported

2024-03-31 04:31

Platform

android-x86-arm-20240221-en

Max time kernel

150s

Max time network

158s

Command Line

com.yfaehapg.yctcscs

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.yfaehapg.yctcscs/fjjlykjjgn/gjcdvqcbjylfogy/base.apk.ycb8ysz1.gfm | N/A | N/A
N/A | /data/user/0/com.yfaehapg.yctcscs/fjjlykjjgn/gjcdvqcbjylfogy/base.apk.ycb8ysz1.gfm | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.yfaehapg.yctcscs

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yfaehapg.yctcscs/fjjlykjjgn/gjcdvqcbjylfogy/base.apk.ycb8ysz1.gfm --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.yfaehapg.yctcscs/fjjlykjjgn/gjcdvqcbjylfogy/oat/x86/base.apk.ycb8ysz1.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/ndk_translation_program_runner_binfmt_misc /data/user/0/com.yfaehapg.yctcscs/app_torfiles/tor /data/user/0/com.yfaehapg.yctcscs/app_torfiles/tor -f /data/user/0/com.yfaehapg.yctcscs/app_torfiles/torrc __OwningControllerProcess 4464

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
FR | 188.165.194.195:9001 | | tcp
DE | 131.188.40.189:443 | | tcp
DE | 134.119.3.164:9001 | | tcp
DE | 37.200.98.5:443 | | tcp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
FR | 45.145.166.104:9000 | | tcp
NL | 185.91.127.132:443 | | tcp
ES | 212.227.169.190:443 | | tcp
NL | 185.91.127.132:443 | | tcp
FR | 45.145.166.104:9000 | | tcp

Files

/data/data/com.yfaehapg.yctcscs/fjjlykjjgn/gjcdvqcbjylfogy/tmp-base.apk.ycb8ysz259719799765418154.gfm

MD5 4d2c8e9bad4cad0555494fb99cf17226
SHA1 386cbe6fdb5730e03f4fefe56bc10db18c09d481
SHA256 f82738522ff529663f1aa8bfcaf3a974fdf6c31eb12a69edfc688a48de5fb6f9
SHA512 08aa504a407d22b4e0f7b27854da7f51eb8c78155a949eb1afa04b5055b050dcac9db0f91535166904a5a1471c16081260899e4e3551937c14e240aad87970a1

/data/user/0/com.yfaehapg.yctcscs/fjjlykjjgn/gjcdvqcbjylfogy/base.apk.ycb8ysz1.gfm

MD5 9a1cebed6c7ebb3a7d342d0c824ef970
SHA1 b7dc8f9fa877419be9293fb2182cfb62ba1e9cbf
SHA256 b8f3812e2732887e778b8a9b75c703d07cdb9249a4cf0d73854738678c351c43
SHA512 37f76306fee1f30d06bbc60cf6ed47d228754f3df781386ccbd3ea5e010867b9d25f0efdb5c33cef57c6b0957c428092e2f835a50f1b62d7e3ebf93ef3cc4743

/data/user/0/com.yfaehapg.yctcscs/fjjlykjjgn/gjcdvqcbjylfogy/base.apk.ycb8ysz1.gfm

MD5 0e37032da74677210762e09b7693973f
SHA1 bbdb32e9f64dfd45cfb71fe47a8521617d05e4ed
SHA256 f953cd47bf9481daa55367af24b79352be1923f8502043f395976596e108e4bd
SHA512 cb68a1dfa2527140adc0bceb21317c9eb8adee409dc5ff3c3b5dba60247d631e2885422400f35d8148df185d95d3fd2528b79e23ec1740f74338e88d14d7828b

/data/data/com.yfaehapg.yctcscs/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/data/com.yfaehapg.yctcscs/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/data/com.yfaehapg.yctcscs/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/data/com.yfaehapg.yctcscs/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/data/com.yfaehapg.yctcscs/app_torfiles/torrc

MD5 3daf1caef7a8df093889fe00cb0aa795
SHA1 9747c23959b2ca157a9fd798f88afe2e6bdee515
SHA256 dbd0fe0b3d273c97a2633e6beb90ddc0a7ae953aecc62952e1b0ff16d87f9a47
SHA512 b722c493e11f0e7603878042ee9fcd081453d49ff89ff5246c002a49382e75eb0f07f2e55a7511a1a6c3fe614bc16c48603a4d43a0995a2b7b917d982978b82c

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-31 04:29

Reported

2024-03-31 04:31

Platform

android-x64-20240221-en

Max time kernel

153s

Max time network

134s

Command Line

com.yfaehapg.yctcscs

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.yfaehapg.yctcscs/fjjlykjjgn/gjcdvqcbjylfogy/base.apk.ycb8ysz1.gfm | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.yfaehapg.yctcscs

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/data/com.yfaehapg.yctcscs/fjjlykjjgn/gjcdvqcbjylfogy/tmp-base.apk.ycb8ysz3490325905722096153.gfm

MD5 4d2c8e9bad4cad0555494fb99cf17226
SHA1 386cbe6fdb5730e03f4fefe56bc10db18c09d481
SHA256 f82738522ff529663f1aa8bfcaf3a974fdf6c31eb12a69edfc688a48de5fb6f9
SHA512 08aa504a407d22b4e0f7b27854da7f51eb8c78155a949eb1afa04b5055b050dcac9db0f91535166904a5a1471c16081260899e4e3551937c14e240aad87970a1

/data/user/0/com.yfaehapg.yctcscs/fjjlykjjgn/gjcdvqcbjylfogy/base.apk.ycb8ysz1.gfm

MD5 9a1cebed6c7ebb3a7d342d0c824ef970
SHA1 b7dc8f9fa877419be9293fb2182cfb62ba1e9cbf
SHA256 b8f3812e2732887e778b8a9b75c703d07cdb9249a4cf0d73854738678c351c43
SHA512 37f76306fee1f30d06bbc60cf6ed47d228754f3df781386ccbd3ea5e010867b9d25f0efdb5c33cef57c6b0957c428092e2f835a50f1b62d7e3ebf93ef3cc4743

/data/data/com.yfaehapg.yctcscs/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/data/com.yfaehapg.yctcscs/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/data/com.yfaehapg.yctcscs/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/data/com.yfaehapg.yctcscs/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/data/com.yfaehapg.yctcscs/app_torfiles/torrc

MD5 3daf1caef7a8df093889fe00cb0aa795
SHA1 9747c23959b2ca157a9fd798f88afe2e6bdee515
SHA256 dbd0fe0b3d273c97a2633e6beb90ddc0a7ae953aecc62952e1b0ff16d87f9a47
SHA512 b722c493e11f0e7603878042ee9fcd081453d49ff89ff5246c002a49382e75eb0f07f2e55a7511a1a6c3fe614bc16c48603a4d43a0995a2b7b917d982978b82c

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-31 04:29

Reported

2024-03-31 04:32

Platform

android-x64-arm64-20240221-en

Max time kernel

153s

Max time network

145s

Command Line

com.yfaehapg.yctcscs

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.yfaehapg.yctcscs/fjjlykjjgn/gjcdvqcbjylfogy/base.apk.ycb8ysz1.gfm | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.yfaehapg.yctcscs

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.74:443 | | udp
GB | 216.58.213.14:443 | | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 172.217.169.4:443 | | tcp
GB | 172.217.169.4:443 | | tcp

Files

/data/user/0/com.yfaehapg.yctcscs/fjjlykjjgn/gjcdvqcbjylfogy/tmp-base.apk.ycb8ysz282854573388930538.gfm

MD5 4d2c8e9bad4cad0555494fb99cf17226
SHA1 386cbe6fdb5730e03f4fefe56bc10db18c09d481
SHA256 f82738522ff529663f1aa8bfcaf3a974fdf6c31eb12a69edfc688a48de5fb6f9
SHA512 08aa504a407d22b4e0f7b27854da7f51eb8c78155a949eb1afa04b5055b050dcac9db0f91535166904a5a1471c16081260899e4e3551937c14e240aad87970a1

/data/user/0/com.yfaehapg.yctcscs/fjjlykjjgn/gjcdvqcbjylfogy/base.apk.ycb8ysz1.gfm

MD5 9a1cebed6c7ebb3a7d342d0c824ef970
SHA1 b7dc8f9fa877419be9293fb2182cfb62ba1e9cbf
SHA256 b8f3812e2732887e778b8a9b75c703d07cdb9249a4cf0d73854738678c351c43
SHA512 37f76306fee1f30d06bbc60cf6ed47d228754f3df781386ccbd3ea5e010867b9d25f0efdb5c33cef57c6b0957c428092e2f835a50f1b62d7e3ebf93ef3cc4743

/data/user/0/com.yfaehapg.yctcscs/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/user/0/com.yfaehapg.yctcscs/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/user/0/com.yfaehapg.yctcscs/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/user/0/com.yfaehapg.yctcscs/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/user/0/com.yfaehapg.yctcscs/app_torfiles/torrc

MD5 3daf1caef7a8df093889fe00cb0aa795
SHA1 9747c23959b2ca157a9fd798f88afe2e6bdee515
SHA256 dbd0fe0b3d273c97a2633e6beb90ddc0a7ae953aecc62952e1b0ff16d87f9a47
SHA512 b722c493e11f0e7603878042ee9fcd081453d49ff89ff5246c002a49382e75eb0f07f2e55a7511a1a6c3fe614bc16c48603a4d43a0995a2b7b917d982978b82c