Malware Analysis Report

2024-10-19 12:04

Sample ID 240401-a5py8agg4v
Target 62f4503a057e5ca47e53523b4369dcab_JaffaCakes118
SHA256 5c128cfee50059349b9b155c417e3950aaf292f4a9098e1b6748524e5fdfa6de
Tags: hydra banker collection discovery evasion infostealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 5c128cfee50059349b9b155c417e3950aaf292f4a9098e1b6748524e5fdfa6de

Threat Level: Known bad

The file 62f4503a057e5ca47e53523b4369dcab_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection discovery evasion infostealer trojan

Hydra

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Reads information about phone network operator

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Looks up external IP address via web service

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-01 00:47

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-01 00:47

Reported

2024-04-01 00:50

Platform

android-x86-arm-20240221-en

Max time kernel

150s

Max time network

157s

Command Line

com.djbfrpkx.zztpisr

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.djbfrpkx.zztpisr/gonedqkwqg/fygbkbghxy8kngz/base.apk.oucz8ch1.nhl | N/A | N/A
N/A | /data/user/0/com.djbfrpkx.zztpisr/gonedqkwqg/fygbkbghxy8kngz/base.apk.oucz8ch1.nhl | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.djbfrpkx.zztpisr

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.djbfrpkx.zztpisr/gonedqkwqg/fygbkbghxy8kngz/base.apk.oucz8ch1.nhl --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.djbfrpkx.zztpisr/gonedqkwqg/fygbkbghxy8kngz/oat/x86/base.apk.oucz8ch1.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/ndk_translation_program_runner_binfmt_misc /data/user/0/com.djbfrpkx.zztpisr/app_torfiles/tor /data/user/0/com.djbfrpkx.zztpisr/app_torfiles/tor -f /data/user/0/com.djbfrpkx.zztpisr/app_torfiles/torrc __OwningControllerProcess 4232

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
NL | 178.62.197.82:443 | N/A | tcp
NL | 194.109.206.212:443 | N/A | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
RO | 109.163.234.5:443 | N/A | tcp
FR | 163.172.149.122:443 | N/A | tcp
DE | 131.188.40.189:443 | N/A | tcp
ES | 82.223.21.74:9001 | N/A | tcp
ES | 82.223.21.74:9001 | N/A | tcp
DE | 88.216.223.2:143 | N/A | tcp
DE | 194.163.182.63:443 | N/A | tcp
CA | 149.56.126.142:9001 | N/A | tcp
DE | 88.216.223.2:143 | N/A | tcp
DE | 194.163.182.63:443 | N/A | tcp

Files

/data/data/com.djbfrpkx.zztpisr/gonedqkwqg/fygbkbghxy8kngz/tmp-base.apk.oucz8ch1730175887102871214.nhl

MD5 a9362c9b34107f09ace58ac354587b8a
SHA1 893fd8e426c0064a726557ee46ff4d143f1e1a9b
SHA256 9b39477aae10d5ef4bd8f8db3a53146c4bf8c42d2dd0b19a7db65ee0498a1cc6
SHA512 60404d44f59fa7319ad728865767adfdf090e5d55a9f230839a11d827fa936cf1574168e77839baacd49f87034eb825643e0ccd61706b9f23f546c81e711a442

/data/user/0/com.djbfrpkx.zztpisr/gonedqkwqg/fygbkbghxy8kngz/base.apk.oucz8ch1.nhl

MD5 fe77d7a326514a9ce2ee31079cb70be5
SHA1 3a58a25512d740960ae2c91db08a485213c9d009
SHA256 1cbd1f3c7331e13ffbb848f0fc62ccd8a18940c1072416150fd426cee3d11145
SHA512 4796013663c07c9b695466d9ab4d953a9eccc7f31358b265dc5d0dfcabaa8cf8fbc580cbd75dc0c2596aa6bfaa9190c89f0cdee42a71e18bd7caa0f092df29b3

/data/user/0/com.djbfrpkx.zztpisr/gonedqkwqg/fygbkbghxy8kngz/base.apk.oucz8ch1.nhl

MD5 310f4ce4acb9ee322f3e6833a53e07d3
SHA1 f53ef83d2fb02b664ea73fd8373184d30039bc14
SHA256 241b699e7ae51a2343e4e685e5367412d401c272123de35c70a135f626b553dd
SHA512 75cc360bf7fbc547642c5e1ef182dcc39a246b99e160ecd13885203eef6d8ce2122febd1a0a1705dbfb1b0664c808173902203f614e27eedea37e9f69d71db52

/data/data/com.djbfrpkx.zztpisr/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/data/com.djbfrpkx.zztpisr/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/data/com.djbfrpkx.zztpisr/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/data/com.djbfrpkx.zztpisr/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/data/com.djbfrpkx.zztpisr/app_torfiles/torrc

MD5 4838a7df7ca200671ce7508378fb4636
SHA1 71dbaea0b6911dd124661aa3bbc94e74c2fef2fc
SHA256 51d9bab6794c7226b53bd7b6db3b35b7955ac94afd53930b9dd15d5e76c076bd
SHA512 185e0b4559150bb4d32122ea5944e37d72f8dacf7d159d3d0fdd8f758eb32b9b29f8a228ccab3a0ba5efa7c800a9b602d1b677ebe57ec8b5bcab6355caac7fdd

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-01 00:47

Reported

2024-04-01 00:51

Platform

android-x64-20240221-en

Max time network

182s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.206:443 | N/A | tcp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 142.250.187.196:443 | N/A | tcp
GB | 142.250.187.196:443 | N/A | tcp
BE | 173.194.76.188:5228 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 108.177.15.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.200.14:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.169.36:443 | www.google.com | tcp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | tcp
US | 1.1.1.1:53 | mqaqgribbhp | udp
US | 1.1.1.1:53 | wknzavp | udp
US | 1.1.1.1:53 | pcxzxgztc | udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-01 00:47

Reported

2024-04-01 00:50

Platform

android-x64-arm64-20240221-en

Max time kernel

148s

Max time network

150s

Command Line

com.djbfrpkx.zztpisr

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.djbfrpkx.zztpisr/gonedqkwqg/fygbkbghxy8kngz/base.apk.oucz8ch1.nhl | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.djbfrpkx.zztpisr

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.200.42:443 | N/A | udp
GB | 142.250.178.14:443 | N/A | udp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp

Files

/data/user/0/com.djbfrpkx.zztpisr/gonedqkwqg/fygbkbghxy8kngz/tmp-base.apk.oucz8ch7429527188445986944.nhl

MD5 a9362c9b34107f09ace58ac354587b8a
SHA1 893fd8e426c0064a726557ee46ff4d143f1e1a9b
SHA256 9b39477aae10d5ef4bd8f8db3a53146c4bf8c42d2dd0b19a7db65ee0498a1cc6
SHA512 60404d44f59fa7319ad728865767adfdf090e5d55a9f230839a11d827fa936cf1574168e77839baacd49f87034eb825643e0ccd61706b9f23f546c81e711a442

/data/user/0/com.djbfrpkx.zztpisr/gonedqkwqg/fygbkbghxy8kngz/base.apk.oucz8ch1.nhl

MD5 fe77d7a326514a9ce2ee31079cb70be5
SHA1 3a58a25512d740960ae2c91db08a485213c9d009
SHA256 1cbd1f3c7331e13ffbb848f0fc62ccd8a18940c1072416150fd426cee3d11145
SHA512 4796013663c07c9b695466d9ab4d953a9eccc7f31358b265dc5d0dfcabaa8cf8fbc580cbd75dc0c2596aa6bfaa9190c89f0cdee42a71e18bd7caa0f092df29b3

/data/user/0/com.djbfrpkx.zztpisr/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/user/0/com.djbfrpkx.zztpisr/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/user/0/com.djbfrpkx.zztpisr/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/user/0/com.djbfrpkx.zztpisr/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/user/0/com.djbfrpkx.zztpisr/app_torfiles/torrc

MD5 4838a7df7ca200671ce7508378fb4636
SHA1 71dbaea0b6911dd124661aa3bbc94e74c2fef2fc
SHA256 51d9bab6794c7226b53bd7b6db3b35b7955ac94afd53930b9dd15d5e76c076bd
SHA512 185e0b4559150bb4d32122ea5944e37d72f8dacf7d159d3d0fdd8f758eb32b9b29f8a228ccab3a0ba5efa7c800a9b602d1b677ebe57ec8b5bcab6355caac7fdd