Malware Analysis Report

2024-10-19 12:04

Sample ID 240401-j43y5ahc2s
Target 6cbd363526dfc8f906ab75d5565e5921_JaffaCakes118
SHA256 a02fdcfe2bb128d9a1614a3dfa94863f2e0cc565ede1548aa0f1ad348a979e0f
Tags
hydra banker collection discovery evasion infostealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a02fdcfe2bb128d9a1614a3dfa94863f2e0cc565ede1548aa0f1ad348a979e0f

Threat Level: Known bad

The file 6cbd363526dfc8f906ab75d5565e5921_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection discovery evasion infostealer trojan

Hydra

Hydra payload

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Looks up external IP address via web service

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Reads information about phone network operator.

Analysis: static1

Detonation Overview

Reported

2024-04-01 08:14

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-01 08:14

Reported

2024-04-01 08:16

Platform

android-x86-arm-20240221-en

Max time kernel

149s

Max time network

131s

Command Line

bubble.walk.marine

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/bubble.walk.marine/app_DynamicOptDex/bWlO.json | N/A | N/A
N/A | /data/user/0/bubble.walk.marine/app_DynamicOptDex/bWlO.json | N/A | N/A
N/A | /data/user/0/bubble.walk.marine/app_DynamicOptDex/bWlO.json | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

bubble.walk.marine

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/bubble.walk.marine/app_DynamicOptDex/bWlO.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/bubble.walk.marine/app_DynamicOptDex/oat/x86/bWlO.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.16.234:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.110.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp

Files

/data/data/bubble.walk.marine/app_DynamicOptDex/bWlO.json

/data/data/bubble.walk.marine/app_DynamicOptDex/bWlO.json

/data/user/0/bubble.walk.marine/app_DynamicOptDex/bWlO.json

/data/data/bubble.walk.marine/app_DynamicOptDex/oat/bWlO.json.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-01 08:14

Reported

2024-04-01 08:17

Platform

android-x64-20240221-en

Max time kernel

154s

Max time network

137s

Command Line

bubble.walk.marine

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/bubble.walk.marine/app_DynamicOptDex/bWlO.json | N/A | N/A
N/A | /data/user/0/bubble.walk.marine/app_DynamicOptDex/bWlO.json | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

bubble.walk.marine

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.110.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.178.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp

Files

/data/data/bubble.walk.marine/app_DynamicOptDex/bWlO.json

/data/data/bubble.walk.marine/app_DynamicOptDex/bWlO.json

/data/data/bubble.walk.marine/app_DynamicOptDex/oat/bWlO.json.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-01 08:14

Reported

2024-04-01 08:17

Platform

android-x64-arm64-20240221-en

Max time kernel

154s

Max time network

149s

Command Line

bubble.walk.marine

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/bubble.walk.marine/app_DynamicOptDex/bWlO.json | N/A | N/A
N/A | /data/user/0/bubble.walk.marine/app_DynamicOptDex/bWlO.json | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

bubble.walk.marine

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.200.42:443 | N/A | udp
GB | 142.250.178.14:443 | N/A | udp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.109.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp

Files

/data/user/0/bubble.walk.marine/app_DynamicOptDex/bWlO.json

/data/user/0/bubble.walk.marine/app_DynamicOptDex/bWlO.json