Malware Analysis Report

2024-10-19 12:04

Sample ID 240401-tcqvlahe22
Target 7433796ca18baa6386c024c07cace94f_JaffaCakes118
SHA256 6005f5569a6240c36f07de53438df1615ea6f000000fa5452d5a8870afe6336b
Tags
hydra banker collection discovery evasion infostealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

6005f5569a6240c36f07de53438df1615ea6f000000fa5452d5a8870afe6336b

Threat Level: Known bad

The file 7433796ca18baa6386c024c07cace94f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection discovery evasion infostealer trojan

Hydra

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Requests dangerous framework permissions

Looks up external IP address via web service

Reads information about phone network operator

Declares broadcast receivers with permission to handle system events

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-01 15:55

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-01 15:55

Reported

2024-04-01 15:57

Platform

android-x86-arm-20240221-en

Max time kernel

150s

Max time network

158s

Command Line

com.rgubyqbh.gsaqvdg

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.rgubyqbh.gsaqvdg/lkkkfkguhv/gmqrtsyhh8ugghz/base.apk.8ggyxzk1.dhl | N/A | N/A
N/A | /data/user/0/com.rgubyqbh.gsaqvdg/lkkkfkguhv/gmqrtsyhh8ugghz/base.apk.8ggyxzk1.dhl | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.rgubyqbh.gsaqvdg

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.rgubyqbh.gsaqvdg/lkkkfkguhv/gmqrtsyhh8ugghz/base.apk.8ggyxzk1.dhl --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.rgubyqbh.gsaqvdg/lkkkfkguhv/gmqrtsyhh8ugghz/oat/x86/base.apk.8ggyxzk1.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/ndk_translation_program_runner_binfmt_misc /data/user/0/com.rgubyqbh.gsaqvdg/app_torfiles/tor /data/user/0/com.rgubyqbh.gsaqvdg/app_torfiles/tor -f /data/user/0/com.rgubyqbh.gsaqvdg/app_torfiles/torrc __OwningControllerProcess 4177

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 192.187.124.98:9001 | N/A | tcp
AT | 86.59.21.38:443 | N/A | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
SK | 85.248.227.163:9001 | N/A | tcp
US | 173.52.94.197:9006 | N/A | tcp
DE | 185.220.101.192:8443 | N/A | tcp
FR | 94.23.76.52:8080 | N/A | tcp
DE | 185.220.101.192:8443 | N/A | tcp
FR | 94.23.76.52:8080 | N/A | tcp
US | 173.52.94.197:9006 | N/A | tcp

Files

/data/data/com.rgubyqbh.gsaqvdg/lkkkfkguhv/gmqrtsyhh8ugghz/tmp-base.apk.8ggyxzk4618750954851590125.dhl

MD5 d0388f8d150978dfb99e170c827811cd
SHA1 4cb3c915c7399eac49ecc9473bde97e56e115cd4
SHA256 64fed5ae067b305221c89570274f256c60613f54e7a1363a2b4a32b437abca3e
SHA512 52a6adea12ab4e832fa733e662bff7ff51349264270d3027c93b3d8c813192b62376e7343e7e588a8b5ebc4199d14c52ffad73106eb1610ea6daa20df69ecfca

/data/user/0/com.rgubyqbh.gsaqvdg/lkkkfkguhv/gmqrtsyhh8ugghz/base.apk.8ggyxzk1.dhl

MD5 0261e32bc7b98ade3bd6e333ef49ac04
SHA1 fc0a414ee26b6761b852893da06607f3d16e9a92
SHA256 be55953fb5c06e94d9dfe9372ee096fd09f32bbc58a0816caaae2667df79dae9
SHA512 09256a4965c51084bb0a00e522bb6361d9560332d42102ad499ffab586c21924edcd08635a46cf4d8c085003ee734f05d073795faa01c46738c7314830cfbbee

/data/user/0/com.rgubyqbh.gsaqvdg/lkkkfkguhv/gmqrtsyhh8ugghz/base.apk.8ggyxzk1.dhl

MD5 2ae096d579a04b8e8c1bda74fed3044d
SHA1 460faf07c6db051776f3e0db7ec5ff272899a867
SHA256 636f71ff33564a96c59fa4d8c231a496aed2a15e8fef225c5ce2ca8376f840d9
SHA512 8f4bd9e0c132227b9cd225f621cebceda69f2a305f27d225838c76f15b888ae8a624ff755dc80798913259b0b83265025584f73ab6ecfe867094a5c5b3f22ed9

/data/data/com.rgubyqbh.gsaqvdg/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/data/com.rgubyqbh.gsaqvdg/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/data/com.rgubyqbh.gsaqvdg/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/data/com.rgubyqbh.gsaqvdg/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/data/com.rgubyqbh.gsaqvdg/app_torfiles/torrc

MD5 e90cd627a8a93ef8318060eb6081d18e
SHA1 3243c3cd3797296829fc58037a752ffb04013c96
SHA256 c4a414cc573a7e89f29ca5a56ece958f70d470e7ce0da336d0faba4b0167da59
SHA512 7849975806d0b151ac2aad9c9099d63ed08dcf53cae9fcf0ed1c3cd033ef00eaaab2799527ee6739ab0695e261d51a5d681efd1eeca01a478dd2b55425ef37b3

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-01 15:55

Reported

2024-04-01 15:57

Platform

android-x64-20240221-en

Max time kernel

153s

Max time network

135s

Command Line

com.rgubyqbh.gsaqvdg

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.rgubyqbh.gsaqvdg/lkkkfkguhv/gmqrtsyhh8ugghz/base.apk.8ggyxzk1.dhl | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.rgubyqbh.gsaqvdg

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.178.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp

Files

/data/data/com.rgubyqbh.gsaqvdg/lkkkfkguhv/gmqrtsyhh8ugghz/tmp-base.apk.8ggyxzk3858608340169442139.dhl

MD5 d0388f8d150978dfb99e170c827811cd
SHA1 4cb3c915c7399eac49ecc9473bde97e56e115cd4
SHA256 64fed5ae067b305221c89570274f256c60613f54e7a1363a2b4a32b437abca3e
SHA512 52a6adea12ab4e832fa733e662bff7ff51349264270d3027c93b3d8c813192b62376e7343e7e588a8b5ebc4199d14c52ffad73106eb1610ea6daa20df69ecfca

/data/user/0/com.rgubyqbh.gsaqvdg/lkkkfkguhv/gmqrtsyhh8ugghz/base.apk.8ggyxzk1.dhl

MD5 0261e32bc7b98ade3bd6e333ef49ac04
SHA1 fc0a414ee26b6761b852893da06607f3d16e9a92
SHA256 be55953fb5c06e94d9dfe9372ee096fd09f32bbc58a0816caaae2667df79dae9
SHA512 09256a4965c51084bb0a00e522bb6361d9560332d42102ad499ffab586c21924edcd08635a46cf4d8c085003ee734f05d073795faa01c46738c7314830cfbbee

/data/data/com.rgubyqbh.gsaqvdg/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/data/com.rgubyqbh.gsaqvdg/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/data/com.rgubyqbh.gsaqvdg/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/data/com.rgubyqbh.gsaqvdg/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/data/com.rgubyqbh.gsaqvdg/app_torfiles/torrc

MD5 e90cd627a8a93ef8318060eb6081d18e
SHA1 3243c3cd3797296829fc58037a752ffb04013c96
SHA256 c4a414cc573a7e89f29ca5a56ece958f70d470e7ce0da336d0faba4b0167da59
SHA512 7849975806d0b151ac2aad9c9099d63ed08dcf53cae9fcf0ed1c3cd033ef00eaaab2799527ee6739ab0695e261d51a5d681efd1eeca01a478dd2b55425ef37b3

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-01 15:55

Reported

2024-04-01 15:57

Platform

android-x64-arm64-20240221-en

Max time kernel

153s

Max time network

134s

Command Line

com.rgubyqbh.gsaqvdg

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.rgubyqbh.gsaqvdg/lkkkfkguhv/gmqrtsyhh8ugghz/base.apk.8ggyxzk1.dhl | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.rgubyqbh.gsaqvdg

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | N/A | tcp
GB | 142.250.200.14:443 | N/A | tcp
GB | 142.250.200.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.180.10:443 | N/A | udp
GB | 216.58.213.14:443 | N/A | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.169.42:443 | N/A | tcp
GB | 172.217.169.42:443 | N/A | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 172.217.169.42:443 | N/A | tcp

Files

/data/user/0/com.rgubyqbh.gsaqvdg/lkkkfkguhv/gmqrtsyhh8ugghz/tmp-base.apk.8ggyxzk4265119391862364069.dhl

MD5 d0388f8d150978dfb99e170c827811cd
SHA1 4cb3c915c7399eac49ecc9473bde97e56e115cd4
SHA256 64fed5ae067b305221c89570274f256c60613f54e7a1363a2b4a32b437abca3e
SHA512 52a6adea12ab4e832fa733e662bff7ff51349264270d3027c93b3d8c813192b62376e7343e7e588a8b5ebc4199d14c52ffad73106eb1610ea6daa20df69ecfca

/data/user/0/com.rgubyqbh.gsaqvdg/lkkkfkguhv/gmqrtsyhh8ugghz/base.apk.8ggyxzk1.dhl

MD5 0261e32bc7b98ade3bd6e333ef49ac04
SHA1 fc0a414ee26b6761b852893da06607f3d16e9a92
SHA256 be55953fb5c06e94d9dfe9372ee096fd09f32bbc58a0816caaae2667df79dae9
SHA512 09256a4965c51084bb0a00e522bb6361d9560332d42102ad499ffab586c21924edcd08635a46cf4d8c085003ee734f05d073795faa01c46738c7314830cfbbee

/data/user/0/com.rgubyqbh.gsaqvdg/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/user/0/com.rgubyqbh.gsaqvdg/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/user/0/com.rgubyqbh.gsaqvdg/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/user/0/com.rgubyqbh.gsaqvdg/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/user/0/com.rgubyqbh.gsaqvdg/app_torfiles/torrc

MD5 e90cd627a8a93ef8318060eb6081d18e
SHA1 3243c3cd3797296829fc58037a752ffb04013c96
SHA256 c4a414cc573a7e89f29ca5a56ece958f70d470e7ce0da336d0faba4b0167da59
SHA512 7849975806d0b151ac2aad9c9099d63ed08dcf53cae9fcf0ed1c3cd033ef00eaaab2799527ee6739ab0695e261d51a5d681efd1eeca01a478dd2b55425ef37b3

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-01 15:55

Reported

2024-04-01 15:55

Platform

android-x86-arm-20240221-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-01 15:55

Reported

2024-04-01 15:55

Platform

android-x64-20240221-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-01 15:55

Reported

2024-04-01 15:55

Platform

android-x64-arm64-20240221-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.212.238:443 | N/A | udp

Files

N/A