Malware Analysis Report

2024-10-19 12:04

Sample ID 240402-jpac9sbc7s
Target 86bb307f9ba9c1682f51f815291af8ee_JaffaCakes118
SHA256 31c48d66728074af59cc9a818cff654297543bcc67fe11b17a0b22b0abd22680
Tags: hydra banker collection discovery evasion infostealer trojan

Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 31c48d66728074af59cc9a818cff654297543bcc67fe11b17a0b22b0abd22680

Threat Level: Known bad

The file 86bb307f9ba9c1682f51f815291af8ee_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection discovery evasion infostealer trojan

Hydra

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Looks up external IP address via web service

Reads information about phone network operator

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-04-02 07:50

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
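The three static signatures above describe one pattern rather than eight separate findings: a service bound with BIND_ACCESSIBILITY_SERVICE lets the app read and act on other apps' screens, SYSTEM_ALERT_WINDOW lets it draw phishing overlays on top of them, and RECEIVE_SMS/READ_SMS let it intercept one-time codes; BIND_DEVICE_ADMIN adds uninstall resistance. The Python below is an added example, not part of the sandbox report, that pulls this combination out of a decoded manifest. It assumes a plain-text AndroidManifest.xml (the manifest inside an APK is binary AXML; decode it first with apktool or androguard), and the sample manifest is constructed from the permissions listed above with hypothetical component names (.AccService, .AdminReceiver) and an assumed INTERNET permission.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for android:* attributes

# Runtime ("dangerous") permissions flagged in the static1 signature table,
# with what a banker typically does with each.
DANGEROUS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP theft)",
    "android.permission.READ_SMS": "read the SMS store",
    "android.permission.SEND_SMS": "send SMS from the victim's number",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    "android.permission.READ_CONTACTS": "harvest contacts for spreading",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further packages",
    "android.permission.CALL_PHONE": "place calls without confirmation",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to shared storage",
}

# Signature-level permissions a component declares so only the system can bind it.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
}

# Constructed sample manifest (not the sample's real manifest); component names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.bvropigp.scuowtq">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the dangerous permissions, system-bound components and whether
    the accessibility + overlay + SMS banker pattern is present."""
    root = ET.fromstring(xml_text)

    dangerous = [
        el.get(A + "name")
        for el in root.iter("uses-permission")
        if el.get(A + "name") in DANGEROUS
    ]

    bound = []
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(A + "permission")
            if perm in BIND_PERMS:
                bound.append((tag, comp.get(A + "name"), perm))
    bound_perms = {perm for _, _, perm in bound}

    # All three capabilities together is the overlay-banker signature;
    # any one of them alone is common in legitimate apps.
    banker_pattern = (
        "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound_perms
        and "android.permission.SYSTEM_ALERT_WINDOW" in dangerous
        and bool({"android.permission.RECEIVE_SMS",
                  "android.permission.READ_SMS"} & set(dangerous))
    )

    return {
        "package": root.get("package"),
        "dangerous": dangerous,
        "bound_components": bound,
        "banker_pattern": banker_pattern,
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for name in result["dangerous"]:
        print(f"{name}: {DANGEROUS[name]}")
    print("banker pattern:", result["banker_pattern"])
```

The check deliberately keys on the bound component's permission rather than on the service's intent filter, because a malicious accessibility service can still be registered with a minimal filter; a device-admin receiver that is merely declared but never activated by the user is still worth flagging since the sample can prompt for activation later.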

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-02 07:50
Reported: 2024-04-02 07:52
Platform: android-x86-arm-20240221-en
Max time kernel: 150s
Max time network: 158s

Command Line

com.bvropigp.scuowtq

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.bvropigp.scuowtq/qmfcjyisyf/ahdhpygjkky8ksa/base.apk.uyuehfm1.rhh N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Reads information about phone network operator

discovery

Processes

com.bvropigp.scuowtq

/system/bin/ndk_translation_program_runner_binfmt_misc /data/user/0/com.bvropigp.scuowtq/app_torfiles/tor /data/user/0/com.bvropigp.scuowtq/app_torfiles/tor -f /data/user/0/com.bvropigp.scuowtq/app_torfiles/torrc __OwningControllerProcess 4186

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
CA 204.11.50.131:9001 tcp
US 128.31.0.39:9101 tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
SE 178.16.208.59:443 tcp
FR 51.255.41.65:9001 tcp
NL 194.109.206.212:443 tcp
SE 178.16.208.60:443 tcp
CZ 46.28.110.244:443 tcp
AT 86.59.21.38:443 tcp
FR 37.187.22.87:9001 tcp
DE 142.132.204.165:4080 tcp
FI 95.216.19.41:9030 tcp
SE 98.128.175.45:443 tcp
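The Processes entry above shows the app starting a bundled tor binary from app_torfiles with its own torrc (ndk_translation_program_runner_binfmt_misc is the sandbox's ARM-to-x86 translation layer on the android-x86-arm platform), and the Network table is consistent with that client bootstrapping: TCP connections to the ORPorts of Tor directory authorities (128.31.0.39:9101, 86.59.21.38:443, 194.109.206.212:443) and to relays on the default ORPort/DirPort pair 9001/9030. Anything the sample talks to over Tor will not appear in this table, so the rows that can be acted on directly are the ip-api.com external-IP lookup and the bootstrap itself; note that the two x64 runs (behavioral2, behavioral3) show neither a tor process nor relay traffic. The Python below is an added example, not part of the report, that tags the rows this way. The rows are copied from the table above, the authority endpoints are an assumption about the addresses present in tor's directory-authority list at report time (refresh them from the tor source's auth_dirs.inc before relying on them), and the tag names are mine.

```python
import ipaddress

# Copied from the behavioral1 Network table: country, destination, optional domain, proto.
SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
CA 204.11.50.131:9001 tcp
US 128.31.0.39:9101 tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
SE 178.16.208.59:443 tcp
FR 51.255.41.65:9001 tcp
NL 194.109.206.212:443 tcp
SE 178.16.208.60:443 tcp
CZ 46.28.110.244:443 tcp
AT 86.59.21.38:443 tcp
FR 37.187.22.87:9001 tcp
DE 142.132.204.165:4080 tcp
FI 95.216.19.41:9030 tcp
SE 98.128.175.45:443 tcp
"""

IP_LOOKUP_SERVICES = {"ip-api.com"}

# ORPort endpoints of Tor directory authorities as assumed for the report date
# (moria1, tor26, dizum). Assumption: refresh from tor's auth_dirs.inc.
TOR_AUTHORITIES = {
    ("128.31.0.39", 9101),
    ("86.59.21.38", 443),
    ("194.109.206.212", 443),
}
TOR_DEFAULT_PORTS = {9001, 9030}  # default ORPort / DirPort; weak on their own


def parse_row(line):
    """Split one table row; the domain column is absent for direct-IP rows."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unparseable row: {line!r}")
    host, port = dest.rsplit(":", 1)
    return {"country": country, "ip": host, "port": int(port),
            "domain": domain, "proto": proto}


def classify(row):
    """Tag a row: sandbox/resolver noise, external-IP lookup, Tor bootstrap."""
    tags = set()
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_multicast or row["port"] == 53:
        tags.add("infra")  # mDNS and DNS resolver traffic, not a C2 indicator
    if row["domain"] in IP_LOOKUP_SERVICES:
        tags.add("ip_lookup")
    if (row["ip"], row["port"]) in TOR_AUTHORITIES:
        tags.add("tor_authority")  # strong: only a Tor client fetches the consensus here
    elif row["proto"] == "tcp" and row["port"] in TOR_DEFAULT_PORTS:
        tags.add("tor_port")  # weaker: relays on the default ports
    if row["domain"] and row["domain"].endswith("google.com"):
        tags.add("google")
    return tags


def summarize(table):
    """Count tags across all rows of a table."""
    counts = {}
    for line in table.strip().splitlines():
        for tag in classify(parse_row(line)):
            counts[tag] = counts.get(tag, 0) + 1
    return counts


def tor_bootstrap_likely(table):
    """Authority contact plus at least one relay-port connection."""
    counts = summarize(table)
    return counts.get("tor_authority", 0) >= 1 and counts.get("tor_port", 0) >= 1


if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
    print("tor bootstrap:", tor_bootstrap_likely(SAMPLE_ROWS))
```

A production version would replace the hardcoded authority set with the current consensus (or a relay-search export) and match every destination against known relay fingerprints, which also covers the 443 connections to relays that this heuristic leaves untagged.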

Files

/data/data/com.bvropigp.scuowtq/qmfcjyisyf/ahdhpygjkky8ksa/tmp-base.apk.uyuehfm7664543430473666192.rhh

MD5 ce32660aea9bb6df5334df6c1b23e9db
SHA1 18636d7d371b2055b92412c5b0a46a0cf9115ec4
SHA256 8d4038e0b3b633866235d51d87bb48e61d501d9b657736a9add75e76478eab3b
SHA512 88a88527e60789e1d9e0427f7f0be5ef885eef45388b8524dad631fa64f57cfc85f8fb31f1b5a6128c409514b9a3cc893af92a45de3578dd63bc6f1ea0ac2df1

/data/user/0/com.bvropigp.scuowtq/qmfcjyisyf/ahdhpygjkky8ksa/base.apk.uyuehfm1.rhh

MD5 913a35f4d27a6145854a32f33fff4fe5
SHA1 7abf0bae19c7c2c9bae05a50311ad1b707f1ed2a
SHA256 e5e662e7d4e75cadd70a62323a0b417662281ceeac0b948bf68e1c4bed4c3835
SHA512 f396762928ee6df352c1027f2782fda1c6eb4df7531c7f0889777f05da7e21692469079f8e0f79056f52c0d84018b7175eadf02be325fb9788db5fb64fdb2741

/data/data/com.bvropigp.scuowtq/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/data/com.bvropigp.scuowtq/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/data/com.bvropigp.scuowtq/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/data/com.bvropigp.scuowtq/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/data/com.bvropigp.scuowtq/app_torfiles/torrc

MD5 b382b1ca748d0cda4e85eaf998bf743e
SHA1 fe973ca086b7344e7f4b88c665002d4dcc130e77
SHA256 129a19c7db43da90d5bcfeeae9346eff7fcc6e55e55fc3ab28284a9f0c592179
SHA512 f5c3168536ad66f053e1a5eb1f0d44eb352c8c94fda1d66168771ccebf8b4032d19ccf783d865b20c631e23f359239f41f1939d1269e937c58da11c4d31a74dc
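The "Loads dropped Dex/Jar" signature in this run points at base.apk.uyuehfm1.rhh under the app's private directory, listed above with its hashes. The .rhh extension carries no information, so the first step after pulling the file from the sandbox is to identify it by magic bytes and, if it is DEX, to confirm the header is internally consistent: a correctly decrypted DEX carries a valid adler32 checksum and SHA-1 signature, while a still-encrypted or truncated blob fails both and needs the unpacking routine traced instead. The Python below is an added example, not part of the report or of the sample. The minimal DEX header it builds is constructed (an empty, well-formed header with no classes), and REPORT_SHA256 is the SHA256 the report lists for base.apk.uyuehfm1.rhh so an analyst can confirm they hold the same artifact.

```python
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70  # fixed header length in every DEX version

# SHA256 of base.apk.uyuehfm1.rhh from the Files table above.
REPORT_SHA256 = "e5e662e7d4e75cadd70a62323a0b417662281ceeac0b948bf68e1c4bed4c3835"


def sniff(data):
    """Classify a blob by magic bytes, ignoring its (random) extension."""
    if data[:4] == b"dex\n":
        return "dex"
    if data[:4] == b"PK\x03\x04":
        return "zip"  # APK and JAR are ZIP containers
    if data[:4] == b"\x7fELF":
        return "elf"
    return "unknown"


def parse_dex_header(data):
    """Parse the DEX header and verify its two integrity fields:
    checksum  = adler32 over everything after the checksum field (offset 12),
    signature = SHA-1 over everything after the signature field (offset 32)."""
    if len(data) < DEX_HEADER_SIZE or data[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    version = data[4:7].decode("ascii")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    string_ids_size, string_ids_off = struct.unpack_from("<II", data, 0x38)
    return {
        "version": version,
        "file_size": file_size,
        "header_size": header_size,
        "little_endian": endian_tag == 0x12345678,
        "string_ids_size": string_ids_size,
        "string_ids_off": string_ids_off,
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(data[32:]).digest() == signature,
        "size_ok": file_size == len(data),
    }


def build_minimal_dex():
    """Constructed sample: a well-formed DEX header with no classes.
    Signature is filled first (it is covered by the checksum), then checksum."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", hdr, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678)
    hdr[12:32] = hashlib.sha1(bytes(hdr[32:])).digest()
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)


def matches_report(data, expected_sha256=REPORT_SHA256):
    """True when the file on disk is the artifact the report hashed."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


if __name__ == "__main__":
    sample = build_minimal_dex()
    print(sniff(sample), parse_dex_header(sample))
    print("matches report artifact:", matches_report(sample))
```

Run sniff() over every file the sandbox dropped, not only the one the signature names: the tmp-base.apk.*.rhh files above share one SHA256 across all three runs and are the staging copy written before the loaded file, so comparing the two on disk shows whether the loader transforms the payload in place.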

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-02 07:50
Reported: 2024-04-02 07:52
Platform: android-x64-20240221-en
Max time kernel: 153s
Max time network: 135s

Command Line

com.bvropigp.scuowtq

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.bvropigp.scuowtq/qmfcjyisyf/ahdhpygjkky8ksa/base.apk.uyuehfm1.rhh N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Reads information about phone network operator

discovery

Processes

com.bvropigp.scuowtq

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 142.250.187.195:443 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp

Files

/data/data/com.bvropigp.scuowtq/qmfcjyisyf/ahdhpygjkky8ksa/tmp-base.apk.uyuehfm7919025957512171606.rhh

MD5 ce32660aea9bb6df5334df6c1b23e9db
SHA1 18636d7d371b2055b92412c5b0a46a0cf9115ec4
SHA256 8d4038e0b3b633866235d51d87bb48e61d501d9b657736a9add75e76478eab3b
SHA512 88a88527e60789e1d9e0427f7f0be5ef885eef45388b8524dad631fa64f57cfc85f8fb31f1b5a6128c409514b9a3cc893af92a45de3578dd63bc6f1ea0ac2df1

/data/user/0/com.bvropigp.scuowtq/qmfcjyisyf/ahdhpygjkky8ksa/base.apk.uyuehfm1.rhh

MD5 913a35f4d27a6145854a32f33fff4fe5
SHA1 7abf0bae19c7c2c9bae05a50311ad1b707f1ed2a
SHA256 e5e662e7d4e75cadd70a62323a0b417662281ceeac0b948bf68e1c4bed4c3835
SHA512 f396762928ee6df352c1027f2782fda1c6eb4df7531c7f0889777f05da7e21692469079f8e0f79056f52c0d84018b7175eadf02be325fb9788db5fb64fdb2741

/data/data/com.bvropigp.scuowtq/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/data/com.bvropigp.scuowtq/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/data/com.bvropigp.scuowtq/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/data/com.bvropigp.scuowtq/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/data/com.bvropigp.scuowtq/app_torfiles/torrc

MD5 b382b1ca748d0cda4e85eaf998bf743e
SHA1 fe973ca086b7344e7f4b88c665002d4dcc130e77
SHA256 129a19c7db43da90d5bcfeeae9346eff7fcc6e55e55fc3ab28284a9f0c592179
SHA512 f5c3168536ad66f053e1a5eb1f0d44eb352c8c94fda1d66168771ccebf8b4032d19ccf783d865b20c631e23f359239f41f1939d1269e937c58da11c4d31a74dc

Analysis: behavioral3

Detonation Overview

Submitted: 2024-04-02 07:50
Reported: 2024-04-02 07:52
Platform: android-x64-arm64-20240221-en
Max time kernel: 148s
Max time network: 151s

Command Line

com.bvropigp.scuowtq

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.bvropigp.scuowtq/qmfcjyisyf/ahdhpygjkky8ksa/base.apk.uyuehfm1.rhh N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Reads information about phone network operator

discovery

Processes

com.bvropigp.scuowtq

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 172.217.169.4:443 tcp
GB 172.217.169.4:443 tcp

Files

/data/user/0/com.bvropigp.scuowtq/qmfcjyisyf/ahdhpygjkky8ksa/tmp-base.apk.uyuehfm5963557465966091130.rhh

MD5 ce32660aea9bb6df5334df6c1b23e9db
SHA1 18636d7d371b2055b92412c5b0a46a0cf9115ec4
SHA256 8d4038e0b3b633866235d51d87bb48e61d501d9b657736a9add75e76478eab3b
SHA512 88a88527e60789e1d9e0427f7f0be5ef885eef45388b8524dad631fa64f57cfc85f8fb31f1b5a6128c409514b9a3cc893af92a45de3578dd63bc6f1ea0ac2df1

/data/user/0/com.bvropigp.scuowtq/qmfcjyisyf/ahdhpygjkky8ksa/base.apk.uyuehfm1.rhh

MD5 913a35f4d27a6145854a32f33fff4fe5
SHA1 7abf0bae19c7c2c9bae05a50311ad1b707f1ed2a
SHA256 e5e662e7d4e75cadd70a62323a0b417662281ceeac0b948bf68e1c4bed4c3835
SHA512 f396762928ee6df352c1027f2782fda1c6eb4df7531c7f0889777f05da7e21692469079f8e0f79056f52c0d84018b7175eadf02be325fb9788db5fb64fdb2741

/data/user/0/com.bvropigp.scuowtq/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/user/0/com.bvropigp.scuowtq/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/user/0/com.bvropigp.scuowtq/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/user/0/com.bvropigp.scuowtq/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/user/0/com.bvropigp.scuowtq/app_torfiles/torrc

MD5 b382b1ca748d0cda4e85eaf998bf743e
SHA1 fe973ca086b7344e7f4b88c665002d4dcc130e77
SHA256 129a19c7db43da90d5bcfeeae9346eff7fcc6e55e55fc3ab28284a9f0c592179
SHA512 f5c3168536ad66f053e1a5eb1f0d44eb352c8c94fda1d66168771ccebf8b4032d19ccf783d865b20c631e23f359239f41f1939d1269e937c58da11c4d31a74dc