Malware Analysis Report

2024-10-19 12:04

Sample ID 240404-evpypaed7y
Target af63addf891e3e4a65d704439a6f8d7e_JaffaCakes118
SHA256 2cba43b0863ac8248f4f3ec1f7b34162429fe7a7e97d5939874a1875e5fcd44c
Tags hydra banker collection discovery evasion infostealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

2cba43b0863ac8248f4f3ec1f7b34162429fe7a7e97d5939874a1875e5fcd44c

Threat Level: Known bad

The file af63addf891e3e4a65d704439a6f8d7e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection discovery evasion infostealer trojan

Hydra

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Requests dangerous framework permissions

Looks up external IP address via web service

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 04:15

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
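The static findings above (an accessibility service bound with BIND_ACCESSIBILITY_SERVICE, a device-admin receiver, SMS read/receive/send, SYSTEM_ALERT_WINDOW and REQUEST_INSTALL_PACKAGES) are the manifest-level fingerprint of an overlay banker: the accessibility service reads and drives other apps' UI, the overlay permission draws phishing windows on top of them, and the SMS permissions catch one-time codes. The following is an added triage script, not code from the sandbox or this report. It parses a decoded AndroidManifest.xml and scores that combination. The manifest string is constructed from the permissions and bound component types listed in static1; the component class names (.AccService, .AdminReceiver), the benign contrast manifest and the weights are this example's assumptions, the sample's real manifest is not reproduced on the page.

```python
"""Manifest triage for the accessibility/overlay/SMS banker pattern.

Added example (not from the report). SAMPLE_MANIFEST is constructed from
the static1 permission list; component names and weights are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Permissions flagged as dangerous in static1, with a triage weight
# (weights are an assumption; SMS and overlay dominate on purpose).
DANGEROUS = {
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_SMS": 2,
    "android.permission.SEND_SMS": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 3,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
    "android.permission.CALL_PHONE": 1,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.WRITE_EXTERNAL_STORAGE": 0,
}
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed manifest mirroring the static1 findings; .AccService and
# .AdminReceiver are hypothetical class names.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.xaegotnj.mcgrzsz">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Minimal benign manifest for contrast (also constructed).
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the banker-relevant facts from a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")}
    dangerous = sorted(p for p in requested if p in DANGEROUS)
    accessibility = any(s.get(A_PERMISSION) == BIND_ACCESSIBILITY
                        for s in root.iter("service"))
    device_admin = any(r.get(A_PERMISSION) == BIND_DEVICE_ADMIN
                       for r in root.iter("receiver"))
    sms = {"android.permission.RECEIVE_SMS",
           "android.permission.READ_SMS"} <= requested
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in requested

    score = sum(DANGEROUS[p] for p in dangerous)
    score += 4 if accessibility else 0
    score += 2 if device_admin else 0
    # UI-reading service + OTP channel + phishing overlay: any two is
    # suspicious, all three is the pattern recorded for this sample.
    combo = sum([accessibility, sms, overlay])
    verdict = ("banker-pattern" if combo == 3
               else "suspicious" if combo == 2 else "low")
    return {
        "package": root.get("package"),
        "dangerous_permissions": dangerous,
        "accessibility_service": accessibility,
        "device_admin_receiver": device_admin,
        "sms_interception": sms,
        "overlay": overlay,
        "score": score,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

To run it against a real APK, decode the binary manifest first (for example with apktool or androguard) and pass the resulting XML text to triage_manifest; the check deliberately keys on the android:permission attribute of the service and receiver elements, because that attribute, not the uses-permission list, is what makes a component bindable by the accessibility or device-admin system services.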

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 04:15

Reported

2024-04-04 04:18

Platform

android-x86-arm-20240221-en

Max time kernel

148s

Max time network

158s

Command Line

com.xaegotnj.mcgrzsz

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.xaegotnj.mcgrzsz/8ijgnwbbIj/bffnbjsbfnUwkIh/base.apk.yf8gnul1.fff | N/A | N/A
N/A | /data/user/0/com.xaegotnj.mcgrzsz/8ijgnwbbIj/bffnbjsbfnUwkIh/base.apk.yf8gnul1.fff | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.xaegotnj.mcgrzsz

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xaegotnj.mcgrzsz/8ijgnwbbIj/bffnbjsbfnUwkIh/base.apk.yf8gnul1.fff --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.xaegotnj.mcgrzsz/8ijgnwbbIj/bffnbjsbfnUwkIh/oat/x86/base.apk.yf8gnul1.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/ndk_translation_program_runner_binfmt_misc /data/user/0/com.xaegotnj.mcgrzsz/app_torfiles/tor /data/user/0/com.xaegotnj.mcgrzsz/app_torfiles/tor -f /data/user/0/com.xaegotnj.mcgrzsz/app_torfiles/torrc __OwningControllerProcess 4314

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
DE | 178.254.44.135:9001 | | tcp
AT | 86.59.21.38:443 | | tcp
DE | 178.254.44.135:9001 | | tcp
DE | 46.252.26.2:49991 | | tcp
DE | 51.77.71.247:9001 | | tcp
DE | 144.76.43.199:9001 | | tcp
DE | 185.254.96.139:9200 | | tcp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp
DE | 185.254.96.139:9200 | | tcp
DE | 51.77.71.247:9001 | | tcp
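Two things in the behavioral1 records above are worth pulling out programmatically. First, the dex2oat invocation: its --dex-file argument points inside the package's own data directory (/data/user/0/com.xaegotnj.mcgrzsz/...), not under /data/app where installed APKs live, so the sample is compiling code it wrote to disk at runtime, which is what the "Loads dropped Dex/Jar" signature records. Second, the process list shows a bundled tor binary started with its own torrc, and the network table then shows connections to bare IPs on 9001, Tor's default ORPort, alongside the ip-api.com lookup. The following is an added triage script, not code from the sandbox or this report. The process lines and network rows are copied from behavioral1 (the dex2oat line is shortened to the arguments the check reads); the classification rules (which paths count as app-private, which ports look like Tor, which hosts are IP-lookup services) are this example's assumptions.

```python
"""Triage of sandbox process and network records for dropped-dex
compilation, a bundled tor client and public-IP lookups.

Added example (not from the report). PROCESSES and NETWORK are copied
from the behavioral1 section; the classification rules are assumptions.
"""
import re

PKG = "com.xaegotnj.mcgrzsz"

PROCESSES = [
    PKG,
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--dex-file=/data/user/0/com.xaegotnj.mcgrzsz/8ijgnwbbIj/bffnbjsbfnUwkIh/base.apk.yf8gnul1.fff "
    "--output-vdex-fd=44 --oat-fd=45 "
    "--oat-location=/data/user/0/com.xaegotnj.mcgrzsz/8ijgnwbbIj/bffnbjsbfnUwkIh/oat/x86/base.apk.yf8gnul1.odex "
    "--compiler-filter=quicken",
    "/system/bin/ndk_translation_program_runner_binfmt_misc "
    "/data/user/0/com.xaegotnj.mcgrzsz/app_torfiles/tor "
    "/data/user/0/com.xaegotnj.mcgrzsz/app_torfiles/tor "
    "-f /data/user/0/com.xaegotnj.mcgrzsz/app_torfiles/torrc __OwningControllerProcess 4314",
]

# Network rows as the report prints them: country, ip:port, optional domain, proto.
NETWORK = """\
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
DE 178.254.44.135:9001 tcp
AT 86.59.21.38:443 tcp
DE 178.254.44.135:9001 tcp
DE 46.252.26.2:49991 tcp
DE 51.77.71.247:9001 tcp
DE 144.76.43.199:9001 tcp
DE 185.254.96.139:9200 tcp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp
DE 185.254.96.139:9200 tcp
DE 51.77.71.247:9001 tcp
"""

# Hosts whose purpose is to tell a client its public IP (assumed list).
IP_LOOKUP_SERVICES = {"ip-api.com", "ipinfo.io", "api.ipify.org", "ifconfig.me"}
TOR_DEFAULT_PORTS = {9001, 9030}   # Tor's default ORPort and DirPort
WEB_PORTS = {80, 443}

# App-private storage: /data/user/<n>/<pkg>/ or /data/data/<pkg>/.
APP_PRIVATE = re.compile(r"^/data/(user/\d+|data)/(?P<pkg>[\w.]+)/")


def analyze_processes(cmdlines):
    """Spot dex2oat compiling code out of app-private storage, and a tor client."""
    dropped_dex, tor = [], False
    for line in cmdlines:
        argv = line.split()
        if not argv:
            continue
        if argv[0].endswith("/dex2oat"):
            for arg in argv:
                if arg.startswith("--dex-file="):
                    path = arg[len("--dex-file="):]
                    m = APP_PRIVATE.match(path)
                    # Installed APKs live under /data/app; a dex inside the
                    # package's own data dir was written there at runtime.
                    if m and m.group("pkg") == PKG:
                        dropped_dex.append(path)
        elif "-f" in argv and any(a.endswith("/tor") and APP_PRIVATE.match(a)
                                  for a in argv):
            tor = True
    return {"dropped_dex": dropped_dex, "tor_launched": tor}


def parse_network_rows(text):
    """Parse the report's network table; the domain column may be empty."""
    conns = []
    for row in text.splitlines():
        fields = row.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            (country, dest, proto), domain = fields, None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        conns.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain, "proto": proto})
    return conns


def analyze_network(text):
    """Flag IP-lookup services, Tor-style ORPort peers and other bare-IP TCP."""
    report = {"ip_lookup": set(), "tor_orport": set(), "bare_ip_other": set()}
    for c in parse_network_rows(text):
        if c["domain"] in IP_LOOKUP_SERVICES:
            report["ip_lookup"].add(c["domain"])
        if c["proto"] == "tcp" and c["domain"] is None:
            dest = "%s:%d" % (c["ip"], c["port"])
            if c["port"] in TOR_DEFAULT_PORTS:
                report["tor_orport"].add(dest)
            elif c["port"] not in WEB_PORTS:
                report["bare_ip_other"].add(dest)
    return report


if __name__ == "__main__":
    print(analyze_processes(PROCESSES))
    print(analyze_network(NETWORK))
```

The bare-IP rule is intentionally coarse: a TCP connection to an IP with no preceding DNS answer on a non-web port is what a Tor circuit build looks like from the sandbox's vantage point, but it also matches any hard-coded C2, so treat tor_orport and bare_ip_other as leads to correlate with the spawned tor process rather than as proof of Tor on their own.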

Files

/data/data/com.xaegotnj.mcgrzsz/8ijgnwbbIj/bffnbjsbfnUwkIh/tmp-base.apk.yf8gnul692167626676495450.fff

MD5 dff665843451e980cf2bca62803e1b3b
SHA1 8151dea57b707fa3405a3801a2da8136cb64590a
SHA256 c4203101a336e9fddf865b2f6f51de9e9e6605ba2fc858587f89a0a76f71e65d
SHA512 bc14124769076ecb02f6c9011e246f9b8d4486a6693df1ab59969afd645c191a2a344a6e2949e9180b3df5a46adface941e8c074e53ee2dcaaf2c8db8f770fb3

/data/user/0/com.xaegotnj.mcgrzsz/8ijgnwbbIj/bffnbjsbfnUwkIh/base.apk.yf8gnul1.fff

MD5 acca3054e793de25c8f416df6a2035e9
SHA1 148645cc5e2a3c2e02beb16e591bffb07e2b4865
SHA256 edeb40e51715892d8105b872d50045f8f91c554b5d48c4ce9f05713e77cbf8d6
SHA512 90139b81f0b2927b07b989de9b0136717e8bc9c0fcc066eea4ae5ea9f6b292dece4c68821ce48941663355494653f5f005f8139efe9367ae3b54d50ad8b5c62e

/data/user/0/com.xaegotnj.mcgrzsz/8ijgnwbbIj/bffnbjsbfnUwkIh/base.apk.yf8gnul1.fff

MD5 310da7642faad26b2c3cae2e27949700
SHA1 b83cbc1a96050eced53ff5966533cf6b58174a23
SHA256 ed6cad4f1fe35d1cec19e77e25a2a2228ed87d18b41266e6dba5d6cf3a1bc42f
SHA512 fe337189ae751d57c3e0ca63c675d3bdec903eabb5674250d2a4bc73d3b48133b47b110c896166bbd24d4dae3020fcf5ae88046885714eab23684ff0aba39ed4

/data/data/com.xaegotnj.mcgrzsz/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/data/com.xaegotnj.mcgrzsz/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/data/com.xaegotnj.mcgrzsz/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/data/com.xaegotnj.mcgrzsz/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/data/com.xaegotnj.mcgrzsz/app_torfiles/torrc

MD5 3bc7e3d544a28c94785cc4ce50019813
SHA1 49aa606111d62aa7b1de630740be3e74d27422a7
SHA256 6901e15d8b77e2dd5ce247f0192017a5651599c8eb07a04dad85bd961ac55fb2
SHA512 a3c0514af1dbce43c52d399be8d5c4659bf091b2faf063c2fe3af629d24b886db7222fcb5bc50c36eb4a815a26afdd9a0541510e4d5d82fab9cbef4821ad40e1

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 04:15

Reported

2024-04-04 04:18

Platform

android-x64-20240221-en

Max time kernel

153s

Max time network

135s

Command Line

com.xaegotnj.mcgrzsz

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.xaegotnj.mcgrzsz/8ijgnwbbIj/bffnbjsbfnUwkIh/base.apk.yf8gnul1.fff | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.xaegotnj.mcgrzsz

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/data/com.xaegotnj.mcgrzsz/8ijgnwbbIj/bffnbjsbfnUwkIh/tmp-base.apk.yf8gnul948302641226652289.fff

MD5 dff665843451e980cf2bca62803e1b3b
SHA1 8151dea57b707fa3405a3801a2da8136cb64590a
SHA256 c4203101a336e9fddf865b2f6f51de9e9e6605ba2fc858587f89a0a76f71e65d
SHA512 bc14124769076ecb02f6c9011e246f9b8d4486a6693df1ab59969afd645c191a2a344a6e2949e9180b3df5a46adface941e8c074e53ee2dcaaf2c8db8f770fb3

/data/user/0/com.xaegotnj.mcgrzsz/8ijgnwbbIj/bffnbjsbfnUwkIh/base.apk.yf8gnul1.fff

MD5 acca3054e793de25c8f416df6a2035e9
SHA1 148645cc5e2a3c2e02beb16e591bffb07e2b4865
SHA256 edeb40e51715892d8105b872d50045f8f91c554b5d48c4ce9f05713e77cbf8d6
SHA512 90139b81f0b2927b07b989de9b0136717e8bc9c0fcc066eea4ae5ea9f6b292dece4c68821ce48941663355494653f5f005f8139efe9367ae3b54d50ad8b5c62e

/data/data/com.xaegotnj.mcgrzsz/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/data/com.xaegotnj.mcgrzsz/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/data/com.xaegotnj.mcgrzsz/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/data/com.xaegotnj.mcgrzsz/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/data/com.xaegotnj.mcgrzsz/app_torfiles/torrc

MD5 3bc7e3d544a28c94785cc4ce50019813
SHA1 49aa606111d62aa7b1de630740be3e74d27422a7
SHA256 6901e15d8b77e2dd5ce247f0192017a5651599c8eb07a04dad85bd961ac55fb2
SHA512 a3c0514af1dbce43c52d399be8d5c4659bf091b2faf063c2fe3af629d24b886db7222fcb5bc50c36eb4a815a26afdd9a0541510e4d5d82fab9cbef4821ad40e1

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-04 04:15

Reported

2024-04-04 04:18

Platform

android-x64-arm64-20240221-en

Max time kernel

148s

Max time network

150s

Command Line

com.xaegotnj.mcgrzsz

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.xaegotnj.mcgrzsz/8ijgnwbbIj/bffnbjsbfnUwkIh/base.apk.yf8gnul1.fff | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.xaegotnj.mcgrzsz

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.14:443 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.200.4:443 | | tcp
GB | 142.250.200.4:443 | | tcp

Files

/data/user/0/com.xaegotnj.mcgrzsz/8ijgnwbbIj/bffnbjsbfnUwkIh/tmp-base.apk.yf8gnul883855765711200223.fff

MD5 dff665843451e980cf2bca62803e1b3b
SHA1 8151dea57b707fa3405a3801a2da8136cb64590a
SHA256 c4203101a336e9fddf865b2f6f51de9e9e6605ba2fc858587f89a0a76f71e65d
SHA512 bc14124769076ecb02f6c9011e246f9b8d4486a6693df1ab59969afd645c191a2a344a6e2949e9180b3df5a46adface941e8c074e53ee2dcaaf2c8db8f770fb3

/data/user/0/com.xaegotnj.mcgrzsz/8ijgnwbbIj/bffnbjsbfnUwkIh/base.apk.yf8gnul1.fff

MD5 acca3054e793de25c8f416df6a2035e9
SHA1 148645cc5e2a3c2e02beb16e591bffb07e2b4865
SHA256 edeb40e51715892d8105b872d50045f8f91c554b5d48c4ce9f05713e77cbf8d6
SHA512 90139b81f0b2927b07b989de9b0136717e8bc9c0fcc066eea4ae5ea9f6b292dece4c68821ce48941663355494653f5f005f8139efe9367ae3b54d50ad8b5c62e

/data/user/0/com.xaegotnj.mcgrzsz/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/user/0/com.xaegotnj.mcgrzsz/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/user/0/com.xaegotnj.mcgrzsz/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/user/0/com.xaegotnj.mcgrzsz/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/user/0/com.xaegotnj.mcgrzsz/app_torfiles/torrc

MD5 3bc7e3d544a28c94785cc4ce50019813
SHA1 49aa606111d62aa7b1de630740be3e74d27422a7
SHA256 6901e15d8b77e2dd5ce247f0192017a5651599c8eb07a04dad85bd961ac55fb2
SHA512 a3c0514af1dbce43c52d399be8d5c4659bf091b2faf063c2fe3af629d24b886db7222fcb5bc50c36eb4a815a26afdd9a0541510e4d5d82fab9cbef4821ad40e1