Malware Analysis Report

2024-10-19 12:04

Sample ID: 240404-svt5asbc3y
Target: bbdfddc05f32e4d7421e7b29dc2c2d48_JaffaCakes118
SHA256: ea391f65ae367799ab1bc162a4b8dcedb76f1da1e5595548497d943298f18682
Tags: hydra banker collection discovery evasion infostealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: ea391f65ae367799ab1bc162a4b8dcedb76f1da1e5595548497d943298f18682

Threat Level: Known bad

The file bbdfddc05f32e4d7421e7b29dc2c2d48_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection discovery evasion infostealer trojan

Hydra

Makes use of the framework's Accessibility service

Checks memory information

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Looks up external IP address via web service

Reads information about phone network operator

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 15:27

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 15:27

Reported

2024-04-04 15:29

Platform

android-x86-arm-20240221-en

Max time kernel

148s

Max time network

158s

Command Line

com.nhpbwede.sandbga

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nhpbwede.sandbga/jh8ptpwgbJ/jcblhnvfUkbbuva/base.apk.ckIkjit1.kaz | N/A | N/A
N/A | /data/user/0/com.nhpbwede.sandbga/jh8ptpwgbJ/jcblhnvfUkbbuva/base.apk.ckIkjit1.kaz | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.nhpbwede.sandbga

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nhpbwede.sandbga/jh8ptpwgbJ/jcblhnvfUkbbuva/base.apk.ckIkjit1.kaz --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.nhpbwede.sandbga/jh8ptpwgbJ/jcblhnvfUkbbuva/oat/x86/base.apk.ckIkjit1.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/ndk_translation_program_runner_binfmt_misc /data/user/0/com.nhpbwede.sandbga/app_torfiles/tor /data/user/0/com.nhpbwede.sandbga/app_torfiles/tor -f /data/user/0/com.nhpbwede.sandbga/app_torfiles/torrc __OwningControllerProcess 4459

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.212.202:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 216.58.201.110:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
NO | 185.35.202.221:9001 | N/A | tcp
DE | 193.23.244.244:443 | N/A | tcp
NL | 188.166.133.133:9001 | N/A | tcp
CH | 176.10.104.240:443 | N/A | tcp
SE | 193.11.114.43:9001 | N/A | tcp
CA | 199.58.81.140:443 | N/A | tcp
US | 173.255.245.116:9001 | N/A | tcp
DE | 49.12.224.203:8000 | N/A | tcp
CA | 54.39.118.29:8080 | N/A | tcp
US | 172.234.30.98:443 | N/A | tcp

Files

/data/data/com.nhpbwede.sandbga/jh8ptpwgbJ/jcblhnvfUkbbuva/tmp-base.apk.ckIkjit3756882579801380414.kaz

MD5 4cdd3f0700ddf92349822124b1430edd
SHA1 658b0e40b9dac10823cde9c1c3cc8b0a46e5f627
SHA256 c93fb19e501c42229c34334c2cedc038259c64cc4d3143977ad7d2f8f885b206
SHA512 f44a13afcec3e6b84773610a2b7c766602e1bf89a6edb2b9d68e252c90e072a773d6fe593476fcab85f734ff7f022dd8a39a8d6ce7c5d3e43b24704c64b16466

/data/user/0/com.nhpbwede.sandbga/jh8ptpwgbJ/jcblhnvfUkbbuva/base.apk.ckIkjit1.kaz

MD5 3068f0610de37179d9e55a1c48b9440e
SHA1 c83ee13ad5a0e66a7da98839f7111e12c96c27ae
SHA256 d2104acbafe0b2117785ded6c98c2a0e49ffdcddc16b484e58be67d68477e88b
SHA512 90d99350962665d3c0f5ca7c8a6390287f64f1db9de96cba70a3bd755bd0220c8321e441ba5770e0e5c30053e3cb67be590b440b7ef97af347438a008d7d52e4

/data/user/0/com.nhpbwede.sandbga/jh8ptpwgbJ/jcblhnvfUkbbuva/base.apk.ckIkjit1.kaz

MD5 86ae1a3263fe68e089250d91c52248a6
SHA1 99e30337593035263caa241904468beef5df61a3
SHA256 40c7b9632bdbd9a9f937a93035db2815f69efcdfb0451e1a108bdcfd04a27ecb
SHA512 05818d819d465bdd9a0c204c72cc254cbc6fe7211903966e64eb928ed006739ad53314297e41825ccff539283fda1db8aac106f1fef9a384325f468a12b8919e

/data/data/com.nhpbwede.sandbga/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/data/com.nhpbwede.sandbga/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/data/com.nhpbwede.sandbga/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/data/com.nhpbwede.sandbga/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/data/com.nhpbwede.sandbga/app_torfiles/torrc

MD5 ef1d339fec9774769eb3d00f3e897cc0
SHA1 1a8caa23654ebb1d6794ac47403d85e046e99a53
SHA256 20692b83ec6c9f37fa58a884f4a7e8f1547023f6841d27b55a7290f5ff42be0b
SHA512 0ebe96a32bc1503f7993616fe174cd6c1efba95650cccf57f91f153d09dd94a188abf8d13b20037426e4437d626c1ffed92d7284d47dc9d5eb9fe20f6dcaeae0

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 15:27

Reported

2024-04-04 15:30

Platform

android-x64-20240221-en

Max time kernel

153s

Max time network

136s

Command Line

com.nhpbwede.sandbga

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nhpbwede.sandbga/jh8ptpwgbJ/jcblhnvfUkbbuva/base.apk.ckIkjit1.kaz | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.nhpbwede.sandbga

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.178.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 216.58.212.228:443 | N/A | tcp
GB | 216.58.212.228:443 | N/A | tcp

Files

/data/data/com.nhpbwede.sandbga/jh8ptpwgbJ/jcblhnvfUkbbuva/tmp-base.apk.ckIkjit1273199209908475489.kaz

MD5 4cdd3f0700ddf92349822124b1430edd
SHA1 658b0e40b9dac10823cde9c1c3cc8b0a46e5f627
SHA256 c93fb19e501c42229c34334c2cedc038259c64cc4d3143977ad7d2f8f885b206
SHA512 f44a13afcec3e6b84773610a2b7c766602e1bf89a6edb2b9d68e252c90e072a773d6fe593476fcab85f734ff7f022dd8a39a8d6ce7c5d3e43b24704c64b16466

/data/user/0/com.nhpbwede.sandbga/jh8ptpwgbJ/jcblhnvfUkbbuva/base.apk.ckIkjit1.kaz

MD5 3068f0610de37179d9e55a1c48b9440e
SHA1 c83ee13ad5a0e66a7da98839f7111e12c96c27ae
SHA256 d2104acbafe0b2117785ded6c98c2a0e49ffdcddc16b484e58be67d68477e88b
SHA512 90d99350962665d3c0f5ca7c8a6390287f64f1db9de96cba70a3bd755bd0220c8321e441ba5770e0e5c30053e3cb67be590b440b7ef97af347438a008d7d52e4

/data/data/com.nhpbwede.sandbga/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/data/com.nhpbwede.sandbga/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/data/com.nhpbwede.sandbga/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/data/com.nhpbwede.sandbga/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/data/com.nhpbwede.sandbga/app_torfiles/torrc

MD5 ef1d339fec9774769eb3d00f3e897cc0
SHA1 1a8caa23654ebb1d6794ac47403d85e046e99a53
SHA256 20692b83ec6c9f37fa58a884f4a7e8f1547023f6841d27b55a7290f5ff42be0b
SHA512 0ebe96a32bc1503f7993616fe174cd6c1efba95650cccf57f91f153d09dd94a188abf8d13b20037426e4437d626c1ffed92d7284d47dc9d5eb9fe20f6dcaeae0

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-04 15:27

Reported

2024-04-04 15:30

Platform

android-x64-arm64-20240221-en

Max time kernel

149s

Max time network

140s

Command Line

com.nhpbwede.sandbga

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nhpbwede.sandbga/jh8ptpwgbJ/jcblhnvfUkbbuva/base.apk.ckIkjit1.kaz | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.nhpbwede.sandbga

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.213.10:443 | N/A | udp
GB | 142.250.200.46:443 | N/A | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 172.217.169.74:443 | N/A | tcp
GB | 172.217.169.74:443 | N/A | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 216.58.201.100:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp

Files

/data/user/0/com.nhpbwede.sandbga/jh8ptpwgbJ/jcblhnvfUkbbuva/tmp-base.apk.ckIkjit967489685972892922.kaz

MD5 4cdd3f0700ddf92349822124b1430edd
SHA1 658b0e40b9dac10823cde9c1c3cc8b0a46e5f627
SHA256 c93fb19e501c42229c34334c2cedc038259c64cc4d3143977ad7d2f8f885b206
SHA512 f44a13afcec3e6b84773610a2b7c766602e1bf89a6edb2b9d68e252c90e072a773d6fe593476fcab85f734ff7f022dd8a39a8d6ce7c5d3e43b24704c64b16466

/data/user/0/com.nhpbwede.sandbga/jh8ptpwgbJ/jcblhnvfUkbbuva/base.apk.ckIkjit1.kaz

MD5 3068f0610de37179d9e55a1c48b9440e
SHA1 c83ee13ad5a0e66a7da98839f7111e12c96c27ae
SHA256 d2104acbafe0b2117785ded6c98c2a0e49ffdcddc16b484e58be67d68477e88b
SHA512 90d99350962665d3c0f5ca7c8a6390287f64f1db9de96cba70a3bd755bd0220c8321e441ba5770e0e5c30053e3cb67be590b440b7ef97af347438a008d7d52e4

/data/user/0/com.nhpbwede.sandbga/app_torfiles/geoip

MD5 da86c56d98ea812ce6ab42691e4d1197
SHA1 e3c910f3b2a6c916c7be33a943091ef57048b72c
SHA256 9f65eab86508224b41cbf319314c070f33fdecb250d17247da83ab7b4d436159
SHA512 62095ef018a1e2664b380056141e54f224458727229b309f101b0961616a0e5feeaf8428b9b788df4a1408304a46f6d38bcaf9edda770dd6752251995ae49235

/data/user/0/com.nhpbwede.sandbga/app_torfiles/geoip6

MD5 18625900e4f9b58af0db8b4a621058df
SHA1 e8bd5b2e6554c27f718f1222667c09680d75f799
SHA256 296911c0f69a26b5fd65f4552f6a141d6cdbb5979f62b8b7db28e7b97e0698f5
SHA512 347006c25eeac5b5cccecd09dafe814cec569e4741c67d3a35dc47d605ef2110adbc0a4e689077c80216059a6a66454bfa525e3cb6fe5b03a781f1f3b8fac6c8

/data/user/0/com.nhpbwede.sandbga/app_torfiles/torrc

MD5 a5537c6e54c265bd4a318bdc057b604c
SHA1 00e834c03f908659e5beeb57a0828b22c2d09acc
SHA256 c0fbdadf36a2b1ef0b4287b66d3a94312915faf5f10b0861e494ea6c40b62c2e
SHA512 062a02b944e990ae4871b53e83fdf15322140f4c50df286488dc1c7ddad423708d4c4eeb97af7518c4bdb54547ee1188822cfacd4ca3ed7032961625a251cac9

/data/user/0/com.nhpbwede.sandbga/app_torfiles/tor

MD5 3ffe7e540a5be82f50eccd51dde09828
SHA1 e3d9711da7afed4bc89326d3bf80bbfcad7dc5cc
SHA256 805e8995ae913e691ff3e4b6a5fce1c7d11860940ace43a5187a1f548ddcb24b
SHA512 8679cb1df0f82a830e952d0e9628967839dc7a96c178c481dac96ab01c815dec107b4f1b22aa7481aa0071bff9c541d9cb559a0a7268782e3a75874fbbaba7cc

/data/user/0/com.nhpbwede.sandbga/app_torfiles/torrc

MD5 ef1d339fec9774769eb3d00f3e897cc0
SHA1 1a8caa23654ebb1d6794ac47403d85e046e99a53
SHA256 20692b83ec6c9f37fa58a884f4a7e8f1547023f6841d27b55a7290f5ff42be0b
SHA512 0ebe96a32bc1503f7993616fe174cd6c1efba95650cccf57f91f153d09dd94a188abf8d13b20037426e4437d626c1ffed92d7284d47dc9d5eb9fe20f6dcaeae0