Analysis
-
max time kernel
149s -
max time network
130s -
platform
android_x86 -
resource
android-x86-arm-20240221-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system -
submitted
07-04-2024 20:45
Static task
static1
Behavioral task
behavioral1
Sample
e5d247675ac5a1326fead1be2d22cf16_JaffaCakes118.apk
Resource
android-x86-arm-20240221-en
Behavioral task
behavioral2
Sample
e5d247675ac5a1326fead1be2d22cf16_JaffaCakes118.apk
Resource
android-x64-20240221-en
Behavioral task
behavioral3
Sample
e5d247675ac5a1326fead1be2d22cf16_JaffaCakes118.apk
Resource
android-x64-arm64-20240221-en
General
-
Target
e5d247675ac5a1326fead1be2d22cf16_JaffaCakes118.apk
-
Size
3.0MB
-
MD5
e5d247675ac5a1326fead1be2d22cf16
-
SHA1
2c384fdaa45c5496fc649ae227fa7b5e9ae3e363
-
SHA256
2ba94628cffefb0fc52a5bc61982b5e8dfd2f8afa03bd86030b200ff1c7c1c67
-
SHA512
70c8a9084ce41b0ee48e95f761ec51b870aae2c93c0a492c20b043e659d410623360ab80aafb0590792fdcc7a5efd1a8920f0ee5bd289e5eb701de5f234d4fba
-
SSDEEP
49152:ZZ3Fhu5v+oeX7tQ0gYZ1r6svkRQYGdHgMjVwAf6BwGf6fkPiK2pFd4MfXqiDo/Jz:ZTYtAZQ4wR7G5g4VbfOVu9FdhvWmkv
Malware Config
Signatures
-
Hydra
Android banker and info stealer.
-
Makes use of the framework's Accessibility service 2 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.yifjjlyw.mbqtimw Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.yifjjlyw.mbqtimw -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip 4494 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip 4466 com.yifjjlyw.mbqtimw -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 ip-api.com -
Reads information about phone network operator. 1 TTPs
Processes
-
com.yifjjlyw.mbqtimw1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
PID:4466 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4494
-
Network
MITRE ATT&CK Mobile v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/tmp-base.apk.classes2562076101568266421.zip
Filesize378KB
MD50e030f478a541ec401d1a56529d1d63f
SHA186e6a81d10e3f71c923c88e18b1376d241e8b69e
SHA256545e0b970d1d73b80e928bbe3dd96b793e7289ac1d182d3c79ab062f54443c9a
SHA51260b9a4159882dd5aa060ec3ac6a663072f1770dcb8555334960cc7e4da39faa68aa94720e46f299202602209401a085fb865b756b9d17dcfe2aaf1e7a37a24dd
-
Filesize
902KB
MD5ca464b7b9c757be391d96f538799d390
SHA174b10e3645ca1c0ea8ab1b8deacac38ad0f9ec6e
SHA25640fbbc8243c0203ed20582e3df70cc642ac68b674a96c149db7119604d08f15a
SHA5127314830a7ecb6c812e0b284c3efc3cd3f565661172549a9ca947e343d9393da6fd67d15c34f543985ed82f9236a27a5d3a2e7a1f79d77590ea751132942ffbc2
-
Filesize
902KB
MD56760c9bc32517de556353c07a9e838ce
SHA15c45721646cea792bcb13e45300a5eeb31e8c9de
SHA256fc9dbc1817960c0702dba102270ffd3678e2e635c0988985e4045e6731ec5df9
SHA51271c33a5810ce6812154595dc0b394d50fd072afcd1845618d493aacfc983e80290b7050e096d6975a3363cf40ae614d8736049f319c3e0c2b77435b3be3ca5c0