Malware Analysis Report

2024-10-19 12:04

Sample ID 240407-zj2hkaed78
Target e5d247675ac5a1326fead1be2d22cf16_JaffaCakes118
SHA256 2ba94628cffefb0fc52a5bc61982b5e8dfd2f8afa03bd86030b200ff1c7c1c67
Tags hydra banker collection discovery evasion infostealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 2ba94628cffefb0fc52a5bc61982b5e8dfd2f8afa03bd86030b200ff1c7c1c67

Threat Level: Known bad

The file e5d247675ac5a1326fead1be2d22cf16_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection discovery evasion infostealer trojan

Hydra

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Requests dangerous framework permissions

Looks up external IP address via web service

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-04-07 20:45

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
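The permission set above is the part of this report an analyst can reproduce from the APK alone, and the combination matters more than any single entry: an accessibility service plus SYSTEM_ALERT_WINDOW is the overlay-attack pattern, and RECEIVE_SMS/READ_SMS plus REQUEST_INSTALL_PACKAGES covers OTP theft and a second stage. The following is an added example (not part of the sandbox report or of the sample) that parses an AndroidManifest.xml as decoded by apktool and scores it against that profile. SAMPLE_MANIFEST is constructed: the package name and permissions are the ones in this report, while the component names, the weights and the threshold are illustrative assumptions.

```python
"""Manifest permission triage for the banker profile flagged in static1.

Added example, not part of the sandbox report or the sample. Parses an
AndroidManifest.xml (apktool output) and scores it against the
accessibility / overlay / SMS / installer combination typical of bankers.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Requested permissions with an illustrative weight (assumption, not a vendor score).
REQUESTED_WEIGHTS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,       # overlay windows for phishing forms
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,  # side-loading a second stage
    "android.permission.RECEIVE_SMS": 2,               # OTP / 2FA interception
    "android.permission.READ_SMS": 2,
    "android.permission.SEND_SMS": 1,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.CALL_PHONE": 1,
    "android.permission.WRITE_EXTERNAL_STORAGE": 0,    # common in benign apps too
}
# Bind permissions declared on components: these are the system-level hooks.
BIND_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,  # read/click any app's UI
    "android.permission.BIND_DEVICE_ADMIN": 2,           # resists uninstall
}
BANKER_THRESHOLD = 10  # assumption

# Constructed manifest mirroring the static1 permission list; component names invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.yifjjlyw.mbqtimw">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="app">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the package, the matched permissions and a banker-profile score."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")}
    # Bind permissions live on <service>/<receiver> elements, not in <uses-permission>.
    bound = {
        e.get(A_PERMISSION)
        for tag in ("service", "receiver")
        for e in root.iter(tag)
        if e.get(A_PERMISSION)
    }
    score = sum(REQUESTED_WEIGHTS.get(p, 0) for p in requested)
    score += sum(BIND_WEIGHTS.get(p, 0) for p in bound)
    findings = sorted(requested & set(REQUESTED_WEIGHTS)) + sorted(bound & set(BIND_WEIGHTS))
    return {
        "package": root.get("package"),
        "score": score,
        "findings": findings,
        # Accessibility + overlay is the classic overlay-attack combination.
        "accessibility_plus_overlay": (
            "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound
            and "android.permission.SYSTEM_ALERT_WINDOW" in requested
        ),
        "verdict": "banker-like" if score >= BANKER_THRESHOLD else "review",
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], result["verdict"], result["score"])
    for finding in result["findings"]:
        print("  ", finding)
```

Run it against `apktool d sample.apk` output by reading the decoded AndroidManifest.xml into triage_manifest. Note that the bind permissions are attributes of the declared component, which is why they are collected from service and receiver elements rather than from uses-permission.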

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 20:45

Reported

2024-04-08 19:51

Platform

android-x86-arm-20240221-en

Max time kernel

149s

Max time network

130s

Command Line

com.yifjjlyw.mbqtimw

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A
N/A | /data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.yifjjlyw.mbqtimw

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.180.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.109.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp

Files

/data/data/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/tmp-base.apk.classes2562076101568266421.zip

MD5 0e030f478a541ec401d1a56529d1d63f
SHA1 86e6a81d10e3f71c923c88e18b1376d241e8b69e
SHA256 545e0b970d1d73b80e928bbe3dd96b793e7289ac1d182d3c79ab062f54443c9a
SHA512 60b9a4159882dd5aa060ec3ac6a663072f1770dcb8555334960cc7e4da39faa68aa94720e46f299202602209401a085fb865b756b9d17dcfe2aaf1e7a37a24dd

/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 6760c9bc32517de556353c07a9e838ce
SHA1 5c45721646cea792bcb13e45300a5eeb31e8c9de
SHA256 fc9dbc1817960c0702dba102270ffd3678e2e635c0988985e4045e6731ec5df9
SHA512 71c33a5810ce6812154595dc0b394d50fd072afcd1845618d493aacfc983e80290b7050e096d6975a3363cf40ae614d8736049f319c3e0c2b77435b3be3ca5c0

/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 ca464b7b9c757be391d96f538799d390
SHA1 74b10e3645ca1c0ea8ab1b8deacac38ad0f9ec6e
SHA256 40fbbc8243c0203ed20582e3df70cc642ac68b674a96c149db7119604d08f15a
SHA512 7314830a7ecb6c812e0b284c3efc3cd3f565661172549a9ca947e343d9393da6fd67d15c34f543985ed82f9236a27a5d3a2e7a1f79d77590ea751132942ffbc2

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 20:45

Reported

2024-04-08 15:11

Platform

android-x64-20240221-en

Max time kernel

149s

Max time network

136s

Command Line

com.yifjjlyw.mbqtimw

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.yifjjlyw.mbqtimw

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.111.133:443 | gist.githubusercontent.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/data/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/tmp-base.apk.classes8499293441533632741.zip

MD5 0e030f478a541ec401d1a56529d1d63f
SHA1 86e6a81d10e3f71c923c88e18b1376d241e8b69e
SHA256 545e0b970d1d73b80e928bbe3dd96b793e7289ac1d182d3c79ab062f54443c9a
SHA512 60b9a4159882dd5aa060ec3ac6a663072f1770dcb8555334960cc7e4da39faa68aa94720e46f299202602209401a085fb865b756b9d17dcfe2aaf1e7a37a24dd

/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 6760c9bc32517de556353c07a9e838ce
SHA1 5c45721646cea792bcb13e45300a5eeb31e8c9de
SHA256 fc9dbc1817960c0702dba102270ffd3678e2e635c0988985e4045e6731ec5df9
SHA512 71c33a5810ce6812154595dc0b394d50fd072afcd1845618d493aacfc983e80290b7050e096d6975a3363cf40ae614d8736049f319c3e0c2b77435b3be3ca5c0

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-07 20:45

Reported

2024-04-08 15:11

Platform

android-x64-arm64-20240221-en

Max time kernel

154s

Max time network

135s

Command Line

com.yifjjlyw.mbqtimw

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.yifjjlyw.mbqtimw

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.180.10:443 | | udp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.213.14:443 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.109.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/tmp-base.apk.classes8458562596813523222.zip

MD5 0e030f478a541ec401d1a56529d1d63f
SHA1 86e6a81d10e3f71c923c88e18b1376d241e8b69e
SHA256 545e0b970d1d73b80e928bbe3dd96b793e7289ac1d182d3c79ab062f54443c9a
SHA512 60b9a4159882dd5aa060ec3ac6a663072f1770dcb8555334960cc7e4da39faa68aa94720e46f299202602209401a085fb865b756b9d17dcfe2aaf1e7a37a24dd

/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 6760c9bc32517de556353c07a9e838ce
SHA1 5c45721646cea792bcb13e45300a5eeb31e8c9de
SHA256 fc9dbc1817960c0702dba102270ffd3678e2e635c0988985e4045e6731ec5df9
SHA512 71c33a5810ce6812154595dc0b394d50fd072afcd1845618d493aacfc983e80290b7050e096d6975a3363cf40ae614d8736049f319c3e0c2b77435b3be3ca5c0
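Across the three detonations the useful indicators are the ones that repeat: ip-api.com is contacted in every run (the external IP lookup signature), gist.githubusercontent.com is fetched in every run, the dropped tmp-base.apk.classes*.zip carries the same SHA256 under three different random file names, and in behavioral1 base.apk.classes1.zip is recorded twice with different hashes. The following is an added example, not part of the sandbox report, that consolidates the Network and Files tables of all three runs into deduplicated indicators. The rows are a representative subset copied from the tables above; the benign-suffix list, the watch annotations and the /data/data to /data/user/0 path normalisation (the two are the same directory on Android) are the author's assumptions for illustration, not conclusions of the report.

```python
"""Cross-run IOC consolidation for the three behavioral detonations above.

Added example, not part of the sandbox report. Rows are copied from the
report's Network and Files tables (a representative subset).
"""
from collections import defaultdict

# Network rows per run: "country destination [domain] proto"; no domain where the report had none.
NETWORK_ROWS = {
    "behavioral1": [
        "N/A 224.0.0.251:5353 udp",
        "US 1.1.1.1:53 gist.githubusercontent.com udp",
        "US 185.199.109.133:443 gist.githubusercontent.com tcp",
        "US 1.1.1.1:53 ip-api.com udp",
        "US 208.95.112.1:80 ip-api.com tcp",
        "GB 216.58.201.110:443 tcp",
        "GB 142.250.200.46:443 android.apis.google.com tcp",
    ],
    "behavioral2": [
        "US 185.199.111.133:443 gist.githubusercontent.com tcp",
        "US 208.95.112.1:80 ip-api.com tcp",
        "GB 142.250.200.40:443 ssl.google-analytics.com tcp",
        "GB 216.58.201.100:443 tcp",
    ],
    "behavioral3": [
        "US 185.199.109.133:443 gist.githubusercontent.com tcp",
        "US 208.95.112.1:80 ip-api.com tcp",
        "GB 142.250.200.36:443 tcp",
    ],
}

# Dropped-file rows per run: (path, sha256), copied from the Files sections.
SHA_TMP = "545e0b970d1d73b80e928bbe3dd96b793e7289ac1d182d3c79ab062f54443c9a"
SHA_DEX_A = "fc9dbc1817960c0702dba102270ffd3678e2e635c0988985e4045e6731ec5df9"
SHA_DEX_B = "40fbbc8243c0203ed20582e3df70cc642ac68b674a96c149db7119604d08f15a"
DEX_DIR = "/data/user/0/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/"
FILE_ROWS = {
    "behavioral1": [
        ("/data/data/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/tmp-base.apk.classes2562076101568266421.zip", SHA_TMP),
        (DEX_DIR + "base.apk.classes1.zip", SHA_DEX_A),
        (DEX_DIR + "base.apk.classes1.zip", SHA_DEX_B),
    ],
    "behavioral2": [
        ("/data/data/com.yifjjlyw.mbqtimw/code_cache/secondary-dexes/tmp-base.apk.classes8499293441533632741.zip", SHA_TMP),
        (DEX_DIR + "base.apk.classes1.zip", SHA_DEX_A),
    ],
    "behavioral3": [
        (DEX_DIR + "tmp-base.apk.classes8458562596813523222.zip", SHA_TMP),
        (DEX_DIR + "base.apk.classes1.zip", SHA_DEX_A),
    ],
}

RESOLVER = "1.1.1.1:53"          # sandbox DNS; the query rows only tell us which names resolved
MDNS = "224.0.0.251:5353"        # multicast DNS noise from the emulator
BENIGN_SUFFIXES = ("googleapis.com", "google.com", "google-analytics.com")  # assumption
WATCH = {                        # analyst annotations (assumption)
    "ip-api.com": "external IP / geolocation lookup (victim profiling, geofencing)",
    "gist.githubusercontent.com": "public paste host; retrieve and inspect the fetched gist",
}


def parse_row(row):
    """Split a flattened 'country dest [domain] proto' row into fields."""
    parts = row.split()
    return {"country": parts[0], "dest": parts[1],
            "domain": parts[2] if len(parts) == 4 else "", "proto": parts[-1]}


def consolidate_network(runs):
    """Group endpoints by watch-listed domain, benign domain, or unresolved IP:port."""
    watch = defaultdict(lambda: {"ips": set(), "runs": set()})
    benign, unresolved = set(), defaultdict(set)
    for run, rows in runs.items():
        for r in map(parse_row, rows):
            if r["dest"] in (RESOLVER, MDNS):
                continue
            if r["domain"] in WATCH:
                watch[r["domain"]]["ips"].add(r["dest"])
                watch[r["domain"]]["runs"].add(run)
            elif r["domain"] and r["domain"].endswith(BENIGN_SUFFIXES):
                benign.add(r["domain"])
            else:  # no domain in the report: needs SNI/reverse lookup from the pcap
                unresolved[r["dest"]].add(run)
    return {"watch": dict(watch), "benign": benign, "unresolved": dict(unresolved)}


def consolidate_files(runs):
    """Group dropped files by SHA256 so random temp names collapse to one payload."""
    by_hash = defaultdict(lambda: {"paths": set(), "runs": set()})
    for run, rows in runs.items():
        for path, sha in rows:
            path = path.replace("/data/data/", "/data/user/0/", 1)  # same dir on Android
            by_hash[sha]["paths"].add(path)
            by_hash[sha]["runs"].add(run)
    return dict(by_hash)


def rewritten_paths(by_hash):
    """Paths that held more than one distinct payload (dex rewritten in place)."""
    seen = defaultdict(set)
    for sha, info in by_hash.items():
        for p in info["paths"]:
            seen[p].add(sha)
    return {p: shas for p, shas in seen.items() if len(shas) > 1}


if __name__ == "__main__":
    net = consolidate_network(NETWORK_ROWS)
    for domain, info in net["watch"].items():
        print(domain, sorted(info["ips"]), sorted(info["runs"]), "-", WATCH[domain])
    print("unresolved:", sorted(net["unresolved"]))
    files = consolidate_files(FILE_ROWS)
    print("payload", SHA_TMP[:12], "seen in", sorted(files[SHA_TMP]["runs"]))
    print("rewritten:", rewritten_paths(files))
```

The point of grouping by hash rather than by path is visible in the output: the three tmp-base.apk.classes*.zip names are one payload, while the stable base.apk.classes1.zip path is two different payloads, which is the thing to pull and diff when reversing the loader. The unresolved IP:port entries are deliberately not labelled benign on address alone; confirm them from TLS SNI in the capture before discarding them.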