Analysis

  • max time kernel: 149s
  • max time network: 130s
  • platform: android_x86
  • resource: android-x86-arm-20240221-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted: 08-04-2024 01:19

General

  • Target: e64e9fc94ff0b95e5c0cf2b38be94502_JaffaCakes118.apk
  • Size: 3.1MB
  • MD5: e64e9fc94ff0b95e5c0cf2b38be94502
  • SHA1: 7c9861d9fb7b00ea43113d7a36902b2c2525a1ee
  • SHA256: d97aab6e351401596e170f056c3833bfd709cf44a2db97739a9129910fe2ece1
  • SHA512: 59bafd293766ac2aa60d06fe375eb4e4855dbb4d88577b83995fe0970960dadc9bf442bcba96d2bca8f757d6035e9c90ee45f1a66f934d8b13fe710da3ead220
  • SSDEEP: 49152:YR2dtusPvSD0goCVIvBN/wVIxFeLuZtRqG69FF3w67KDzCxTn5fl3MHOL1:YR2dtlPqD0oOHwGFttRqlvd7Xhqg

Signatures

  • Hydra
    Android banker and info stealer.

  • Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.

  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)
    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator (1 TTP)

Processes

  • com.yzojnxnf.buzdnua (PID 4262)
    Signatures: Makes use of the framework's Accessibility service; Loads dropped Dex/Jar
    • Child process (PID 4290): /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yzojnxnf.buzdnua/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.yzojnxnf.buzdnua/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
      Signatures: Loads dropped Dex/Jar

Downloads

  • /data/data/com.yzojnxnf.buzdnua/code_cache/secondary-dexes/tmp-base.apk.classes7876317260122057150.zip
    Filesize: 378KB
    MD5: 22461312922193347c5757959b7b8822
    SHA1: ac343cd4e2b12b20a22e97e1c0ea69742a3ae287
    SHA256: 364451f204343b864bd2a0d4cadbcac05a9f59942a4a351ebd7fcb0e210dfaed
    SHA512: 7b8f58aceb39ed19ab85b2414ba135236e03dd12e4df373a5a8450519e096560096ebc1436ec470127569dadd6a015c8e961fe0801a442f5fa6624fa43375c43

  • /data/user/0/com.yzojnxnf.buzdnua/code_cache/secondary-dexes/base.apk.classes1.zip
    Filesize: 902KB
    MD5: e6f382e34842e02a8777077c74ed0dea
    SHA1: 60767bc7c91475c1a63ba074bc8549bb3aabac97
    SHA256: ae977aa24838f08096f8b0c4840fe2eac8deefe3b0ba7fdef7740a449bbd3b50
    SHA512: 3eadfcd05f8b2d60293243e7ab1cc5d148fd00ef3e2efae0e121fc63b78b382967a2e625774e7a7ab7b3808cc2f71d3a66d84f7e1994627b0ac5368c59a31c8a

  • /data/user/0/com.yzojnxnf.buzdnua/code_cache/secondary-dexes/base.apk.classes1.zip (second write to the same path, different content)
    Filesize: 902KB
    MD5: 32402d48b275e41cc5442589a81990e1
    SHA1: f76850317f3b3c84b57e91703f59b3f7d697577e
    SHA256: 9b69e3577180577a26eca85b5d81154ed7533376363d0e43328db7d081a275ee
    SHA512: a5e1cad53f86c144ec123112b7dd0428d5446e85e4e20ac1260dbfba3132b1e1bf49f4ffbeffc94a1d561ab0def8f32e42d493a1cf49b370a14a76e6523ad1fc