Analysis
- max time kernel: 149s
- max time network: 130s
- platform: android_x86
- resource: android-x86-arm-20240221-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
- submitted: 08-04-2024 01:19
Static task: static1

Behavioral task: behavioral1
  Sample: e64e9fc94ff0b95e5c0cf2b38be94502_JaffaCakes118.apk
  Resource: android-x86-arm-20240221-en

Behavioral task: behavioral2
  Sample: e64e9fc94ff0b95e5c0cf2b38be94502_JaffaCakes118.apk
  Resource: android-x64-20240221-en

Behavioral task: behavioral3
  Sample: e64e9fc94ff0b95e5c0cf2b38be94502_JaffaCakes118.apk
  Resource: android-x64-arm64-20240221-en
General
- Target: e64e9fc94ff0b95e5c0cf2b38be94502_JaffaCakes118.apk
- Size: 3.1MB
- MD5: e64e9fc94ff0b95e5c0cf2b38be94502
- SHA1: 7c9861d9fb7b00ea43113d7a36902b2c2525a1ee
- SHA256: d97aab6e351401596e170f056c3833bfd709cf44a2db97739a9129910fe2ece1
- SHA512: 59bafd293766ac2aa60d06fe375eb4e4855dbb4d88577b83995fe0970960dadc9bf442bcba96d2bca8f757d6035e9c90ee45f1a66f934d8b13fe710da3ead220
- SSDEEP: 49152:YR2dtusPvSD0goCVIvBN/wVIxFeLuZtRqG69FF3w67KDzCxTn5fl3MHOL1:YR2dtlPqD0oOHwGFttRqlvd7Xhqg
Malware Config
Signatures

- Hydra
  Android banker and info stealer.

- Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.

  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.yzojnxnf.buzdnua
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.yzojnxnf.buzdnua

- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs executable file dropped to the device during analysis.

  ioc | pid | Process
  /data/user/0/com.yzojnxnf.buzdnua/code_cache/secondary-dexes/base.apk.classes1.zip | 4290 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yzojnxnf.buzdnua/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.yzojnxnf.buzdnua/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
  /data/user/0/com.yzojnxnf.buzdnua/code_cache/secondary-dexes/base.apk.classes1.zip | 4262 | com.yzojnxnf.buzdnua

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.

  flow | ioc
  8 | ip-api.com

- Reads information about phone network operator. (1 TTP)
Processes

com.yzojnxnf.buzdnua (PID: 4262)
  - Makes use of the framework's Accessibility service
  - Loads dropped Dex/Jar
  └ /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yzojnxnf.buzdnua/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.yzojnxnf.buzdnua/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=& (PID: 4290)
      - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Downloads

- /data/data/com.yzojnxnf.buzdnua/code_cache/secondary-dexes/tmp-base.apk.classes7876317260122057150.zip
  Filesize: 378KB
  MD5: 22461312922193347c5757959b7b8822
  SHA1: ac343cd4e2b12b20a22e97e1c0ea69742a3ae287
  SHA256: 364451f204343b864bd2a0d4cadbcac05a9f59942a4a351ebd7fcb0e210dfaed
  SHA512: 7b8f58aceb39ed19ab85b2414ba135236e03dd12e4df373a5a8450519e096560096ebc1436ec470127569dadd6a015c8e961fe0801a442f5fa6624fa43375c43

- Filesize: 902KB
  MD5: e6f382e34842e02a8777077c74ed0dea
  SHA1: 60767bc7c91475c1a63ba074bc8549bb3aabac97
  SHA256: ae977aa24838f08096f8b0c4840fe2eac8deefe3b0ba7fdef7740a449bbd3b50
  SHA512: 3eadfcd05f8b2d60293243e7ab1cc5d148fd00ef3e2efae0e121fc63b78b382967a2e625774e7a7ab7b3808cc2f71d3a66d84f7e1994627b0ac5368c59a31c8a

- Filesize: 902KB
  MD5: 32402d48b275e41cc5442589a81990e1
  SHA1: f76850317f3b3c84b57e91703f59b3f7d697577e
  SHA256: 9b69e3577180577a26eca85b5d81154ed7533376363d0e43328db7d081a275ee
  SHA512: a5e1cad53f86c144ec123112b7dd0428d5446e85e4e20ac1260dbfba3132b1e1bf49f4ffbeffc94a1d561ab0def8f32e42d493a1cf49b370a14a76e6523ad1fc