Malware Analysis Report

2024-10-19 12:04

Sample ID 240410-kgztmacf9z
Target eaaa603ceed4c9a3d707b552b6a895a3_JaffaCakes118
SHA256 4ee193d7a93bbf1d0ae9ea86d775eee37f9e4fde4b9f025aa7c8e102dbfebfc7
Tags
hydra banker collection discovery evasion infostealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4ee193d7a93bbf1d0ae9ea86d775eee37f9e4fde4b9f025aa7c8e102dbfebfc7

Threat Level: Known bad

The file eaaa603ceed4c9a3d707b552b6a895a3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection discovery evasion infostealer trojan

Hydra

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Requests dangerous framework permissions

Looks up external IP address via web service

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 08:35

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 08:35

Reported

2024-04-10 08:38

Platform

android-x86-arm-20240221-en

Max time kernel

149s

Max time network

131s

Command Line

com.tpxrxuuy.fitfqgd

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.tpxrxuuy.fitfqgd/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A
N/A | /data/user/0/com.tpxrxuuy.fitfqgd/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.tpxrxuuy.fitfqgd

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tpxrxuuy.fitfqgd/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.tpxrxuuy.fitfqgd/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.109.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.tpxrxuuy.fitfqgd/code_cache/secondary-dexes/tmp-base.apk.classes2371235773398201526.zip

MD5 272f8c2c69e5b7c8ea2b63ba465e4a09
SHA1 247cb67d11c0c1e6a16f30e61418ffe7826707f7
SHA256 08f2c9a8198cc711aabfc872b6a26e67e68ae509c06b462551881ead1a7763b5
SHA512 8476633aea2286f229008a5eb279f9f7f42287dadac1fb1b90396b2ff5162112f0854f1c90b0177b07da6e691ba2742d1a05ccddf7e0f0444ee3cda189215e76

/data/user/0/com.tpxrxuuy.fitfqgd/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 6ad4459f413e92d160011d6cc7901c1b
SHA1 2d077c13773d6ff77b2510eea67f6bd645f4e769
SHA256 1221c2dd1d591eb578d676513169fbd74de7904769e1cfa5401e557735767c20
SHA512 0cb47a4e50fd29388bb02b5802aa22f6cbf7c8db430f0a338d7426fa3547055ec4025208ffd83729fd372d91a22213bb774c36017105d08a5a01efc9f8575fa2

/data/user/0/com.tpxrxuuy.fitfqgd/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 fafc24437a93ea3e27504bdbbee792ac
SHA1 dd1de39bcb00c2f74ae969c92cb517833cbc5033
SHA256 f31afdded2bc14a8fb5ab4ed36ae86a25f182b93a84da13314618c28089d13ff
SHA512 a19aa84cb7b24fc713cc82b02a9d562bfc347e4b2954bd738ce42af373ec1577299736ad0d9dc74f3f856d5363b8302148b187da95b4dcfb9956ee8e093ce210

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 08:35

Reported

2024-04-10 08:38

Platform

android-x64-20240221-en

Max time kernel

154s

Max time network

146s

Command Line

com.tpxrxuuy.fitfqgd

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.tpxrxuuy.fitfqgd/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.tpxrxuuy.fitfqgd

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.111.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 142.250.187.195:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/data/com.tpxrxuuy.fitfqgd/code_cache/secondary-dexes/tmp-base.apk.classes869219423482140383.zip

MD5 272f8c2c69e5b7c8ea2b63ba465e4a09
SHA1 247cb67d11c0c1e6a16f30e61418ffe7826707f7
SHA256 08f2c9a8198cc711aabfc872b6a26e67e68ae509c06b462551881ead1a7763b5
SHA512 8476633aea2286f229008a5eb279f9f7f42287dadac1fb1b90396b2ff5162112f0854f1c90b0177b07da6e691ba2742d1a05ccddf7e0f0444ee3cda189215e76

/data/user/0/com.tpxrxuuy.fitfqgd/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 6ad4459f413e92d160011d6cc7901c1b
SHA1 2d077c13773d6ff77b2510eea67f6bd645f4e769
SHA256 1221c2dd1d591eb578d676513169fbd74de7904769e1cfa5401e557735767c20
SHA512 0cb47a4e50fd29388bb02b5802aa22f6cbf7c8db430f0a338d7426fa3547055ec4025208ffd83729fd372d91a22213bb774c36017105d08a5a01efc9f8575fa2

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-10 08:35

Reported

2024-04-10 08:38

Platform

android-x64-arm64-20240221-en

Max time kernel

149s

Max time network

143s

Command Line

com.tpxrxuuy.fitfqgd

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.tpxrxuuy.fitfqgd/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.tpxrxuuy.fitfqgd

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.213.14:443 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.109.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/user/0/com.tpxrxuuy.fitfqgd/code_cache/secondary-dexes/tmp-base.apk.classes1379836960775835340.zip

MD5 272f8c2c69e5b7c8ea2b63ba465e4a09
SHA1 247cb67d11c0c1e6a16f30e61418ffe7826707f7
SHA256 08f2c9a8198cc711aabfc872b6a26e67e68ae509c06b462551881ead1a7763b5
SHA512 8476633aea2286f229008a5eb279f9f7f42287dadac1fb1b90396b2ff5162112f0854f1c90b0177b07da6e691ba2742d1a05ccddf7e0f0444ee3cda189215e76

/data/user/0/com.tpxrxuuy.fitfqgd/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 6ad4459f413e92d160011d6cc7901c1b
SHA1 2d077c13773d6ff77b2510eea67f6bd645f4e769
SHA256 1221c2dd1d591eb578d676513169fbd74de7904769e1cfa5401e557735767c20
SHA512 0cb47a4e50fd29388bb02b5802aa22f6cbf7c8db430f0a338d7426fa3547055ec4025208ffd83729fd372d91a22213bb774c36017105d08a5a01efc9f8575fa2