Malware Analysis Report

2024-10-19 12:04

Sample ID: 240411-s5e35aef26
Target: edc5eeb1f0ff10f5e2506d9d032a8d67_JaffaCakes118
SHA256: faaf963fd84d0e7c86f8750115f5291f0692d0aca0f97e151cf4cc870a65d88e
Tags: hydra banker collection discovery evasion infostealer trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: faaf963fd84d0e7c86f8750115f5291f0692d0aca0f97e151cf4cc870a65d88e
Threat Level: Known bad

The file edc5eeb1f0ff10f5e2506d9d032a8d67_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: hydra banker collection discovery evasion infostealer trojan

Hydra

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Checks memory information

Declares broadcast receivers with permission to handle system events

Looks up external IP address via web service

Reads information about phone network operator.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Analysis: static1

Detonation Overview

Reported: 2024-04-11 15:42

Signatures

Declares broadcast receivers with permission to handle system events

Indicator, then description (Process and Target: N/A):
android.permission.BIND_DEVICE_ADMIN
  Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator, then description (Process and Target: N/A):
android.permission.BIND_ACCESSIBILITY_SERVICE
  Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions

Indicator, then description (Process and Target: N/A for all rows):
android.permission.RECEIVE_SMS
  Allows an application to receive SMS messages.
android.permission.SYSTEM_ALERT_WINDOW
  Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_CONTACTS
  Allows an application to read the user's contacts data.
android.permission.READ_SMS
  Allows an application to read SMS messages.
android.permission.REQUEST_INSTALL_PACKAGES
  Allows an application to request installing packages.
android.permission.CALL_PHONE
  Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_EXTERNAL_STORAGE
  Allows an application to write to external storage.
android.permission.SEND_SMS
  Allows an application to send SMS messages.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-11 15:42
Reported: 2024-04-11 15:45
Platform: android-x86-arm-20240221-en
Max time kernel: 149s
Max time network: 151s

Command Line

com.bfyjyhdj.fdmomgg

Signatures

Hydra

Tags: banker trojan infostealer hydra

Makes use of the framework's Accessibility service

Tags: collection evasion
Indicator, then description (Process and Target: N/A for both rows):
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Framework service call
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  Framework service call

Checks memory information

Tags: evasion discovery
Indicator, then description (Process and Target: N/A):
/proc/meminfo
  File opened for read

Loads dropped Dex/Jar

Tags: evasion
Indicator (Description, Process and Target: N/A):
/data/user/0/com.bfyjyhdj.fdmomgg/ok8vhncfky/jiofydgdtjktbqx/base.apk.8mjqgfj1.tlp

Looks up external IP address via web service

Indicator (Description, Process and Target: N/A):
ip-api.com

Reads information about phone network operator.

Tags: discovery

Processes

com.bfyjyhdj.fdmomgg

/system/bin/ndk_translation_program_runner_binfmt_misc /data/user/0/com.bfyjyhdj.fdmomgg/app_torfiles/tor /data/user/0/com.bfyjyhdj.fdmomgg/app_torfiles/tor -f /data/user/0/com.bfyjyhdj.fdmomgg/app_torfiles/torrc __OwningControllerProcess 4186

Network


Files

/data/data/com.bfyjyhdj.fdmomgg/ok8vhncfky/jiofydgdtjktbqx/tmp-base.apk.8mjqgfj4398501852449579996.tlp
/data/user/0/com.bfyjyhdj.fdmomgg/ok8vhncfky/jiofydgdtjktbqx/base.apk.8mjqgfj1.tlp
/data/data/com.bfyjyhdj.fdmomgg/app_torfiles/geoip
/data/data/com.bfyjyhdj.fdmomgg/app_torfiles/geoip6
/data/data/com.bfyjyhdj.fdmomgg/app_torfiles/torrc
/data/data/com.bfyjyhdj.fdmomgg/app_torfiles/tor
/data/data/com.bfyjyhdj.fdmomgg/app_torfiles/torrc (a second entry for this path, with different hashes)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-11 15:42
Reported: 2024-04-11 15:45
Platform: android-x64-20240221-en
Max time kernel: 153s
Max time network: 137s

Command Line

com.bfyjyhdj.fdmomgg

Signatures

Hydra

Tags: banker trojan infostealer hydra

Makes use of the framework's Accessibility service

Tags: collection evasion
Indicator, then description (Process and Target: N/A for both rows):
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Framework service call
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  Framework service call

Loads dropped Dex/Jar

Tags: evasion
Indicator (Description, Process and Target: N/A):
/data/user/0/com.bfyjyhdj.fdmomgg/ok8vhncfky/jiofydgdtjktbqx/base.apk.8mjqgfj1.tlp

Looks up external IP address via web service

Indicator (Description, Process and Target: N/A):
ip-api.com

Reads information about phone network operator.

Tags: discovery

Processes

com.bfyjyhdj.fdmomgg

Network


Files

/data/data/com.bfyjyhdj.fdmomgg/ok8vhncfky/jiofydgdtjktbqx/tmp-base.apk.8mjqgfj7544831279995629098.tlp
/data/user/0/com.bfyjyhdj.fdmomgg/ok8vhncfky/jiofydgdtjktbqx/base.apk.8mjqgfj1.tlp
/data/data/com.bfyjyhdj.fdmomgg/app_torfiles/geoip
/data/data/com.bfyjyhdj.fdmomgg/app_torfiles/geoip6
/data/data/com.bfyjyhdj.fdmomgg/app_torfiles/torrc
/data/data/com.bfyjyhdj.fdmomgg/app_torfiles/tor
/data/data/com.bfyjyhdj.fdmomgg/app_torfiles/torrc (a second entry for this path, with different hashes)

Analysis: behavioral3

Detonation Overview

Submitted: 2024-04-11 15:42
Reported: 2024-04-11 15:45
Platform: android-x64-arm64-20240221-en
Max time kernel: 148s
Max time network: 152s

Command Line

com.bfyjyhdj.fdmomgg

Signatures

Hydra

Tags: banker trojan infostealer hydra

Makes use of the framework's Accessibility service

Tags: collection evasion
Indicator, then description (Process and Target: N/A for both rows):
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Framework service call
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  Framework service call

Loads dropped Dex/Jar

Tags: evasion
Indicator (Description, Process and Target: N/A):
/data/user/0/com.bfyjyhdj.fdmomgg/ok8vhncfky/jiofydgdtjktbqx/base.apk.8mjqgfj1.tlp

Looks up external IP address via web service

Indicator (Description, Process and Target: N/A):
ip-api.com

Reads information about phone network operator.

Tags: discovery

Processes

com.bfyjyhdj.fdmomgg

Network


Files

/data/user/0/com.bfyjyhdj.fdmomgg/ok8vhncfky/jiofydgdtjktbqx/tmp-base.apk.8mjqgfj8994946328436783335.tlp
/data/user/0/com.bfyjyhdj.fdmomgg/ok8vhncfky/jiofydgdtjktbqx/base.apk.8mjqgfj1.tlp
/data/data/com.bfyjyhdj.fdmomgg/app_torfiles/geoip
/data/data/com.bfyjyhdj.fdmomgg/app_torfiles/geoip6
/data/data/com.bfyjyhdj.fdmomgg/app_torfiles/torrc
/data/data/com.bfyjyhdj.fdmomgg/app_torfiles/tor
/data/data/com.bfyjyhdj.fdmomgg/app_torfiles/torrc (a second entry for this path, with different hashes)