Malware Analysis Report

2024-10-19 12:04

Sample ID 240415-khvajaad82
Target f0ac2253137cf4ce3fbb220d9c0388e3_JaffaCakes118
SHA256 9eb68d1213d226b439a87a74b3c5fe3705b2c49afeb0d09f048c26940bb0c9d9
Tags
hydra banker collection discovery evasion infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9eb68d1213d226b439a87a74b3c5fe3705b2c49afeb0d09f048c26940bb0c9d9

Threat Level: Known bad

The file f0ac2253137cf4ce3fbb220d9c0388e3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection discovery evasion infostealer trojan

Hydra

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Looks up external IP address via web service

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 08:36

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
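The static1 signatures above are manifest declarations: a service bound with BIND_ACCESSIBILITY_SERVICE, a receiver bound with BIND_DEVICE_ADMIN, and the overlay, SMS, contacts, call and install permissions. Each of these is common in legitimate apps; the combination is what a triage analyst scores. The block below is an added example written for this page, not code from the sandbox or from the sample: it parses a decoded AndroidManifest.xml (as produced by apktool or aapt) and scores that combination. The manifest it parses is constructed to carry the declarations the report lists; the component class names in it are placeholders and are not taken from the sample.

```python
"""Score an Android manifest for the banker-style declaration profile the
static1 signatures list. Added example for this page, not code from the
sandbox or from the sample."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # prefix of android:* attributes

# The permissions the report flags, grouped by what they buy an attacker.
# Any one of them is common in legitimate apps; the combination is the signal.
DANGEROUS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CALL_PHONE": "call",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
}
# Component permissions only the system holds: a component declaring them is
# bound by the framework itself, which is how an app gets to read and drive
# other apps' UI (accessibility) or resist uninstall (device admin).
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(xml_text: str) -> dict:
    """Return the package name, the sorted findings, and a banker-profile flag."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings = {DANGEROUS[p] for p in requested if p in DANGEROUS}
    if any(s.get(A + "permission") == BIND_ACCESSIBILITY for s in root.iter("service")):
        findings.add("accessibility_service")
    if any(r.get(A + "permission") == BIND_DEVICE_ADMIN for r in root.iter("receiver")):
        findings.add("device_admin")
    # Overlay + accessibility + SMS together is the profile behind overlay
    # phishing, UI automation and OTP interception.
    banker_profile = {"overlay", "accessibility_service", "sms"} <= findings
    return {
        "package": root.get("package"),
        "findings": sorted(findings),
        "banker_profile": banker_profile,
    }


# Constructed manifest mirroring the static1 indicators; the component class
# names are placeholders, not taken from the sample.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.flxfawyx.ygdonhv">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed control case: an ordinary app with one ordinary permission.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The scoring is deliberately conjunctive: flagging on SYSTEM_ALERT_WINDOW or an accessibility service alone would page on screen-readers and floating-widget apps, while the three together are rarely legitimate. Run it over the decoded manifest of a real APK, not over the binary AndroidManifest.xml inside the archive.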

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 08:36

Reported

2024-04-15 08:39

Platform

android-x86-arm-20240221-en

Max time kernel

149s

Max time network

131s

Command Line

com.flxfawyx.ygdonhv

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.flxfawyx.ygdonhv/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A
N/A | /data/user/0/com.flxfawyx.ygdonhv/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.flxfawyx.ygdonhv

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.flxfawyx.ygdonhv/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.flxfawyx.ygdonhv/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination         | Domain                             | Proto
N/A     | 224.0.0.251:5353    | -                                  | udp
US      | 1.1.1.1:53          | semanticlocation-pa.googleapis.com | udp
GB      | 142.250.200.10:443  | semanticlocation-pa.googleapis.com | tcp
US      | 1.1.1.1:53          | gist.githubusercontent.com         | udp
US      | 185.199.109.133:443 | gist.githubusercontent.com         | tcp
US      | 1.1.1.1:53          | ip-api.com                         | udp
US      | 208.95.112.1:80     | ip-api.com                         | tcp
GB      | 142.250.200.14:443  | -                                  | tcp
US      | 1.1.1.1:53          | android.apis.google.com            | udp
GB      | 142.250.187.206:443 | android.apis.google.com            | tcp
GB      | 142.250.200.10:443  | semanticlocation-pa.googleapis.com | tcp

A dash in the Domain column marks a connection for which the report records no domain.

Files

/data/data/com.flxfawyx.ygdonhv/code_cache/secondary-dexes/tmp-base.apk.classes6031891013500599414.zip

MD5 93b445c41c1a97da174939c265c56409
SHA1 c67aabadadf2c1f83facd885ffecb69b4255bb71
SHA256 c1897991617b6b0d299294fc9aee7df2573930ff921586343737f294b9926e98
SHA512 7325fa7564473de9392657ddb9621eb9dd1f51b9b4436da447f9f4be62a443572115ff1f692db1e430dfe521f157b4b4c6c88ea4e2fddd900df44f40a446d52f

/data/user/0/com.flxfawyx.ygdonhv/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 8f15d2934b58d2a814aad37ca46e70dc
SHA1 eb80dcb5498b6e1b1c97bd13febfa45a7f726122
SHA256 5e60fd517dda5a6d8a79e5600fb4d407efceb2c9933cb4a4bfe3c61104945fe8
SHA512 0c6f8d34d493b3711ee8abc4c68c34949c7c7f2ea25a67c5de261f5aa16107b19e7406c0609b60635d8f03be621362f253c4ebd7575f38b738ffcfbbe44a70c2

/data/user/0/com.flxfawyx.ygdonhv/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 6ab986fa55c4359806f8cebf827a471d
SHA1 ccd556295e6479cd061e4725e7dbfa4a8387a28a
SHA256 7a202ba1bc18daed73ad599f9283aadef36b00b8475bce94da121757e232ed95
SHA512 3eac3a8bfa7ecbddc0b67ee1b4fbe05fc6c35b3ee10fbaffa27328ba3dd1dd3edd7f02de40e796f1e24e4480a7a8f080ba47e4e8cb1c670fccc43ea4c50470fe

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 08:36

Reported

2024-04-15 08:39

Platform

android-x64-20240221-en

Max time kernel

154s

Max time network

135s

Command Line

com.flxfawyx.ygdonhv

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.flxfawyx.ygdonhv/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.flxfawyx.ygdonhv

Network

Country | Destination         | Domain                     | Proto
N/A     | 224.0.0.251:5353    | -                          | udp
US      | 1.1.1.1:53          | gist.githubusercontent.com | udp
US      | 185.199.109.133:443 | gist.githubusercontent.com | tcp
US      | 1.1.1.1:53          | ssl.google-analytics.com   | udp
GB      | 216.58.212.232:443  | ssl.google-analytics.com   | tcp
US      | 1.1.1.1:53          | ip-api.com                 | udp
US      | 208.95.112.1:80     | ip-api.com                 | tcp
GB      | 142.250.187.206:443 | -                          | tcp
US      | 1.1.1.1:53          | android.apis.google.com    | udp
GB      | 216.58.204.78:443   | android.apis.google.com    | tcp
GB      | 216.58.212.202:443  | -                          | tcp
GB      | 142.250.187.196:443 | -                          | tcp
GB      | 142.250.187.196:443 | -                          | tcp

A dash in the Domain column marks a connection for which the report records no domain.

Files

/data/data/com.flxfawyx.ygdonhv/code_cache/secondary-dexes/tmp-base.apk.classes8984814001828884164.zip

MD5 93b445c41c1a97da174939c265c56409
SHA1 c67aabadadf2c1f83facd885ffecb69b4255bb71
SHA256 c1897991617b6b0d299294fc9aee7df2573930ff921586343737f294b9926e98
SHA512 7325fa7564473de9392657ddb9621eb9dd1f51b9b4436da447f9f4be62a443572115ff1f692db1e430dfe521f157b4b4c6c88ea4e2fddd900df44f40a446d52f

/data/user/0/com.flxfawyx.ygdonhv/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 8f15d2934b58d2a814aad37ca46e70dc
SHA1 eb80dcb5498b6e1b1c97bd13febfa45a7f726122
SHA256 5e60fd517dda5a6d8a79e5600fb4d407efceb2c9933cb4a4bfe3c61104945fe8
SHA512 0c6f8d34d493b3711ee8abc4c68c34949c7c7f2ea25a67c5de261f5aa16107b19e7406c0609b60635d8f03be621362f253c4ebd7575f38b738ffcfbbe44a70c2

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-15 08:36

Reported

2024-04-15 08:39

Platform

android-x64-arm64-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

com.flxfawyx.ygdonhv

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.flxfawyx.ygdonhv/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.flxfawyx.ygdonhv

Network

Country | Destination         | Domain                     | Proto
GB      | 216.58.201.110:443  | -                          | tcp
GB      | 216.58.201.110:443  | -                          | tcp
N/A     | 224.0.0.251:5353    | -                          | udp
GB      | 142.250.200.14:443  | -                          | udp
US      | 1.1.1.1:53          | android.apis.google.com    | udp
GB      | 142.250.200.46:443  | android.apis.google.com    | tcp
US      | 1.1.1.1:53          | gist.githubusercontent.com | udp
US      | 185.199.108.133:443 | gist.githubusercontent.com | tcp
US      | 1.1.1.1:53          | ssl.google-analytics.com   | udp
GB      | 142.250.178.8:443   | ssl.google-analytics.com   | tcp
US      | 1.1.1.1:53          | ip-api.com                 | udp
US      | 208.95.112.1:80     | ip-api.com                 | tcp
GB      | 172.217.16.228:443  | -                          | tcp
US      | 1.1.1.1:53          | www.google.com             | udp
GB      | 142.250.180.4:443   | www.google.com             | tcp

A dash in the Domain column marks a connection for which the report records no domain.
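The Network tables of the three behavioral runs mix emulator background traffic (Google platform endpoints, mDNS, the 1.1.1.1 resolver) with the sample's own connections, and some rows carry no domain at all. The one behaviour the report itself singles out is the lookup of the external IP address via ip-api.com, which the sample fetches over plaintext HTTP on port 80. The block below is an added example for this page, not part of the sandbox report: it parses rows in the report's own three- or four-column format, drops resolver and mDNS noise, and flags external-IP-lookup services, plaintext HTTP, connections without a logged domain, and domains outside an allowlist. The rows are copied from the behavioral3 table above; the allowlist of Google platform domains and the list of IP-lookup services are assumptions made here for triage, not something the report states, and gist.githubusercontent.com is flagged only as an unallowlisted destination, since the page does not show what was fetched from it.

```python
"""Parse sandbox 'Network' table rows and pick out the connections worth
acting on. Added example for this page, not part of the sandbox report."""
from collections import namedtuple

Conn = namedtuple("Conn", "country ip port domain proto")

# Copied from the behavioral3 Network table. A row with only three fields is a
# connection the sandbox recorded without a domain.
NETWORK_ROWS = """\
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.200.14:443 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 gist.githubusercontent.com udp
US 185.199.108.133:443 gist.githubusercontent.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 172.217.16.228:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
"""

# Public-IP / geolocation services (assumption: illustrative list, extend it
# from your own telemetry). Mobile malware commonly queries one of these
# before deciding whether to run in a given country.
IP_LOOKUP_SERVICES = {"ip-api.com", "ipinfo.io", "api.ipify.org", "ifconfig.me"}
# Emulator/platform background traffic treated as benign for this triage
# (assumption for this page; verify against a clean baseline of the image).
PLATFORM_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")


def parse_rows(text: str) -> list:
    """Turn 'Country Destination [Domain] Proto' rows into Conn records."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:            # Country Destination Proto
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:          # Country Destination Domain Proto
            country, dest, domain, proto = parts
        else:
            continue
        if ":" not in dest:            # header line or malformed row
            continue
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def triage(conns: list):
    """Return (alerts, iocs); each alert is (kind, domain, 'ip:port')."""
    alerts, iocs = [], set()
    for c in conns:
        if c.ip.startswith("224.") or c.port == 53:
            continue  # mDNS chatter and the resolver itself are not indicators
        dest = f"{c.ip}:{c.port}"
        if c.domain in IP_LOOKUP_SERVICES:
            alerts.append(("external_ip_lookup", c.domain, dest))
            iocs.add(c.domain)
        elif c.domain is None:
            alerts.append(("direct_to_ip", None, dest))
        elif not c.domain.endswith(PLATFORM_SUFFIXES):
            alerts.append(("unallowlisted_domain", c.domain, dest))
            iocs.add(c.domain)
        if c.proto == "tcp" and c.port == 80:
            # Whatever was fetched (here the geolocation answer) crossed the
            # network in the clear and is recoverable from a capture.
            alerts.append(("plaintext_http", c.domain, dest))
    return alerts, iocs


if __name__ == "__main__":
    alerts, iocs = triage(parse_rows(NETWORK_ROWS))
    for kind, domain, dest in alerts:
        print(f"{kind:22} {domain or '-':30} {dest}")
    print("IOCs:", sorted(iocs))
```

The "direct_to_ip" rows in this run all fall in Google address space and are most likely platform traffic too, but the parser reports them rather than guessing: an allowlist by domain cannot clear a connection that has no domain, so those need a reverse lookup or a packet capture before they are dismissed.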

Files

/data/user/0/com.flxfawyx.ygdonhv/code_cache/secondary-dexes/tmp-base.apk.classes7459119532791208587.zip

MD5 93b445c41c1a97da174939c265c56409
SHA1 c67aabadadf2c1f83facd885ffecb69b4255bb71
SHA256 c1897991617b6b0d299294fc9aee7df2573930ff921586343737f294b9926e98
SHA512 7325fa7564473de9392657ddb9621eb9dd1f51b9b4436da447f9f4be62a443572115ff1f692db1e430dfe521f157b4b4c6c88ea4e2fddd900df44f40a446d52f

/data/user/0/com.flxfawyx.ygdonhv/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 8f15d2934b58d2a814aad37ca46e70dc
SHA1 eb80dcb5498b6e1b1c97bd13febfa45a7f726122
SHA256 5e60fd517dda5a6d8a79e5600fb4d407efceb2c9933cb4a4bfe3c61104945fe8
SHA512 0c6f8d34d493b3711ee8abc4c68c34949c7c7f2ea25a67c5de261f5aa16107b19e7406c0609b60635d8f03be621362f253c4ebd7575f38b738ffcfbbe44a70c2
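The Files sections of all three runs record the same secondary-dex zips being written into the app's private code_cache and then compiled and loaded from there (the "Loads dropped Dex/Jar" signature, and in behavioral1 the dex2oat command line with --dex-file pointing at base.apk.classes1.zip). In behavioral1 that path is listed twice with different hashes, so the staged code was rewritten during the run and each version deserves its own hash. When such a zip is pulled from a sandbox or a device, the first question is whether its entries are well-formed DEX files whose header fields agree with the bytes, or something else wearing the extension. The block below is an added example for this page, not part of the sandbox report: it implements the DEX header checks from the AOSP dex format (magic and version, adler32 checksum over everything after the checksum field, SHA-1 signature over everything after the signature field, file_size, header_size and endian_tag) and runs them over a zip constructed in memory, because the real dropped files are not on this page.

```python
"""Check that the entries of a dropped secondary-dex zip are well-formed DEX
files. Added example for this page, not part of the sandbox report."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n"
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def parse_dex_header(data: bytes) -> dict:
    """Verify the 0x70-byte header per the AOSP dex format: magic/version,
    adler32 over bytes 12.., SHA-1 over bytes 32.., file_size, header_size
    and endian_tag. Raises ValueError when the blob is not a DEX at all."""
    if len(data) < HEADER_SIZE or data[:4] != DEX_MAGIC:
        raise ValueError("not a DEX file")
    version = data[4:7].decode("ascii")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "version": version,
        "file_size": file_size,
        "size_ok": file_size == len(data),
        "header_ok": header_size == HEADER_SIZE and endian_tag == ENDIAN_CONSTANT,
        "checksum_ok": zlib.adler32(data[12:]) == checksum,
        "signature_ok": hashlib.sha1(data[32:]).digest() == signature,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def scan_dropped_zip(zip_bytes: bytes) -> dict:
    """Map each zip entry name to its header check result (or an error)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            try:
                results[name] = parse_dex_header(zf.read(name))
            except ValueError as exc:
                results[name] = {"error": str(exc)}
    return results


def build_synthetic_dex(version: bytes = b"035") -> bytes:
    """Constructed header-only DEX with consistent size, signature and
    checksum fields; stands in for the dropped classes the report hashes."""
    body = bytearray(HEADER_SIZE)
    body[0:4] = DEX_MAGIC
    body[4:8] = version + b"\0"
    struct.pack_into("<III", body, 32, HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT)
    body[12:32] = hashlib.sha1(body[32:]).digest()       # signature first ...
    struct.pack_into("<I", body, 8, zlib.adler32(body[12:]))  # ... then checksum over it
    return bytes(body)


def constructed_secondary_zip() -> bytes:
    """Constructed stand-in for base.apk.classes1.zip: one DEX, one non-DEX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", build_synthetic_dex())
        zf.writestr("not-a-dex.txt", b"decoy")
    return buf.getvalue()


if __name__ == "__main__":
    for name, info in scan_dropped_zip(constructed_secondary_zip()).items():
        print(name, info)
```

On a real sample, replace constructed_secondary_zip() with the bytes of the zip recovered from code_cache/secondary-dexes; a failing checksum or signature means the file was modified after it was built or was never a complete DEX, and the per-entry SHA-256 is what to compare against the hashes the report lists for each version of the dropped file.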