Malware Analysis Report

2024-10-19 12:04

Sample ID 240416-d4lrysac5z
Target f2979157677fc7d394eebf9274546651_JaffaCakes118
SHA256 a8c9c4f38f72cf8cd3cd819936f1c1ea9670541ded180327f7b096a3370f2186
Tags
hydra banker collection discovery evasion infostealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file f2979157677fc7d394eebf9274546651_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection discovery evasion infostealer trojan

Hydra

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Requests dangerous framework permissions

Looks up external IP address via web service

Reads information about phone network operator

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-16 03:33

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-16 03:33

Reported

2024-04-16 03:36

Platform

android-x64-arm64-20240221-en

Max time kernel

149s

Max time network

149s

Command Line

com.orkpykqr.voqdvnd

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.orkpykqr.voqdvnd/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.orkpykqr.voqdvnd

Network

Country | Destination | Domain | Proto
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.234:443 | | udp
GB | 172.217.169.46:443 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.111.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 216.58.212.228:443 | | tcp
GB | 216.58.212.228:443 | | tcp

Files

/data/user/0/com.orkpykqr.voqdvnd/code_cache/secondary-dexes/tmp-base.apk.classes2970096053183627495.zip

MD5 5c93601a15b02a435d3f7f7deaf846a8
SHA1 ef48c690448a842a0d85245359366233173b96f6
SHA256 7acf0e6b67851e50ceb9e3211ed336cf3bcd6dd70655f82aa4b0dc9181c00de6
SHA512 7e8887ac9db1801b636a2a81a72e55b45e5d4e4e21b77b393027961060ebe413e28e62d0aafcdfd714da690a28503538ddf1383dff0ce327d9f3043d423ef0cb

/data/user/0/com.orkpykqr.voqdvnd/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 c8828addadb43ee1b07e4a83a414eeb9
SHA1 cdc3541d41fb5ec96e2a40d4c59d5b8bc8d8f3fa
SHA256 3d03749fe7386b7a668f17b0997caba8637e780fa1b1eeefc6f9faf9592545bc
SHA512 a30f057d86ed3893336c5aae922fcd50789619c52052d49b046c6e3b81158e3205daf79238f743c31a0adc242a02b9a5965bf5a95e4e932c0e61d2f94ef9a7bd

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-16 03:33

Reported

2024-04-16 03:36

Platform

android-x86-arm-20240221-en

Max time kernel

149s

Max time network

131s

Command Line

com.orkpykqr.voqdvnd

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.orkpykqr.voqdvnd/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A
N/A | /data/user/0/com.orkpykqr.voqdvnd/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.orkpykqr.voqdvnd

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.orkpykqr.voqdvnd/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.orkpykqr.voqdvnd/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.74:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.110.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp

Files

/data/data/com.orkpykqr.voqdvnd/code_cache/secondary-dexes/tmp-base.apk.classes2841202306447690660.zip

MD5 5c93601a15b02a435d3f7f7deaf846a8
SHA1 ef48c690448a842a0d85245359366233173b96f6
SHA256 7acf0e6b67851e50ceb9e3211ed336cf3bcd6dd70655f82aa4b0dc9181c00de6
SHA512 7e8887ac9db1801b636a2a81a72e55b45e5d4e4e21b77b393027961060ebe413e28e62d0aafcdfd714da690a28503538ddf1383dff0ce327d9f3043d423ef0cb

/data/user/0/com.orkpykqr.voqdvnd/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 c8828addadb43ee1b07e4a83a414eeb9
SHA1 cdc3541d41fb5ec96e2a40d4c59d5b8bc8d8f3fa
SHA256 3d03749fe7386b7a668f17b0997caba8637e780fa1b1eeefc6f9faf9592545bc
SHA512 a30f057d86ed3893336c5aae922fcd50789619c52052d49b046c6e3b81158e3205daf79238f743c31a0adc242a02b9a5965bf5a95e4e932c0e61d2f94ef9a7bd

/data/user/0/com.orkpykqr.voqdvnd/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 d5c02ddb9be8d789c23deb87af65f46c
SHA1 0529ff695af1a475067172e2a9733ff96dca7b75
SHA256 354d35e6dd7266c360f34526560f528c0788e5cd40e48e159f5936b8bf9fa954
SHA512 a8290275213f7977394c25bfec8fb65591651ef9e7e6a857fb10fa38924cc570f515a1c51f8cfe4865ba93f7f2f19be46e614788560bcdadd4f88553937cf67b

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-16 03:33

Reported

2024-04-16 03:36

Platform

android-x64-20240221-en

Max time kernel

149s

Max time network

158s

Command Line

com.orkpykqr.voqdvnd

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.orkpykqr.voqdvnd/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator

discovery

Processes

com.orkpykqr.voqdvnd

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.108.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 216.58.204.68:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.200.2:443 | | tcp

Files

/data/data/com.orkpykqr.voqdvnd/code_cache/secondary-dexes/tmp-base.apk.classes5042310921733558106.zip

MD5 5c93601a15b02a435d3f7f7deaf846a8
SHA1 ef48c690448a842a0d85245359366233173b96f6
SHA256 7acf0e6b67851e50ceb9e3211ed336cf3bcd6dd70655f82aa4b0dc9181c00de6
SHA512 7e8887ac9db1801b636a2a81a72e55b45e5d4e4e21b77b393027961060ebe413e28e62d0aafcdfd714da690a28503538ddf1383dff0ce327d9f3043d423ef0cb

/data/user/0/com.orkpykqr.voqdvnd/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 c8828addadb43ee1b07e4a83a414eeb9
SHA1 cdc3541d41fb5ec96e2a40d4c59d5b8bc8d8f3fa
SHA256 3d03749fe7386b7a668f17b0997caba8637e780fa1b1eeefc6f9faf9592545bc
SHA512 a30f057d86ed3893336c5aae922fcd50789619c52052d49b046c6e3b81158e3205daf79238f743c31a0adc242a02b9a5965bf5a95e4e932c0e61d2f94ef9a7bd