Malware Analysis Report

2024-10-19 12:04

Sample ID 240418-fv7zyaca79
Target f754fdb148454e2aaeac021374e7cd03_JaffaCakes118
SHA256 1101d16bdbd021d03cec94ac05abce0498ea5766923ac060caf6fa5d95ba98ca
Tags
hydra banker collection discovery evasion infostealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

1101d16bdbd021d03cec94ac05abce0498ea5766923ac060caf6fa5d95ba98ca

Threat Level: Known bad

The file f754fdb148454e2aaeac021374e7cd03_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection discovery evasion infostealer trojan

Hydra

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Looks up external IP address via web service

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Analysis: static1

Detonation Overview

Reported

2024-04-18 05:12

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-18 05:12

Reported

2024-04-18 05:15

Platform

android-x86-arm-20240221-en

Max time kernel

150s

Max time network

138s

Command Line

com.mnjgllsx.thwzxxs

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.mnjgllsx.thwzxxs/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.mnjgllsx.thwzxxs

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.111.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp

Files

/data/data/com.mnjgllsx.thwzxxs/code_cache/secondary-dexes/tmp-base.apk.classes7258752492429199278.zip

MD5 a194c01b0f489e2d5d0852df137ef5a3
SHA1 c831f079afd7b663e9028757b432ce641b1eb5da
SHA256 d20457a00e796956f5fc6ae7629b31f573af8b301f2291d23c5da5377664089d
SHA512 4c9cde46f142d0a12a2f69c645f734d1069f946d4ced563122c5cebaf1ac60121039124fa7b23731a7ae9de6c6c24d6071c424a4215c213cc38dd3f55f9af3e7

/data/user/0/com.mnjgllsx.thwzxxs/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 a61e3eeb358109c5524437c12145ae24
SHA1 8171bbcc8e2286bee417af43850d0acc7344af91
SHA256 441ceca064bfaf4dbc3640b69c692b4930b9ef7fc6ccc91abbd04a30468c27e7
SHA512 ea2ce8a0c0f188a33cca84ee4f6ef2c9c810bf2b91efdefce9302cf5b04eaab513682bd45412cafc9f82c299cbd28acba5d74cb9c6f2820d8051315d3d2a8cdd

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-18 05:12

Reported

2024-04-18 05:15

Platform

android-x64-20240221-en

Max time kernel

154s

Max time network

135s

Command Line

com.mnjgllsx.thwzxxs

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.mnjgllsx.thwzxxs/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.mnjgllsx.thwzxxs

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.108.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/data/com.mnjgllsx.thwzxxs/code_cache/secondary-dexes/tmp-base.apk.classes669931285701066863.zip

MD5 a194c01b0f489e2d5d0852df137ef5a3
SHA1 c831f079afd7b663e9028757b432ce641b1eb5da
SHA256 d20457a00e796956f5fc6ae7629b31f573af8b301f2291d23c5da5377664089d
SHA512 4c9cde46f142d0a12a2f69c645f734d1069f946d4ced563122c5cebaf1ac60121039124fa7b23731a7ae9de6c6c24d6071c424a4215c213cc38dd3f55f9af3e7

/data/user/0/com.mnjgllsx.thwzxxs/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 a61e3eeb358109c5524437c12145ae24
SHA1 8171bbcc8e2286bee417af43850d0acc7344af91
SHA256 441ceca064bfaf4dbc3640b69c692b4930b9ef7fc6ccc91abbd04a30468c27e7
SHA512 ea2ce8a0c0f188a33cca84ee4f6ef2c9c810bf2b91efdefce9302cf5b04eaab513682bd45412cafc9f82c299cbd28acba5d74cb9c6f2820d8051315d3d2a8cdd

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-18 05:12

Reported

2024-04-18 05:15

Platform

android-x64-arm64-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

com.mnjgllsx.thwzxxs

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.mnjgllsx.thwzxxs/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.mnjgllsx.thwzxxs

Network

Country | Destination | Domain | Proto
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.46:443 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.110.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 216.58.212.228:443 | | tcp
GB | 216.58.212.228:443 | | tcp

Files

/data/user/0/com.mnjgllsx.thwzxxs/code_cache/secondary-dexes/tmp-base.apk.classes9044785725609575895.zip

MD5 a194c01b0f489e2d5d0852df137ef5a3
SHA1 c831f079afd7b663e9028757b432ce641b1eb5da
SHA256 d20457a00e796956f5fc6ae7629b31f573af8b301f2291d23c5da5377664089d
SHA512 4c9cde46f142d0a12a2f69c645f734d1069f946d4ced563122c5cebaf1ac60121039124fa7b23731a7ae9de6c6c24d6071c424a4215c213cc38dd3f55f9af3e7

/data/user/0/com.mnjgllsx.thwzxxs/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 a61e3eeb358109c5524437c12145ae24
SHA1 8171bbcc8e2286bee417af43850d0acc7344af91
SHA256 441ceca064bfaf4dbc3640b69c692b4930b9ef7fc6ccc91abbd04a30468c27e7
SHA512 ea2ce8a0c0f188a33cca84ee4f6ef2c9c810bf2b91efdefce9302cf5b04eaab513682bd45412cafc9f82c299cbd28acba5d74cb9c6f2820d8051315d3d2a8cdd