Malware Analysis Report

2024-10-19 12:04

Sample ID 240418-mbcs1sbd9z
Target f7c9818a25d2bbcbbf464ad5cd4da13c_JaffaCakes118
SHA256 1437e111cfc3d76f3397bafc21a4ec81ad08d592ade86645fbbe552f61d7cfbd
Tags
hydra banker collection discovery evasion infostealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1437e111cfc3d76f3397bafc21a4ec81ad08d592ade86645fbbe552f61d7cfbd

Threat Level: Known bad

The file f7c9818a25d2bbcbbf464ad5cd4da13c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection discovery evasion infostealer trojan

Hydra

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Reads information about phone network operator

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Looks up external IP address via web service

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-18 10:17

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-18 10:17

Reported

2024-04-18 10:19

Platform

android-x86-arm-20240221-en

Max time kernel

150s

Max time network

120s

Command Line

com.llldjydh.tpolrlz

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.llldjydh.tpolrlz/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A
N/A /data/user/0/com.llldjydh.tpolrlz/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Reads information about phone network operator

discovery

Processes

com.llldjydh.tpolrlz

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.llldjydh.tpolrlz/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.llldjydh.tpolrlz/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 1.1.1.1:53 gist.githubusercontent.com udp
US 185.199.108.133:443 gist.githubusercontent.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.llldjydh.tpolrlz/code_cache/secondary-dexes/tmp-base.apk.classes5015005782405692700.zip

MD5 a4a3588d014de7ba37b239e049c77285
SHA1 00c31b7ad4a8848fc258d52e15e333656cbcc228
SHA256 07bbc2aaba4b2a0c95cb7e90044fd515a78fc96d678d807034eff94630eeee06
SHA512 e0fc44be247555b1d396d73d28073587221af415b2957039e337057b969cc911593956ab80175dd55f614cafc79df7faaef22a99a8852559c83991434e71bb1c

/data/user/0/com.llldjydh.tpolrlz/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 f63966c50ea4eed0d2ad9183b842efdd
SHA1 ff3787b8a1e285482c8f154e05c4a2b696fabb2d
SHA256 0f2017b7f0b8a662df4725742be504af37e4a9bdfe4e7abdea5f7fed5bd671ac
SHA512 c03246eb2f8d5c73fe05dd3dba966429ac96470e825bff0bc8897490aba26530fad876e78d892166d08daf8c359629272059c8b829a453a60a1ecd4605e3066f

/data/user/0/com.llldjydh.tpolrlz/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 0c8806dacc9e6c7467c8e4c23cebbc17
SHA1 053330daf73f696d5d2042bc5946bc7e9113c670
SHA256 9f0b91a98e4a5f9b07ba2d6bfc19baa557667e76dc6442c22ef3fad76849dfec
SHA512 c87c0cae709bfa591212445465991d5f71cc55e5e8a1d2bbf07e5e7284a2dfcc5fb66532f6d12f81f70abaf5492bacdc0f1171cb0a3cbb2560689a294d4fb42b

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-18 10:17

Reported

2024-04-18 10:19

Platform

android-x64-20240221-en

Max time kernel

153s

Max time network

143s

Command Line

com.llldjydh.tpolrlz

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.llldjydh.tpolrlz/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Reads information about phone network operator

discovery

Processes

com.llldjydh.tpolrlz

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip-api.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 1.1.1.1:53 gist.githubusercontent.com udp
US 185.199.111.133:443 gist.githubusercontent.com tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 216.58.213.4:443 tcp
GB 216.58.213.4:443 tcp

Files

/data/data/com.llldjydh.tpolrlz/code_cache/secondary-dexes/tmp-base.apk.classes4991936825748555765.zip

MD5 a4a3588d014de7ba37b239e049c77285
SHA1 00c31b7ad4a8848fc258d52e15e333656cbcc228
SHA256 07bbc2aaba4b2a0c95cb7e90044fd515a78fc96d678d807034eff94630eeee06
SHA512 e0fc44be247555b1d396d73d28073587221af415b2957039e337057b969cc911593956ab80175dd55f614cafc79df7faaef22a99a8852559c83991434e71bb1c

/data/user/0/com.llldjydh.tpolrlz/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 f63966c50ea4eed0d2ad9183b842efdd
SHA1 ff3787b8a1e285482c8f154e05c4a2b696fabb2d
SHA256 0f2017b7f0b8a662df4725742be504af37e4a9bdfe4e7abdea5f7fed5bd671ac
SHA512 c03246eb2f8d5c73fe05dd3dba966429ac96470e825bff0bc8897490aba26530fad876e78d892166d08daf8c359629272059c8b829a453a60a1ecd4605e3066f

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-18 10:17

Reported

2024-04-18 10:19

Platform

android-x64-arm64-20240221-en

Max time kernel

149s

Max time network

141s

Command Line

com.llldjydh.tpolrlz

Signatures

Hydra

banker trojan infostealer hydra

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.llldjydh.tpolrlz/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Reads information about phone network operator

discovery

Processes

com.llldjydh.tpolrlz

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.74:443 udp
GB 216.58.213.14:443 udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 1.1.1.1:53 gist.githubusercontent.com udp
US 185.199.111.133:443 gist.githubusercontent.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
GB 172.217.169.4:443 tcp
GB 172.217.169.4:443 tcp

Files

/data/user/0/com.llldjydh.tpolrlz/code_cache/secondary-dexes/tmp-base.apk.classes1911640939968267407.zip

MD5 a4a3588d014de7ba37b239e049c77285
SHA1 00c31b7ad4a8848fc258d52e15e333656cbcc228
SHA256 07bbc2aaba4b2a0c95cb7e90044fd515a78fc96d678d807034eff94630eeee06
SHA512 e0fc44be247555b1d396d73d28073587221af415b2957039e337057b969cc911593956ab80175dd55f614cafc79df7faaef22a99a8852559c83991434e71bb1c

/data/user/0/com.llldjydh.tpolrlz/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 f63966c50ea4eed0d2ad9183b842efdd
SHA1 ff3787b8a1e285482c8f154e05c4a2b696fabb2d
SHA256 0f2017b7f0b8a662df4725742be504af37e4a9bdfe4e7abdea5f7fed5bd671ac
SHA512 c03246eb2f8d5c73fe05dd3dba966429ac96470e825bff0bc8897490aba26530fad876e78d892166d08daf8c359629272059c8b829a453a60a1ecd4605e3066f

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-18 10:17

Reported

2024-04-18 10:17

Platform

android-x86-arm-20240221-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-18 10:17

Reported

2024-04-18 10:17

Platform

android-x64-20240221-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-18 10:17

Reported

2024-04-18 10:17

Platform

android-x64-arm64-20240221-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.10:443 udp
GB 142.250.200.14:443 udp

Files

N/A