Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted
    20-04-2024 03:14

General

  • Target

    fbce0fa1e53ef16d6ee54dab524dc638_JaffaCakes118.apk

  • Size

    2.3MB

  • MD5

    fbce0fa1e53ef16d6ee54dab524dc638

  • SHA1

    cc8f2b3fd8cb8bc3f8162f76aada315cf04af25e

  • SHA256

    340bfbd674dd9389b4c7148cf5ee004f641d0dc94753e1fe66acc98cd9ae525b

  • SHA512

    eb26bce41bddbe68959ed297ee4b75dacc1aa52de6c424088e852a3ea3c3ff10935e47b84abe8be1f0598b096b33c280b552c9afb8ac25820ef009427d90f000

  • SSDEEP

    49152:amikfiYdl5iD4PcZjyzW+fxN4msHghLVLuiG2E50Z1dtXvauye3Z9ISZ+4gUNOaY:agi45MqFW+fQmhfLuiG2EyfrXvQe3pyT

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Loads dropped Dex/Jar (1 TTP, 1 IoC)

    Runs executable file dropped to the device during analysis.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Checks if the internet connection is available (1 TTP, 1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads information about phone network operator (1 TTP)

Processes

  • com.kqwujceu.dphptbo (PID: 4191)
    • Makes use of the framework's Accessibility service
    • Loads dropped Dex/Jar
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks if the internet connection is available

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.kqwujceu.dphptbo/code_cache/secondary-dexes/tmp-base.apk.classes8382375100953823377.zip

    Filesize

    378KB

    MD5

    5eb281ee2d87ef6272c471f66f4630cb

    SHA1

    07afaa24448be60a8b2be8984a4483a74c46e721

    SHA256

    e8ff132d9a70da07f72324da1782c0463484842bed60a83d13bca3533b46cb43

    SHA512

    9bf65ca548b4cfb157e2671be62b1ac4524a871938b8496d8afda890a0da8ec2bbc691bfb3689868d0ff2adca338ff133b3c043416253960158a4a29990994d3

  • /data/user/0/com.kqwujceu.dphptbo/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    9ac4740eeaeb38cc99d94b8634d1aac1

    SHA1

    dd3f338ae9437fcc22ccf38d026f49222c1c9b9e

    SHA256

    ed1275e3b1e3beec7ec5e348f08fdabde8cba1af9fc14d9feab4ae8bb6d4d167

    SHA512

    d4c21fca70b6de9e3545a792dd21ca0c63bc7cc67583a636f0a56e5238f66223f50b964ce5cd1d236f647f64aa36515c20c9197a96ecc98554e3b2d1c6e07387