Analysis

  • max time kernel
    178s
  • max time network
    134s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    28/07/2024, 01:03 UTC

General

  • Target

    0463719b17d6d11d364aefe067669468_JaffaCakes118.apk

  • Size

    4.7MB

  • MD5

    0463719b17d6d11d364aefe067669468

  • SHA1

    e7dc170ecb885081a95c9ca6940bbb2b8c6d2ae9

  • SHA256

    afe9d5ea1d5b43b83c35ec40464a1dbe05ffeb563c059cba0b8e153a90d87e08

  • SHA512

    b97a43174028b3ded889f0f3c77947b847da2a45d81a8fd03b4057c7e1f3c3de91488c3c85beb99ecdca55ed55669e6418d05cc1b653676cd4a1afd1660aa8f7

  • SSDEEP

    98304:38iFw0+DXKG6sgZOkLQphj3vmw+v+wzQNqttVbvqZKfGgp4JI:3B+7KG6Z4hrRe+wzhFbS4f4O

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Hydra payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs

Processes

  • cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    PID:4450

Network

  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.178.14
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Authorization: 26a1b1020753576f
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Sun, 28 Jul 2024 01:03:58 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 311
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    gist.githubusercontent.com
    Remote address:
    1.1.1.1:53
    Request
    gist.githubusercontent.com
    IN A
    Response
    gist.githubusercontent.com
    IN A
    185.199.111.133
    gist.githubusercontent.com
    IN A
    185.199.109.133
    gist.githubusercontent.com
    IN A
    185.199.108.133
    gist.githubusercontent.com
    IN A
    185.199.110.133
  • flag-us
    GET
    https://gist.githubusercontent.com/freel4nc3r/c10c58f61cd0a4e1ad5e1b7a3c31fb77/raw/gistfile1.json
    Remote address:
    185.199.111.133:443
    Request
    GET /freel4nc3r/c10c58f61cd0a4e1ad5e1b7a3c31fb77/raw/gistfile1.json HTTP/1.1
    Authorization: 26a1b1020753576f
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: gist.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 31D2:1F6895:DC4B2:11AE32:66A598FF
    Accept-Ranges: bytes
    Date: Sun, 28 Jul 2024 01:03:59 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lcy-eglc8600035-LCY
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1722128639.045704,VS0,VE125
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: f45e7e30c1581509eb252fea9e8be6d3a70b244a
    Expires: Sun, 28 Jul 2024 01:08:59 GMT
    Source-Age: 0
  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    216.58.204.72
  • 172.217.16.238:443
    tls, https
    1.5kB
    40 B
    1
    1
  • 142.250.178.14:443
    android.apis.google.com
    tls
    5.6kB
    8.7kB
    24
    24
  • 142.250.178.14:443
    android.apis.google.com
    tls
    1.8kB
    5.8kB
    11
    11
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    452 B
    660 B
    5
    4

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200
  • 185.199.111.133:443
    https://gist.githubusercontent.com/freel4nc3r/c10c58f61cd0a4e1ad5e1b7a3c31fb77/raw/gistfile1.json
    tls, http
    1.6kB
    5.9kB
    13
    13

    HTTP Request

    GET https://gist.githubusercontent.com/freel4nc3r/c10c58f61cd0a4e1ad5e1b7a3c31fb77/raw/gistfile1.json

    HTTP Response

    404
  • 216.58.204.72:443
    ssl.google-analytics.com
    tls
    1.3kB
    5.9kB
    8
    9
  • 142.250.187.196:443
    tls, https
    847 B
    40 B
    2
    1
  • 142.250.187.196:443
    www.google.com
    tls
    11.2kB
    12.8kB
    31
    42
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.178.14

  • 1.1.1.1:53
    ip-api.com
    dns
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 1.1.1.1:53
    gist.githubusercontent.com
    dns
    72 B
    136 B
    1
    1

    DNS Request

    gist.githubusercontent.com

    DNS Response

    185.199.111.133
    185.199.109.133
    185.199.108.133
    185.199.110.133

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    216.58.204.72

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json

    Filesize

    2.9MB

    MD5

    0cb066c7a2a1249ee30d8b90b238402a

    SHA1

    5cbb73cd307d5c0ee7103fdd999bad8a46ee7bd0

    SHA256

    2f6bd86c2b5b099e103dd4bce68a6381168252c2cc79877f6f98bc22c9ca452e

    SHA512

    0f322b15d2118a5956dee6996c8eeeba704595e04de3f7196a3f64f2204cb430f257bb0c46242d16e9d9a6b6cf3e36888849707bbceb89fe25f9269ee677eda5

  • /data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json

    Filesize

    2.9MB

    MD5

    af3ef3631ec1dfc409b5b6386931ea4a

    SHA1

    98bbfc27653cbef6dd710ca9bcb3d99c4f650993

    SHA256

    9016b8bd33393af5e6ae56386513afa0f67f6a664ad5f9f121895a76af963e80

    SHA512

    3af0794561a7bbd07629c3a59c3205465e7c74d90f352fd1f5eb259ac32f13111f9cef80960348ba11b705f75c0cdcc91edc80a83b46df19e2398c526a409e7a
