Malware Analysis Report

2024-10-19 12:04

Sample ID 240728-beqcqssane
Target 0463719b17d6d11d364aefe067669468_JaffaCakes118
SHA256 afe9d5ea1d5b43b83c35ec40464a1dbe05ffeb563c059cba0b8e153a90d87e08
Tags
hydra banker collection credential_access discovery evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

afe9d5ea1d5b43b83c35ec40464a1dbe05ffeb563c059cba0b8e153a90d87e08

Threat Level: Known bad

The file 0463719b17d6d11d364aefe067669468_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Hydra

Hydra payload

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Looks up external IP address via web service

Queries information about active data network

Queries the mobile country code (MCC)

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-28 01:03

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
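The three static1 signatures above all come from the APK manifest, but from two different places in it: "Requests dangerous framework permissions" is the list of uses-permission entries, while the two "Declares ... with permission" signatures come from the android:permission attribute on a service or receiver, which is the permission a caller must hold to bind to that component (only the system holds BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN, so their presence means the app hosts an accessibility service and a device admin receiver). The following Python is an added example, not part of this report or the sandbox, that derives the same findings from a decoded manifest. The manifest text is constructed for the example: the package name is the one in this report, the component names (.AccService, .AdminReceiver) are hypothetical, and a real APK's binary manifest must first be decoded (apktool or androguard) before it can be parsed as XML.

```python
"""Derive the static1 manifest signatures from an AndroidManifest.xml.

Added example, not the report's or the sandbox's own code. SAMPLE_MANIFEST is
CONSTRUCTED to mirror the static1 findings; component names are hypothetical.
"""
import json
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute prefix

# Permissions the report lists under "Requests dangerous framework permissions".
DANGEROUS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.CALL_PHONE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Signature-level permissions a component requires of its binder; only the OS
# holds them, so declaring one marks the component as that kind of service.
SYSTEM_BIND = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}

# Constructed sample manifest (package from the report, component names hypothetical).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def check_manifest(xml_text: str) -> dict:
    """Return requested dangerous permissions, system-bound components and
    whether the accessibility + overlay + SMS combination is present."""
    root = ET.fromstring(xml_text)
    requested = {u.get(A + "name") for u in root.iter("uses-permission")}
    findings = {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS),
        "system_bound": [],  # (component tag, component name, what it is)
    }
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            kind = SYSTEM_BIND.get(comp.get(A + "permission"))
            if kind:
                findings["system_bound"].append((tag, comp.get(A + "name"), kind))
    # Accessibility service + overlay window + SMS access in one package is the
    # capability set an overlay/credential-stealing banker needs; flag it as a unit.
    has_a11y = any(k == "accessibility service" for _, _, k in findings["system_bound"])
    has_overlay = "android.permission.SYSTEM_ALERT_WINDOW" in requested
    has_sms = bool({"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"} & requested)
    findings["banker_profile"] = has_a11y and has_overlay and has_sms
    return findings


if __name__ == "__main__":
    print(json.dumps(check_manifest(SAMPLE_MANIFEST), indent=2))
```

INTERNET is requested in the sample but is a normal permission, so it does not appear under "dangerous"; the function only reports the permissions the report itself classifies that way.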

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 01:03

Reported

2024-07-28 01:06

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

131s

Command Line

cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json N/A N/A
N/A /data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json N/A N/A
N/A /data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/oat/x86/yWmxt.odex --compiler-filter=quicken --class-loader-context=&
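The "Loads dropped Dex/Jar" signature and the dex2oat process above describe the same event from two sides: the app writes a file named yWmxt.json into its private app_DynamicOptDex directory, then the runtime compiles it as DEX (--dex-file=...yWmxt.json, --oat-location=...app_DynamicOptDex/oat/x86/yWmxt.odex). The extension is cosmetic; the content is what dex2oat compiled. The Python below is an added example, not part of this report or the sandbox, with the two checks a triager would run on this evidence: confirm by magic bytes that a "json" file is really DEX, and parse a dex2oat command line to flag a dex input sitting in app-private storage under a non-code extension. The command line is the one recorded above; the byte samples fed to is_dex() are constructed for the example.

```python
"""Triage checks for dynamically loaded DEX: content magic and dex2oat args.

Added example, not the report's or the sandbox's own code. DEX2OAT_CMD is the
command line recorded in the report; the byte strings in the test/usage are
constructed.
"""
import re
import shlex

# A DEX file begins with "dex\n" + three-digit version + NUL (e.g. dex\n035\0).
DEX_MAGIC = re.compile(rb"^dex\n\d{3}\x00")
CODE_EXTS = (".dex", ".apk", ".jar", ".zip", ".odex", ".vdex")
# /data/user/<n>/<pkg>/ and /data/data/<pkg>/ are app-private storage.
APP_PRIVATE = re.compile(r"^/data/(?:user/\d+|data)/([^/]+)/")

DEX2OAT_CMD = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/oat/x86/yWmxt.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)


def is_dex(blob: bytes) -> bool:
    """True if the first bytes carry the DEX header magic, whatever the file name."""
    return DEX_MAGIC.match(blob[:8]) is not None


def parse_dex2oat(cmdline: str) -> dict:
    """Pull --dex-file / --oat-location / --class-loader-context out of a
    dex2oat command line and rate it: an input in app-private storage with a
    non-code extension is the dropped-payload pattern seen in this report."""
    argv = shlex.split(cmdline)
    opts = {}
    for arg in argv[1:]:
        if arg.startswith("--") and "=" in arg:
            key, val = arg[2:].split("=", 1)
            opts.setdefault(key, []).append(val)  # some options repeat
    dex_file = opts.get("dex-file", [None])[0]
    result = {
        "tool": argv[0],
        "dex_file": dex_file,
        "oat_location": opts.get("oat-location", [None])[0],
        "class_loader_context": opts.get("class-loader-context", [None])[0],
        "package": None,
        "reasons": [],
    }
    if dex_file:
        m = APP_PRIVATE.match(dex_file)
        if m:
            result["package"] = m.group(1)
            result["reasons"].append("dex input in app-private storage")
        if not dex_file.lower().endswith(CODE_EXTS):
            result["reasons"].append("dex input has a non-code extension")
    # ART encodes a class loader it cannot describe (a custom/foreign
    # ClassLoader rather than the app's PathClassLoader) as "&".
    if result["class_loader_context"] == "&":
        result["reasons"].append("class loader context '&' (foreign ClassLoader)")
    result["suspicious"] = len(result["reasons"]) >= 2
    return result


if __name__ == "__main__":
    # Constructed samples: a minimal DEX-magic prefix and a real JSON document.
    print(is_dex(b"dex\n035\x00" + bytes(24)), is_dex(b'{"config": 1}'))
    print(parse_dex2oat(DEX2OAT_CMD))
```

On a live device or an emulator image, the same check is `head -c 8 .../app_DynamicOptDex/yWmxt.json | xxd`: a file that dex2oat accepted will show the dex\n0NN magic, not an opening brace.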

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 1.1.1.1:53 gist.githubusercontent.com udp
US 185.199.109.133:443 gist.githubusercontent.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp

Files

/data/data/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json

MD5 0cb066c7a2a1249ee30d8b90b238402a
SHA1 5cbb73cd307d5c0ee7103fdd999bad8a46ee7bd0
SHA256 2f6bd86c2b5b099e103dd4bce68a6381168252c2cc79877f6f98bc22c9ca452e
SHA512 0f322b15d2118a5956dee6996c8eeeba704595e04de3f7196a3f64f2204cb430f257bb0c46242d16e9d9a6b6cf3e36888849707bbceb89fe25f9269ee677eda5

/data/data/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json

MD5 af3ef3631ec1dfc409b5b6386931ea4a
SHA1 98bbfc27653cbef6dd710ca9bcb3d99c4f650993
SHA256 9016b8bd33393af5e6ae56386513afa0f67f6a664ad5f9f121895a76af963e80
SHA512 3af0794561a7bbd07629c3a59c3205465e7c74d90f352fd1f5eb259ac32f13111f9cef80960348ba11b705f75c0cdcc91edc80a83b46df19e2398c526a409e7a

/data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json

MD5 318f448d9dae827d475c6347a8e34a54
SHA1 fc9639e79e4470bb492cab565c8e54e9f5accbe6
SHA256 5593acd8257991c66f847229c58252c189e614b2f593f97640d870a19080988d
SHA512 dfa5c9855dffe3b3b7321fe0f82234d883f33ad1067881b42419c6fed88b91c36e72a697bca8e82246a1202084cfa1c0455bf0402cda7eaf504c41c05ca12b0f

/data/data/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/oat/yWmxt.json.cur.prof

MD5 41156a29a9b3ff50a9c06b0369558498
SHA1 2e72c80abbe517cc29609de4b18f2fd8b12e75b4
SHA256 40e05f9dafb3e9ae2ca546758a8d74536aeee4245f6ae986ca3f176f235e6864
SHA512 d4b0492672c1d27f8970b3aad7dd051f47d5008f66691b051f7fefb7d4946dea6ec2ab5484edfbb8416c7814bf8458bc6d61ba20d193104bc5f939fa868c9891

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-28 01:03

Reported

2024-07-28 01:06

Platform

android-x64-20240624-en

Max time kernel

178s

Max time network

137s

Command Line

cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json N/A N/A
N/A /data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 1.1.1.1:53 gist.githubusercontent.com udp
US 185.199.109.133:443 gist.githubusercontent.com tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp

Files

/data/data/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json

MD5 0cb066c7a2a1249ee30d8b90b238402a
SHA1 5cbb73cd307d5c0ee7103fdd999bad8a46ee7bd0
SHA256 2f6bd86c2b5b099e103dd4bce68a6381168252c2cc79877f6f98bc22c9ca452e
SHA512 0f322b15d2118a5956dee6996c8eeeba704595e04de3f7196a3f64f2204cb430f257bb0c46242d16e9d9a6b6cf3e36888849707bbceb89fe25f9269ee677eda5

/data/data/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json

MD5 af3ef3631ec1dfc409b5b6386931ea4a
SHA1 98bbfc27653cbef6dd710ca9bcb3d99c4f650993
SHA256 9016b8bd33393af5e6ae56386513afa0f67f6a664ad5f9f121895a76af963e80
SHA512 3af0794561a7bbd07629c3a59c3205465e7c74d90f352fd1f5eb259ac32f13111f9cef80960348ba11b705f75c0cdcc91edc80a83b46df19e2398c526a409e7a

/data/data/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/oat/yWmxt.json.cur.prof

MD5 b37f3534a30ae1b5d30c4b1c906735c7
SHA1 6fa5243ff9a3f4003a3fe5f25ad77c5fa2f9c62c
SHA256 161bb2e897e7f3fb2c5c33314a34d4545cee7e0fbe1fbc318421674e9d16e5fb
SHA512 31b060abfd5483dc55b6039b0bf033ccbea2b1b2c64b2d2df2116959dc76c229ad730e06b02b28898d9669660ddb641c25d3de21ad4d06e4b13a51d4b5514259

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-28 01:03

Reported

2024-07-28 01:06

Platform

android-x64-arm64-20240624-en

Max time kernel

178s

Max time network

134s

Command Line

cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json N/A N/A
N/A /data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Processes

cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 1.1.1.1:53 gist.githubusercontent.com udp
US 185.199.111.133:443 gist.githubusercontent.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp

Files

/data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json

MD5 0cb066c7a2a1249ee30d8b90b238402a
SHA1 5cbb73cd307d5c0ee7103fdd999bad8a46ee7bd0
SHA256 2f6bd86c2b5b099e103dd4bce68a6381168252c2cc79877f6f98bc22c9ca452e
SHA512 0f322b15d2118a5956dee6996c8eeeba704595e04de3f7196a3f64f2204cb430f257bb0c46242d16e9d9a6b6cf3e36888849707bbceb89fe25f9269ee677eda5

/data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json

MD5 af3ef3631ec1dfc409b5b6386931ea4a
SHA1 98bbfc27653cbef6dd710ca9bcb3d99c4f650993
SHA256 9016b8bd33393af5e6ae56386513afa0f67f6a664ad5f9f121895a76af963e80
SHA512 3af0794561a7bbd07629c3a59c3205465e7c74d90f352fd1f5eb259ac32f13111f9cef80960348ba11b705f75c0cdcc91edc80a83b46df19e2398c526a409e7a
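Across the three behavioral runs the Network and Files tables repeat with small differences, and the useful signal is in the overlap: which hosts every run contacted regardless of platform, and which dropped path was observed with more than one SHA256 inside a single run (behavioral1 records yWmxt.json three times with three different hashes, so the file was rewritten during execution). The Python below is an added example, not part of this report or the sandbox, that parses the report's own plain-text layout (a "Country Destination Domain Proto" row, and a path followed by MD5/SHA1/SHA256/SHA512 lines) and answers both questions. RUNS is an excerpt of this report's behavioral1..3 tables, trimmed to the rows needed; rows with no Domain value are the ones the sandbox did not attribute to a name.

```python
"""Correlate Network and Files tables across sandbox runs.

Added example, not the report's or the sandbox's own code. RUNS is an excerpt
of the report's own tables (behavioral1..3), not a full copy.
"""
import re
from collections import defaultdict

# "Country Destination Domain Proto" row; the Domain column may be absent.
NET_ROW = re.compile(
    r"^(?P<cc>[A-Z]{2}|N/A)\s+(?P<dst>[0-9A-Fa-f.:\[\]]+:\d+)\s+(?:(?P<dom>\S+)\s+)?(?P<proto>tcp|udp)$"
)
HASH_ROW = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")

RUNS = [
    {"name": "behavioral1", "network": """
N/A 224.0.0.251:5353 udp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 208.95.112.1:80 ip-api.com tcp
US 185.199.109.133:443 gist.githubusercontent.com tcp
GB 172.217.16.238:443 android.apis.google.com tcp
""", "files": """
/data/data/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json
SHA256 2f6bd86c2b5b099e103dd4bce68a6381168252c2cc79877f6f98bc22c9ca452e
/data/data/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json
SHA256 9016b8bd33393af5e6ae56386513afa0f67f6a664ad5f9f121895a76af963e80
/data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json
SHA256 5593acd8257991c66f847229c58252c189e614b2f593f97640d870a19080988d
/data/data/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/oat/yWmxt.json.cur.prof
SHA256 40e05f9dafb3e9ae2ca546758a8d74536aeee4245f6ae986ca3f176f235e6864
"""},
    {"name": "behavioral2", "network": """
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 185.199.109.133:443 gist.githubusercontent.com tcp
GB 142.250.178.14:443 android.apis.google.com tcp
""", "files": """
/data/data/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json
SHA256 2f6bd86c2b5b099e103dd4bce68a6381168252c2cc79877f6f98bc22c9ca452e
/data/data/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json
SHA256 9016b8bd33393af5e6ae56386513afa0f67f6a664ad5f9f121895a76af963e80
"""},
    {"name": "behavioral3", "network": """
GB 142.250.178.14:443 android.apis.google.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 185.199.111.133:443 gist.githubusercontent.com tcp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
""", "files": """
/data/user/0/cxu.smnlgnhuqdihggdl.oxynkjgraxubptjtmitri/app_DynamicOptDex/yWmxt.json
SHA256 2f6bd86c2b5b099e103dd4bce68a6381168252c2cc79877f6f98bc22c9ca452e
"""},
]


def parse_network(section: str):
    """Return [(country, dest, domain-or-empty, proto)] for every table row."""
    return [(m["cc"], m["dst"], m["dom"] or "", m["proto"])
            for m in (NET_ROW.match(l.strip()) for l in section.splitlines()) if m]


def parse_files(section: str):
    """Return [(path, {algo: hexdigest})], one entry per path occurrence."""
    records, cur = [], None
    for line in (l.strip() for l in section.splitlines()):
        if line.startswith("/"):
            cur = (line, {})
            records.append(cur)
        elif cur and (m := HASH_ROW.match(line)):
            cur[1][m.group(1)] = m.group(2)
    return records


def rewritten_paths(section: str) -> dict:
    """Paths seen with more than one distinct SHA256 within one run.
    /data/data/<pkg> and /data/user/0/<pkg> name the same directory."""
    seen = defaultdict(set)
    for path, hashes in parse_files(section):
        if "SHA256" in hashes:
            seen[re.sub(r"^/data/data/", "/data/user/0/", path)].add(hashes["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def correlate(runs) -> dict:
    per_run = [{d for _, _, d, _ in parse_network(r["network"]) if d} for r in runs]
    return {
        "common_domains": sorted(set.intersection(*per_run)) if per_run else [],
        "rewritten": {r["name"]: rewritten_paths(r["files"]) for r in runs},
    }


if __name__ == "__main__":
    print(correlate(RUNS))
```

Hosts present in every run are the ones worth carrying into detection content; ip-api.com is already explained by the "Looks up external IP address" signature, while the report attributes no signature to gist.githubusercontent.com, so that connection is the one to pull the pcap for. The rewritten yWmxt.json is the reason behavioral1 lists three hashes for one path: each hash is a different snapshot of the same file, and all three are worth retaining.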