Malware Analysis Report

2024-10-19 12:04

Sample ID 240728-bg171ssckf
Target 04740989c14ab33a2ff2696db96d0c1f_JaffaCakes118
SHA256 5cb252c70a223901b3005816ddd87a0e7e67f32bb44af63cb6dc1482f9bcd577
Tags
hydra banker collection credential_access discovery evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5cb252c70a223901b3005816ddd87a0e7e67f32bb44af63cb6dc1482f9bcd577

Threat Level: Known bad

The file 04740989c14ab33a2ff2696db96d0c1f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer persistence trojan

Hydra

Hydra payload

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Reads information about phone network operator

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Looks up external IP address via web service

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-28 01:07

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
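The permission set above is what a static triage script should key on: SMS read/send/receive, an overlay window, package installation, plus a service that the system may bind with BIND_ACCESSIBILITY_SERVICE and a receiver bound with BIND_DEVICE_ADMIN. As an added example (not part of the sandbox report or its tooling), the Python below parses a decoded AndroidManifest.xml, such as the one `apktool d sample.apk` writes, and reports exactly those findings. The embedded manifest is constructed to mirror this report's static1 results; its package and component names are placeholders, not the sample's, and the "banker triad" flag is an analyst heuristic, not a sandbox signature.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission and
component pattern flagged in this report. Added example, not sandbox code.
The manifest below is constructed; package/component names are placeholders."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for android: attributes

# Runtime ("dangerous") permissions the report lists under
# "Requests dangerous framework permissions".
DANGEROUS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
# Special-access permissions granted via Settings screens, not a runtime
# prompt; overlays and side-loading are what bankers use them for.
SPECIAL = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
# Permissions the app does not hold itself: it declares them on a component
# so that only the system can bind to that component.
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = {
        "dangerous": sorted(requested & DANGEROUS),
        "special": sorted(requested & SPECIAL),
        "accessibility_services": [],
        "device_admin_receivers": [],
    }
    app = root.find("application")
    if app is not None:
        for svc in app.iter("service"):
            if svc.get(A + "permission") == BIND_ACCESSIBILITY:
                findings["accessibility_services"].append(svc.get(A + "name"))
        for rcv in app.iter("receiver"):
            if rcv.get(A + "permission") == BIND_DEVICE_ADMIN:
                findings["device_admin_receivers"].append(rcv.get(A + "name"))
    # Analyst heuristic (not a sandbox signature): SMS access + an
    # accessibility service + overlay permission is the Android banker triad.
    has_sms = any(p.endswith("_SMS") for p in findings["dangerous"])
    findings["banker_triad"] = bool(
        has_sms
        and findings["accessibility_services"]
        and "android.permission.SYSTEM_ALERT_WINDOW" in findings["special"]
    )
    return findings


# Constructed manifest echoing the static1 findings; not the sample's manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.placeholder.app">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="placeholder">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The APK ships the manifest as binary XML, so run it through apktool (or another decoder) first; INTERNET is deliberately not in the dangerous set because it is a normal-protection permission and would only add noise.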

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 01:07

Reported

2024-07-28 01:10

Platform

android-x86-arm-20240624-en

Max time kernel

178s

Max time network

132s

Command Line

wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/TD.json | N/A | N/A
N/A | /data/user/0/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/TD.json | N/A | N/A
N/A | /data/user/0/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/TD.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/TD.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/oat/x86/TD.odex --compiler-filter=quicken --class-loader-context=&
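The dex2oat command line above is ART compiling `app_DynamicOptDex/TD.json` as a DEX file: the `.json` name is cosmetic, and the sandbox's "Loads dropped Dex/Jar" signature fires on the load, not on the name. As an added example (not the sandbox's code), the Python below classifies files from a pulled app data directory by their leading bytes rather than their extension, records the DEX format version, and checks each SHA-256 against the three TD.json digests listed under Files in this report. The blobs at the bottom are constructed headers so that the script runs offline; `walk_app_dir` is the only part that reads a real pull (for instance `adb pull /data/data/<package>`, which needs a rooted device or emulator image).

```python
"""Spot dropped DEX/JAR payloads by content, not file name, and hash them for
IOC matching. Added example for this report, not the sandbox's own code; the
blobs at the bottom are constructed headers, not the real TD.json."""
import hashlib
import os

# Leading bytes of the artefacts a dynamic-loading banker leaves in its data
# directory. A DEX header is "dex\n" + 3-digit version + NUL (e.g. 035).
MAGIC = (
    (b"dex\n", "dex"),       # payload handed to DexClassLoader / InMemoryDexClassLoader
    (b"PK\x03\x04", "zip"),  # JAR/APK container, also loadable by DexClassLoader
    (b"\x7fELF", "elf"),     # .odex/.oat emitted by dex2oat on current ART
    (b"vdex", "vdex"),       # verifier data written beside the .odex
)
CODE_EXTS = {".dex", ".jar", ".apk", ".odex", ".oat", ".vdex"}

# SHA-256 values of the three TD.json versions listed in this report.
KNOWN_DROPPED = {
    "563ddf7dc401b739398eb480663a0ca44c7592b189e51fe82539349ef1670f98",
    "cb624aaa4569cdffc9f9706638a90d33a6bb180ad31cb7a9a5f238ca99e32919",
    "0ca14ee40198a3538d3132fb585555ac1c2ee062dd1a019406f0cab0a845871d",
}


def classify_blob(data: bytes) -> str:
    """Container type from the magic bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def dex_version(data: bytes):
    """DEX format version ('035', '039', ...) or None if the blob is not DEX."""
    if classify_blob(data) != "dex" or len(data) < 8 or data[7] != 0:
        return None
    return data[4:7].decode("ascii", "replace")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_blobs(items):
    """items: iterable of (path, bytes). One record per blob that is code."""
    hits = []
    for path, data in items:
        kind = classify_blob(data)
        if kind == "unknown":
            continue
        ext = os.path.splitext(path)[1].lower()
        digest = sha256_hex(data)
        hits.append({
            "path": path,
            "kind": kind,
            "dex_version": dex_version(data),
            "sha256": digest,
            # Executable code behind a .json/.txt/.png name is the tell.
            "masquerading": ext not in CODE_EXTS,
            "known_ioc": digest in KNOWN_DROPPED,
        })
    return hits


def walk_app_dir(root_dir):
    """Yield (path, bytes) for every file under a pulled app data directory."""
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                yield path, fh.read()


# Constructed blobs (not the real sample): a bare DEX 035 header, a ZIP header
# and a genuine JSON document, laid out like an app data directory.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 64
FAKE_JAR = b"PK\x03\x04" + b"\x00" * 26
SAMPLE_ITEMS = [
    ("app_DynamicOptDex/TD.json", FAKE_DEX),
    ("files/config.json", b'{"k": 1}'),
    ("cache/lib.jar", FAKE_JAR),
]

if __name__ == "__main__":
    for hit in triage_blobs(SAMPLE_ITEMS):
        print(hit)
    # Against a real pull: triage_blobs(walk_app_dir("/path/to/pulled/data"))
```

Matching the hash is the weak check here: the report already shows the dropped file being rewritten with three different digests across runs, so the `masquerading` flag (code magic under a non-code extension) is the durable signal, and the hash list is only for confirming a known copy.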

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.204.74:443 | N/A | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.109.133:443 | gist.githubusercontent.com | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp

Files

/data/data/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/TD.json

MD5 f010ee9359c9f821774826bf6bc7455a
SHA1 bdff7af978ec5e7bde75e2bcd7ee61d7796d26fc
SHA256 563ddf7dc401b739398eb480663a0ca44c7592b189e51fe82539349ef1670f98
SHA512 7c4977760e5829b572d93cf4906bc86daabaa2f2f2d54b1fd83cd2eadb71b2087c8ce12c2de795ef2b8f8f38790b8b8a723d1f9e7487cbd9e104974e054c0f14

/data/data/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/TD.json

MD5 bd8a27efbb8d2a97b998e3203f746088
SHA1 ac6748fd08597745f5fba12dba7d34aac2885f30
SHA256 cb624aaa4569cdffc9f9706638a90d33a6bb180ad31cb7a9a5f238ca99e32919
SHA512 74ebcceda9519767dca9dc84e3d98861816c2cdbf399dcf1cecb34cc1814d615e5341bf5cd66d07a1c9d104790c1bd594452c6449970c9a6f7c0c51124593da4

/data/user/0/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/TD.json

MD5 c0fe969dcfe2a5283297a9a42eca43ee
SHA1 b04d2ae45af469b87753ec0c4e29bcc4a9e47796
SHA256 0ca14ee40198a3538d3132fb585555ac1c2ee062dd1a019406f0cab0a845871d
SHA512 2d21e2342aa61c236868a7da3f1a073d59b4d6228c578fb5b600aae2fdc2a4da80fcdf5d8baa404f0411fc6ce0b5c73b731a192944cd918e96c5795778253caf

/data/data/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/oat/TD.json.cur.prof

MD5 48bdad666ed02b06db410c1786f323da
SHA1 df164ad79b297e42aa9b738c5cf9eb110dc18e57
SHA256 a0bafdc846af871177b1836725a1ff95975539c26eecea1e4b2f0b62185f08d4
SHA512 192ca977845f7a31f341df884c44da74fcdf759e06f384c447f3a19b74cf6b3dce70841819bf636db613e211bfb1bf6d4ddac03eae65ca3eebdf9dd5be912983

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-28 01:07

Reported

2024-07-28 01:10

Platform

android-x64-20240624-en

Max time kernel

178s

Max time network

149s

Command Line

wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/TD.json | N/A | N/A
N/A | /data/user/0/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/TD.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.109.133:443 | gist.githubusercontent.com | tcp
GB | 142.250.179.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 142.250.180.4:443 | N/A | tcp
GB | 142.250.180.4:443 | N/A | tcp
GB | 216.58.201.98:443 | N/A | tcp
GB | 172.217.169.46:443 | N/A | tcp

Files

/data/data/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/TD.json

MD5 f010ee9359c9f821774826bf6bc7455a
SHA1 bdff7af978ec5e7bde75e2bcd7ee61d7796d26fc
SHA256 563ddf7dc401b739398eb480663a0ca44c7592b189e51fe82539349ef1670f98
SHA512 7c4977760e5829b572d93cf4906bc86daabaa2f2f2d54b1fd83cd2eadb71b2087c8ce12c2de795ef2b8f8f38790b8b8a723d1f9e7487cbd9e104974e054c0f14

/data/data/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/TD.json

MD5 bd8a27efbb8d2a97b998e3203f746088
SHA1 ac6748fd08597745f5fba12dba7d34aac2885f30
SHA256 cb624aaa4569cdffc9f9706638a90d33a6bb180ad31cb7a9a5f238ca99e32919
SHA512 74ebcceda9519767dca9dc84e3d98861816c2cdbf399dcf1cecb34cc1814d615e5341bf5cd66d07a1c9d104790c1bd594452c6449970c9a6f7c0c51124593da4

/data/data/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/oat/TD.json.cur.prof

MD5 26c4cf31d0d016104d427e89dd75e412
SHA1 271bd88765a72fb6a641f28f3f1a08bfd2a97728
SHA256 332ccf7429e97d82840d2062e9c71acc962672ecddb1fd48e68b02ed216fec95
SHA512 0fc3fc94635fd0be3b9e56f67da28f8b505c1038662177f938b7aa88eb2a74a955d82affdd21f21f27e3cbcdf887d2a56822a38fb8471430a69ef7a93306c833

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-28 01:07

Reported

2024-07-28 01:10

Platform

android-x64-arm64-20240624-en

Max time kernel

178s

Max time network

133s

Command Line

wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme

Signatures

Hydra

banker trojan infostealer hydra

Hydra payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/TD.json | N/A | N/A
N/A | /data/user/0/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/TD.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Processes

wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.110.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp
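The three Network tables are easiest to act on once merged. As an added example (not sandbox output), the Python below parses rows either in the sandbox's whitespace layout, where the Domain column is simply absent for bare-IP connections, or in a pipe-delimited layout, drops mDNS and resolver rows, separates DNS lookups from actual connections, and lists which non-Google domains and IPs recur in every run. The rows are transcribed from this report (behavioral1 in full, a subset of behavioral2 and behavioral3). The WATCHLIST notes are analyst heuristics rather than signatures from the report, and TLS connections to bare IPs are reported as unattributed because the table alone does not say which host they served; the pcap's TLS SNI does.

```python
"""Merge sandbox Network tables into IOCs plus first-look findings.
Added example for this report, not sandbox output."""
import re

RESOLVERS = {"1.1.1.1:53"}        # sandbox DNS resolver: a lookup, not a contact
NOISE = {"224.0.0.251:5353"}      # mDNS chatter from the emulator
BENIGN_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")
# Analyst watchlist (heuristics, not sandbox signatures).
WATCHLIST = {
    "ip-api.com": "external IP / geolocation lookup",
    "gist.githubusercontent.com": "public content host; pull the fetched body from the pcap",
}
ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<dest>\d{1,3}(?:\.\d{1,3}){3}:\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$")


def parse_row(line):
    """Whitespace layout (domain optional) or 'Country | Dest | Domain | Proto'."""
    line = line.strip()
    if "|" in line:
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            raise ValueError("bad row: %r" % line)
        country, dest, domain, proto = fields
    else:
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("bad row: %r" % line)
        country, dest, domain, proto = m.group("country", "dest", "domain", "proto")
    if domain in (None, "", "-", "N/A"):
        domain = None
    return {"country": country, "dest": dest, "domain": domain, "proto": proto}


def is_benign(domain):
    return domain is not None and domain.endswith(BENIGN_SUFFIXES)


def summarize(runs):
    """runs: {run_name: [row, ...]} -> IOC lists and per-run findings."""
    domain_runs, ioc_ips, unattributed, findings = {}, set(), set(), []
    for run, rows in runs.items():
        for line in rows:
            r = parse_row(line)
            if r["dest"] in NOISE:
                continue
            if r["domain"]:
                domain_runs.setdefault(r["domain"], set()).add(run)
            if r["dest"] in RESOLVERS:
                continue                      # DNS lookup only
            if r["domain"] is None:
                unattributed.add(r["dest"])   # bare-IP TLS: attribute via SNI in the pcap
                continue
            if not is_benign(r["domain"]):
                ioc_ips.add(r["dest"].rsplit(":", 1)[0])
            if r["domain"] in WATCHLIST:
                note = WATCHLIST[r["domain"]]
                if r["dest"].endswith(":80"):
                    note += "; cleartext HTTP, so the response is readable in the pcap"
                findings.append((run, r["domain"], r["dest"], note))
    ioc_domains = sorted(d for d in domain_runs if not is_benign(d))
    return {
        "ioc_domains": ioc_domains,
        "ioc_ips": sorted(ioc_ips),
        "in_every_run": [d for d in ioc_domains if domain_runs[d] == set(runs)],
        "unattributed": sorted(unattributed),
        "findings": findings,
    }


# Rows transcribed from this report: behavioral1 in full, subsets of the others.
RUNS = {
    "behavioral1": """
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 1.1.1.1:53 gist.githubusercontent.com udp
US 185.199.109.133:443 gist.githubusercontent.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
""".strip().splitlines(),
    "behavioral2": """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 185.199.109.133:443 gist.githubusercontent.com tcp
GB 142.250.180.4:443 tcp
""".strip().splitlines(),
    "behavioral3": """
GB 142.250.180.14:443 tcp
GB 216.58.204.78:443 android.apis.google.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 185.199.110.133:443 gist.githubusercontent.com tcp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
""".strip().splitlines(),
}

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(RUNS), indent=2))
```

Two points the merged view makes that the per-run tables do not: the ip-api.com lookup goes over port 80 in all three runs, so the request and the returned geolocation are visible in cleartext in the pcap, and gist.githubusercontent.com is contacted in every run from two different GitHub edge IPs, so the domain, not the IP, is the stable indicator.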

Files

/data/user/0/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/TD.json

MD5 f010ee9359c9f821774826bf6bc7455a
SHA1 bdff7af978ec5e7bde75e2bcd7ee61d7796d26fc
SHA256 563ddf7dc401b739398eb480663a0ca44c7592b189e51fe82539349ef1670f98
SHA512 7c4977760e5829b572d93cf4906bc86daabaa2f2f2d54b1fd83cd2eadb71b2087c8ce12c2de795ef2b8f8f38790b8b8a723d1f9e7487cbd9e104974e054c0f14

/data/user/0/wjhtcnrkkar.lubuxqtnmzucraly.xasiafinjzlmxme/app_DynamicOptDex/TD.json

MD5 bd8a27efbb8d2a97b998e3203f746088
SHA1 ac6748fd08597745f5fba12dba7d34aac2885f30
SHA256 cb624aaa4569cdffc9f9706638a90d33a6bb180ad31cb7a9a5f238ca99e32919
SHA512 74ebcceda9519767dca9dc84e3d98861816c2cdbf399dcf1cecb34cc1814d615e5341bf5cd66d07a1c9d104790c1bd594452c6449970c9a6f7c0c51124593da4