
Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    19/10/2024, 23:11 UTC

General

  • Target

    5f2a21c5569b01486fb791784aff7005_JaffaCakes118.apk

  • Size

    3.1MB

  • MD5

    5f2a21c5569b01486fb791784aff7005

  • SHA1

    5c674b4543573ddc6008e9d013fbf5001fd3b923

  • SHA256

    9afaa372d732d9a920e8dc68ccc243a248f839f52dac33da41f69f2ba0941906

  • SHA512

    155a1b34bc78cd55fe4bb10dc8b5bafa65e23e6be4ee01a6139fc5bfb4b4ae9008fe2960b2ad4c5c9faa4ae4a8805c1e07edd790d745d5ede5ca766729ee653a

  • SSDEEP

    98304:ozQtjfDm3PO06zgBr3XlEY2P/nfyF3wBlAVI:oMhm/6z6T1EYWfyy

Malware Config

Signatures

  • Hydra

    Android banker and info stealer.

  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Processes

  • com.lxqbcgkl.uzkzdvx
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4260
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lxqbcgkl.uzkzdvx/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.lxqbcgkl.uzkzdvx/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4288

Network

  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
  • flag-us
    DNS
    gist.githubusercontent.com
    Remote address:
    1.1.1.1:53
    Request
    gist.githubusercontent.com
    IN A
    Response
    gist.githubusercontent.com
    IN A
    185.199.109.133
    gist.githubusercontent.com
    IN A
    185.199.108.133
    gist.githubusercontent.com
    IN A
    185.199.110.133
    gist.githubusercontent.com
    IN A
    185.199.111.133
  • flag-us
    GET
    https://gist.githubusercontent.com/raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json
    Remote address:
    185.199.109.133:443
    Request
    GET /raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json HTTP/1.1
    Authorization: a5603291fa49429e
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: gist.githubusercontent.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 404 Not Found
    Connection: keep-alive
    Content-Length: 14
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    Content-Type: text/plain; charset=utf-8
    X-GitHub-Request-Id: 7816:373FFE:E1C5B:113C9D:67143CC9
    Accept-Ranges: bytes
    Date: Sat, 19 Oct 2024 23:12:09 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lon420140-LON
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1729379529.156204,VS0,VE102
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 0515589535d9ca15129f2f9f7f564608ebd55048
    Expires: Sat, 19 Oct 2024 23:17:09 GMT
    Source-Age: 0
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Authorization: a5603291fa49429e
    Content-Type: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Sat, 19 Oct 2024 23:12:18 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 289
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.204.78
  • 185.199.109.133:443
    https://gist.githubusercontent.com/raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json
    tls, http
    1.2kB
    5.6kB
    10
    9

    HTTP Request

    GET https://gist.githubusercontent.com/raheemsterling444/ab254eca6a406ca073747b7b40e0c5fd/raw/helloworld.json

    HTTP Response

    404
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    451 B
    638 B
    5
    4

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200
  • 142.250.187.206:443
    tls, https
    858 B
    40 B
    1
    1
  • 216.58.204.78:443
    android.apis.google.com
    tls
    4.7kB
    8.5kB
    14
    22
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    272 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response


  • 1.1.1.1:53
    gist.githubusercontent.com
    dns
    72 B
    136 B
    1
    1

    DNS Request

    gist.githubusercontent.com

    DNS Response

    185.199.109.133
    185.199.108.133
    185.199.110.133
    185.199.111.133

  • 1.1.1.1:53
    ip-api.com
    dns
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.204.78

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.lxqbcgkl.uzkzdvx/code_cache/secondary-dexes/tmp-base.apk.classes8740677427164440178.zip

    Filesize

    378KB

    MD5

    5c3f18fabc8a15521d28e2593cc9398a

    SHA1

    b645b9a66a492bc8ffab125c3b16ff0d8e3f27ee

    SHA256

    08278db78ac09ffbfe5d0c13f09055d32ce449fcf1e4a8de11c45586fbebb73b

    SHA512

    d521589acdc996ac546fe9065eeada58af775659712d9937a832025bad7582751817b7121b6a774625ffcba4c0a3cd9903fb67d3cdf88e9abefec34f39efcef7

  • /data/user/0/com.lxqbcgkl.uzkzdvx/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    7195b1299806d409d6dd8e0218f5f0ae

    SHA1

    773ecdbf524f3f1d25b9150907318f79702c2db9

    SHA256

    669fb2a207c8c7cc76b19faa3516fccb689bd2f6fb730234aeef8b4fcdadde29

    SHA512

    294d0beb255bb0ee83ce00f6839b8f7a285c0c797661a9bf5fbd96dd4c4da69fff3f46cd712dcdcdf89b60d75c09c95ab44118b8fe72c1b17d9a2baba219b577

  • /data/user/0/com.lxqbcgkl.uzkzdvx/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    902KB

    MD5

    70dea65e5b97b54ee38d507bc3832747

    SHA1

    8b5db2666a7c5317989c441e0819c988c76ad0ae

    SHA256

    6e8d99f6dfbb9b7eff88dea1a3ecbb1a71c0a15e80f345516f1f9071b9be1def

    SHA512

    cfa330cd7f8945fe78a477787e058d2cf50313e5af8a60aec735c2314e27c6c1cb275f0d5fb9c3fbe11d1aa8b2b25ed42c69ba5a3e3a17813436511750bccbb4
