Malware Analysis Report

2025-01-19 05:26

Sample ID 241204-vdt43sxjdr
Target c37ae32cd4bcce93797535082e2080a2_JaffaCakes118
SHA256 2b305310db25d5ac714d4e5df898fa336e0bb3b86039b42ea37762f00956b3ff
Tags hydra banker collection credential_access discovery evasion infostealer trojan persistence
Score 10/10

Analysis Overview

Threat Level: Known bad

The file c37ae32cd4bcce93797535082e2080a2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Hydra family

Hydra

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries information about active data network

Queries the mobile country code (MCC)

Reads information about phone network operator.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Looks up external IP address via web service

Declares broadcast receivers with permission to handle system events

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-12-04 16:52

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-04 16:52

Reported

2024-12-04 16:55

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

132s

Command Line

com.wefccxit.cbhxpgr

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.wefccxit.cbhxpgr

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.108.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp

Files

/data/user/0/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/tmp-base.apk.classes2840182326076045177.zip

MD5 051babff27f407292fe1d8a5976780aa
SHA1 02f1814a3654684e0bf82abdd5275e1dadb2e3a1
SHA256 47cc42df8062022f5576169758085ba166008827cd08a063cd4f6ecd63f6fbf8
SHA512 e4e452d30ac6cf215bc2ca157f150547d684d49d27ceda9293387adc420441aac3d3e0a10efe25870328e705a14d7ce55df797c941e694a68194faecea6dcbf9

/data/user/0/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 bfdaf3784d3f7487759eaaed9042907a
SHA1 84778b47fb7d80253785530b3aaef4a11ddcb8c6
SHA256 1eaaf545b99745477d09f03b96a043b885a742c7d850136117337054b9673e2a
SHA512 7fba3a01105a55510457e9910af3b7368b36551d1474914e8bc88e39504cfb2fd8ff7ef42c6fc0762aba9cf8bfec3ddf82ef01bc62d7b029a8114f2f4117b646

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-04 16:52

Reported

2024-12-04 16:55

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

130s

Command Line

com.wefccxit.cbhxpgr

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A
N/A | /data/user/0/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.wefccxit.cbhxpgr

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.110.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/tmp-base.apk.classes8640335146586565678.zip

MD5 051babff27f407292fe1d8a5976780aa
SHA1 02f1814a3654684e0bf82abdd5275e1dadb2e3a1
SHA256 47cc42df8062022f5576169758085ba166008827cd08a063cd4f6ecd63f6fbf8
SHA512 e4e452d30ac6cf215bc2ca157f150547d684d49d27ceda9293387adc420441aac3d3e0a10efe25870328e705a14d7ce55df797c941e694a68194faecea6dcbf9

/data/user/0/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 bfdaf3784d3f7487759eaaed9042907a
SHA1 84778b47fb7d80253785530b3aaef4a11ddcb8c6
SHA256 1eaaf545b99745477d09f03b96a043b885a742c7d850136117337054b9673e2a
SHA512 7fba3a01105a55510457e9910af3b7368b36551d1474914e8bc88e39504cfb2fd8ff7ef42c6fc0762aba9cf8bfec3ddf82ef01bc62d7b029a8114f2f4117b646

/data/user/0/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 99233baebd321ed414d4b9090cad2397
SHA1 9d3c3abd8a28fe529fc2fc455f7cb5ca4e9d9f3e
SHA256 ff4cecdda8c5b9279c871374c6c948af44020bee6c5714b8556ebf9567d9059b
SHA512 1ce626e20474f29038aa5b77702fe222fb84e2285672797534ef1778797961d35ed6dba6b0aac9d6a61ce29ea346831d9ff7f79bf9038cf6f1e08e658cb1dc90

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-04 16:52

Reported

2024-12-04 16:55

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

138s

Command Line

com.wefccxit.cbhxpgr

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/base.apk.classes1.zip | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.wefccxit.cbhxpgr

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | gist.githubusercontent.com | udp
US | 185.199.109.133:443 | gist.githubusercontent.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/data/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/tmp-base.apk.classes8651902537693289166.zip

MD5 051babff27f407292fe1d8a5976780aa
SHA1 02f1814a3654684e0bf82abdd5275e1dadb2e3a1
SHA256 47cc42df8062022f5576169758085ba166008827cd08a063cd4f6ecd63f6fbf8
SHA512 e4e452d30ac6cf215bc2ca157f150547d684d49d27ceda9293387adc420441aac3d3e0a10efe25870328e705a14d7ce55df797c941e694a68194faecea6dcbf9

/data/user/0/com.wefccxit.cbhxpgr/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 bfdaf3784d3f7487759eaaed9042907a
SHA1 84778b47fb7d80253785530b3aaef4a11ddcb8c6
SHA256 1eaaf545b99745477d09f03b96a043b885a742c7d850136117337054b9673e2a
SHA512 7fba3a01105a55510457e9910af3b7368b36551d1474914e8bc88e39504cfb2fd8ff7ef42c6fc0762aba9cf8bfec3ddf82ef01bc62d7b029a8114f2f4117b646