Malware Analysis Report

2025-01-19 05:23

Sample ID 241206-x91b3szkbr
Target cea98484826ce63b72d6efce2f692273_JaffaCakes118
SHA256 c404340baa0e1322364c75898e7ffefcabb660bab01979c22ebd98a502bb2310
Tags
hydra banker collection credential_access discovery evasion infostealer trojan persistence
score
10/10

Analysis Overview

score
10/10

SHA256

c404340baa0e1322364c75898e7ffefcabb660bab01979c22ebd98a502bb2310

Threat Level: Known bad

The file cea98484826ce63b72d6efce2f692273_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hydra banker collection credential_access discovery evasion infostealer trojan persistence

Hydra

Hydra family

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests dangerous framework permissions

Looks up external IP address via web service

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 19:33

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-06 19:33

Reported

2024-12-06 19:36

Platform

android-x64-arm64-20240910-en

Max time kernel

147s

Max time network

151s

Command Line

com.qfbpgpng.xosjjkk

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Processes

com.qfbpgpng.xosjjkk

Network

Country Destination Domain Proto
US 216.239.34.223:443 tcp
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com tcp
US 1.1.1.1:53 gist.githubusercontent.com udp
US 185.199.110.133:443 gist.githubusercontent.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 216.239.32.223:443 tcp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.179.225:443 tcp
GB 142.250.200.33:443 tcp
US 216.239.32.223:443 tcp

Files

/data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/tmp-base.apk.classes4493062226287511860.zip

MD5 e561110f38c040bb42b9833135d483e7
SHA1 6fe8b80ec5454d89b8b222947b6fdd9b18df9648
SHA256 3a12930596e80981b68528e787b51ebfd86135d08825f03d4a954a8badbae766
SHA512 41e06731fd3081c01207cbe3f6e67c6baa2209cd39355743b28fba60b27c7c0e8dab23368854cbd848fbda46769d90ce67562d300dc5fa438afb775869f234c1

/data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 6d4c8d4b9b4cb486fb3dc301c70c9466
SHA1 ef4f85eb783d561719cbcac03bd0f2a57f9dd118
SHA256 fc85a4a2eb31593dfbbb5d379b6e0c8b91817c1c822078cffaf2718ed2bf6df1
SHA512 595d04999136900d9187f0b73cf1185fe2a64a4c989c2491f7100799b4ce98c43390aa1bf12c503f98f471177364c21240eee205e9ba7be3733742d5e907d146

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 19:33

Reported

2024-12-06 19:36

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

132s

Command Line

com.qfbpgpng.xosjjkk

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.qfbpgpng.xosjjkk

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 gist.githubusercontent.com udp
US 185.199.111.133:443 gist.githubusercontent.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 216.58.213.10:443 tcp

Files

/data/data/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/tmp-base.apk.classes2119250013693706477.zip

MD5 e561110f38c040bb42b9833135d483e7
SHA1 6fe8b80ec5454d89b8b222947b6fdd9b18df9648
SHA256 3a12930596e80981b68528e787b51ebfd86135d08825f03d4a954a8badbae766
SHA512 41e06731fd3081c01207cbe3f6e67c6baa2209cd39355743b28fba60b27c7c0e8dab23368854cbd848fbda46769d90ce67562d300dc5fa438afb775869f234c1

/data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 6d4c8d4b9b4cb486fb3dc301c70c9466
SHA1 ef4f85eb783d561719cbcac03bd0f2a57f9dd118
SHA256 fc85a4a2eb31593dfbbb5d379b6e0c8b91817c1c822078cffaf2718ed2bf6df1
SHA512 595d04999136900d9187f0b73cf1185fe2a64a4c989c2491f7100799b4ce98c43390aa1bf12c503f98f471177364c21240eee205e9ba7be3733742d5e907d146

/data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 cc67288a688fad122e80192a45a02e74
SHA1 90ef24796b188fe0ee64d5b13fc8168469b4b8a8
SHA256 8affe8fe2ce344175436234b97e2e50d86bd9a329e18f3e591e44e7c61a8ed00
SHA512 5736eb65500a226205b5cccd82f3712ab52c9e6438d12f11909672c774bd1914d105d44f9bcd07ebb88becc1fc905660b6f4ead9ac5ab9cb2d1ec980df085094

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 19:33

Reported

2024-12-06 19:36

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

142s

Command Line

com.qfbpgpng.xosjjkk

Signatures

Hydra

banker trojan infostealer hydra

Hydra family

hydra

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.qfbpgpng.xosjjkk

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 gist.githubusercontent.com udp
US 185.199.108.133:443 gist.githubusercontent.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 216.58.213.10:443 tcp
GB 172.217.16.228:443 tcp

Files

/data/data/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/tmp-base.apk.classes7083311778456213479.zip

MD5 e561110f38c040bb42b9833135d483e7
SHA1 6fe8b80ec5454d89b8b222947b6fdd9b18df9648
SHA256 3a12930596e80981b68528e787b51ebfd86135d08825f03d4a954a8badbae766
SHA512 41e06731fd3081c01207cbe3f6e67c6baa2209cd39355743b28fba60b27c7c0e8dab23368854cbd848fbda46769d90ce67562d300dc5fa438afb775869f234c1

/data/user/0/com.qfbpgpng.xosjjkk/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 6d4c8d4b9b4cb486fb3dc301c70c9466
SHA1 ef4f85eb783d561719cbcac03bd0f2a57f9dd118
SHA256 fc85a4a2eb31593dfbbb5d379b6e0c8b91817c1c822078cffaf2718ed2bf6df1
SHA512 595d04999136900d9187f0b73cf1185fe2a64a4c989c2491f7100799b4ce98c43390aa1bf12c503f98f471177364c21240eee205e9ba7be3733742d5e907d146