Malware Analysis Report

2024-09-09 16:33

Sample ID: 230119-j49rnscd7v
Target: 8d07967b9253951b52c631383a3dde8513572b3c996c338819f4e12a7a60bf23
SHA256: 8d07967b9253951b52c631383a3dde8513572b3c996c338819f4e12a7a60bf23
Tags: godfather, banker, evasion, infostealer, ransomware, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 8d07967b9253951b52c631383a3dde8513572b3c996c338819f4e12a7a60bf23

Threat Level: Known bad

The file 8d07967b9253951b52c631383a3dde8513572b3c996c338819f4e12a7a60bf23 was found to be: Known bad.

Malicious Activity Summary

Tags: godfather, banker, evasion, infostealer, ransomware, trojan

GodFather

Godfather family

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Acquires the wake lock.

Requests enabling of the accessibility settings.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2023-01-19 08:14

Signatures

Godfather family

godfather

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-19 08:14

Reported

2023-01-19 08:17

Platform

android-x86-arm-20220823-en

Max time kernel

3370352s

Max time network

130s

Command Line

com.nordvpn.android

Signatures

GodFather

Tags: banker, trojan, infostealer, godfather

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data).

Tags: ransomware

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nordvpn.android

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
N/A | 1.1.1.1:53 | android.apis.google.com | udp
N/A | 216.58.208.110:443 | android.apis.google.com | tcp
N/A | 216.58.208.110:443 | android.apis.google.com | tcp
N/A | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
N/A | 172.217.168.202:443 | infinitedata-pa.googleapis.com | tcp
N/A | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
N/A | 142.250.179.138:443 | semanticlocation-pa.googleapis.com | tcp
N/A | 1.1.1.1:853 | | tcp
N/A | 1.1.1.1:853 | | tcp
N/A | 1.1.1.1:853 | | tcp

Files

/data/user/0/com.nordvpn.android/shared_prefs/com.nordvpn.android_preferences.xml

MD5: 9f47baf3a9a6194affde23f6045a061d
SHA1: 5f7777d88f68d11406d777a6221b79c66de22837
SHA256: 8300e9295420e9621c996b1e23bdc1c65a6707f72e12b73309667f7762917f50
SHA512: cf224e18a29b3794f07cf96cdb1bbaf1ddaa6c56867429b02e93a173f262377721244383c2aad24ed46c6e9411e0ad8f4fdd7828de7c45c561fabb01836f9348

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-19 08:14

Reported

2023-01-19 08:17

Platform

android-x64-arm64-20220823-en

Max time kernel

3373963s

Max time network

150s

Command Line

com.nordvpn.android

Signatures

GodFather

Tags: banker, trojan, infostealer, godfather

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data).

Tags: ransomware

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nordvpn.android

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
N/A | 142.250.179.142:443 | | tcp
N/A | 142.250.179.142:443 | | tcp
N/A | 142.250.179.142:443 | | tcp
N/A | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
N/A | 1.1.1.1:53 | android.apis.google.com | udp
N/A | 142.250.179.174:443 | android.apis.google.com | tcp
N/A | 1.1.1.1:53 | ssl.google-analytics.com | udp
N/A | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
N/A | 142.250.179.202:443 | infinitedata-pa.googleapis.com | tcp
N/A | 1.1.1.1:53 | ssl.google-analytics.com | udp

Files

/data/user/0/com.nordvpn.android/shared_prefs/com.nordvpn.android_preferences.xml

MD5: 9f47baf3a9a6194affde23f6045a061d
SHA1: 5f7777d88f68d11406d777a6221b79c66de22837
SHA256: 8300e9295420e9621c996b1e23bdc1c65a6707f72e12b73309667f7762917f50
SHA512: cf224e18a29b3794f07cf96cdb1bbaf1ddaa6c56867429b02e93a173f262377721244383c2aad24ed46c6e9411e0ad8f4fdd7828de7c45c561fabb01836f9348