Malware Analysis Report

2024-09-09 16:33

Sample ID 230313-rqp44scg71
Target a14aad1265eb307fbe71a3a5f6e688408ce153ff19838b3c5229f26ee3ece5dd.zip
SHA256 a14aad1265eb307fbe71a3a5f6e688408ce153ff19838b3c5229f26ee3ece5dd
Tags
godfather evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a14aad1265eb307fbe71a3a5f6e688408ce153ff19838b3c5229f26ee3ece5dd

Threat Level: Known bad

The file a14aad1265eb307fbe71a3a5f6e688408ce153ff19838b3c5229f26ee3ece5dd.zip was found to be: Known bad.

Malicious Activity Summary

godfather evasion

Godfather family

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Acquires the wake lock.

Reads information about phone network operator.

Removes a system notification.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2023-03-13 14:24

Signatures

Godfather family

godfather

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-13 14:24

Reported

2023-03-13 14:26

Platform

android-x86-arm-20220823-en

Max time kernel

3676758s

Max time network

157s

Command Line

com.thenextbiggeek.squidgamewallpaper

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion

Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

com.thenextbiggeek.squidgamewallpaper

com.thenextbiggeek.squidgamewallpaper:remote

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.14:443 android.apis.google.com tcp
NL 142.251.36.14:443 android.apis.google.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
NL 149.154.167.99:443 t.me tcp
US 1.1.1.1:853 tcp

Files

/data/user/0/com.thenextbiggeek.squidgamewallpaper/shared_prefs/com.thenextbiggeek.squidgamewallpaper_preferences.xml

MD5 9f47baf3a9a6194affde23f6045a061d
SHA1 5f7777d88f68d11406d777a6221b79c66de22837
SHA256 8300e9295420e9621c996b1e23bdc1c65a6707f72e12b73309667f7762917f50
SHA512 cf224e18a29b3794f07cf96cdb1bbaf1ddaa6c56867429b02e93a173f262377721244383c2aad24ed46c6e9411e0ad8f4fdd7828de7c45c561fabb01836f9348

/data/user/0/com.thenextbiggeek.squidgamewallpaper/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.thenextbiggeek.squidgamewallpaper/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.thenextbiggeek.squidgamewallpaper/app_webview/webview_data.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.thenextbiggeek.squidgamewallpaper/shared_prefs/WebViewChromiumPrefs.xml

MD5 21223e9184445fe043476484cd8cb1f9
SHA1 2b4813f849121d60ba35eb0889080668bb62c778
SHA256 bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af
SHA512 be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

/data/user/0/com.thenextbiggeek.squidgamewallpaper/app_webview/Web Data

MD5 dc79f9ce5f3ab5270b33e61119dfc959
SHA1 1844bf222a5144b513dcf2fb50a18c011701c647
SHA256 47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65
SHA512 18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

/data/user/0/com.thenextbiggeek.squidgamewallpaper/app_webview/metrics_guid

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.thenextbiggeek.squidgamewallpaper/app_webview/metrics_guid

MD5 ef1d8694183d17127ac8b6b6fc6fa836
SHA1 35e8599ad78bb9b812b0c46d810c60102f7fceae
SHA256 1a7d4becbbe9a6b9f832077515f346e32195d6100881d6dc834381c22bd2c053
SHA512 153f9e0dcc8ba38d52783a6e7422073c583dba806ed97c07b40f8d5003404fcdd54dba7564656fe41b8c28fa6abd9cecc8b21b8f2b08b0fd5f85ee5784fd2379

/data/user/0/com.thenextbiggeek.squidgamewallpaper/app_webview/Web Data-journal

MD5 8ef7f01700995d414873ed8599a0bc4f
SHA1 6ba98763891dcb943e657a99d062cd9f41e34f95
SHA256 5ef0e9464f2412e8ffc24f27b97fd792b9451c78c4e47ec87c51c6e4e62bede9
SHA512 931c53f8f01f80725de696f2a561bdff6686fc44401fa78cc5c6e020ccde8f274f7012129ee75da6012b065bf1a1c29ac748211ffe7f79326396f52665ec6937

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-13 14:24

Reported

2023-03-13 14:26

Platform

android-x64-20220823-en

Max time kernel

3680359s

Max time network

131s

Command Line

com.thenextbiggeek.squidgamewallpaper

Signatures

N/A

Processes

com.thenextbiggeek.squidgamewallpaper

com.thenextbiggeek.squidgamewallpaper:remote

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.39.110:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.250.179.136:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 t.me udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.251.36.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 t.me udp

Files

/data/user/0/com.thenextbiggeek.squidgamewallpaper/shared_prefs/com.thenextbiggeek.squidgamewallpaper_preferences.xml

MD5 9f47baf3a9a6194affde23f6045a061d
SHA1 5f7777d88f68d11406d777a6221b79c66de22837
SHA256 8300e9295420e9621c996b1e23bdc1c65a6707f72e12b73309667f7762917f50
SHA512 cf224e18a29b3794f07cf96cdb1bbaf1ddaa6c56867429b02e93a173f262377721244383c2aad24ed46c6e9411e0ad8f4fdd7828de7c45c561fabb01836f9348