Analysis Overview
SHA256
36163bdac9b43d6521603b64bf766fe20c0877e11f004e1d4a887ca7722267a0
Threat Level: Known bad
The file 36163bdac9b43d6521603b64bf766fe20c0877e11f004e1d4a887ca7722267a0 was found to be: Known bad.
Malicious Activity Summary
GodFather
Godfather family
Makes use of the framework's Accessibility service.
Requests enabling of the accessibility settings.
Loads dropped Dex/Jar
Acquires the wake lock.
Requests disabling of battery optimizations (often used to enable hiding in the background).
Uses Crypto APIs (Might try to encrypt user data).
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-04-27 08:28
Signatures
Godfather family
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-27 08:28
Reported
2023-04-27 08:31
Platform
android-x86-arm-20220823-en
Max time kernel
3252059s
Max time network
135s
Command Line
Signatures
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Requests enabling of the accessibility settings.
| Description | Indicator | Process | Target |
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.shortform.app
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.174:443 | android.apis.google.com | tcp |
| NL | 142.250.179.174:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:853 | tcp | |
| US | 1.1.1.1:853 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-27 08:28
Reported
2023-04-27 08:30
Platform
android-x64-20220823-en
Max time kernel
3252023s
Max time network
119s
Command Line
Signatures
GodFather
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | [anon:dalvik-classes.dex extracted in memory from /data/app/com.shortform.app-lE_up-Phnja_3GbfaP92fg==/base.apk] | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.shortform.app
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.36.40:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 216.58.214.10:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| DE | 172.217.23.206:443 | android.apis.google.com | tcp |
Files
[anon:dalvik-classes.dex extracted in memory from /data/app/com.shortform.app-lE_up-Phnja_3GbfaP92fg==/base.apk]
| MD5 | 76032e97b10da4cb2f41336b104e0fe1 |
| SHA1 | 4f5732510170db8c6745bd7669abf7d8dab0e770 |
| SHA256 | 971e261cb8031b740e3b3615a10dc8b7973394925c577cff7f5b73df4dad9b2e |
| SHA512 | 36645a5d35b826ac2e8b1e0a1c8d313bd535013776b2e6a50f118b2ac50b5e89599ea72b969ebf564db19e04f0e706c16483de622854f8001b4731a48f43c56d |
Analysis: behavioral3
Detonation Overview
Submitted
2023-04-27 08:28
Reported
2023-04-27 08:29
Platform
android-x64-arm64-20220823-en
Max time kernel
3251932s
Max time network
28s
Command Line
Signatures
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Requests enabling of the accessibility settings.
| Description | Indicator | Process | Target |
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.shortform.app
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.174:443 | android.apis.google.com | tcp |
| NL | 142.251.36.46:443 | android.apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| NL | 172.217.168.226:443 | tcp | |
| NL | 142.251.39.102:443 | tcp | |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.250.179.200:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |