Malware Analysis Report

2024-09-09 16:33

Sample ID: 230427-kc9s2age5x
Target:    36163bdac9b43d6521603b64bf766fe20c0877e11f004e1d4a887ca7722267a0
SHA256:    36163bdac9b43d6521603b64bf766fe20c0877e11f004e1d4a887ca7722267a0
Tags:      godfather evasion ransomware banker infostealer trojan
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:  10/10
SHA256: 36163bdac9b43d6521603b64bf766fe20c0877e11f004e1d4a887ca7722267a0
Threat Level: Known bad

The file 36163bdac9b43d6521603b64bf766fe20c0877e11f004e1d4a887ca7722267a0 was found to be: Known bad.

Malicious Activity Summary

Tags: godfather evasion ransomware banker infostealer trojan

GodFather (Godfather family)

Makes use of the framework's Accessibility service: it queries accessibility nodes by ID, view ID and text, the calls an accessibility-abusing banker uses to read the content of other apps' windows.
Requests enabling of the accessibility settings: it opens android.settings.ACCESSIBILITY_SETTINGS so that the victim grants the service.
Loads dropped Dex/Jar. The only indicator is a classes.dex that ART extracted in memory from the installed base.apk; no code file written to disk after install is recorded.
Acquires the wake lock.
Requests disabling of battery optimizations via android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (often used to keep running in the background).
Uses Crypto APIs (might try to encrypt user data). The ransomware tag rests on a single javax.crypto.Cipher.doFinal call, which a banker also makes when decrypting its own strings or configuration; no file activity is recorded in any run.

Network: every destination in the three behavioural runs is Cloudflare DNS (1.1.1.1 on 53 and 853), multicast DNS, or an address in Google's ranges (142.250.0.0/15, 172.217.0.0/16, 216.58.192.0/19), most of them labelled with Google service domains. No sample-specific host is recorded, so this report supplies no network indicators; note that each run observed the network for at most 135 s.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2023-04-27 08:28

Signatures

Godfather family

godfather
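
The static run above records only the family match. As an added example (not part of this report or of any sandbox's code), the script below performs the static counterpart of the behavioural signatures listed in the Malicious Activity Summary: it reads an apktool-decoded AndroidManifest.xml and reports whether the app declares an accessibility service together with the persistence permissions (battery-optimisation exemption, wake lock, boot receiver). The two manifests embedded in it are constructed placeholders, not the sample's manifest; the package and class names are invented for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability profile
of an accessibility-abusing banker. Added example; not part of the report.

Usage: apktool d base.apk, then run this on the decoded AndroidManifest.xml."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest in the shape apktool produces. It is NOT the manifest
# of the sample in this report; package and class names are placeholders.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.suspect">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Reader">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".AccService" android:exported="true"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed contrast case: the same kind of app without any of the above.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.reader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Reader">
        <activity android:name=".MainActivity" android:exported="true"/>
    </application>
</manifest>
"""

# Permissions behind the wake-lock / battery-optimisation / boot behaviours.
PERSISTENCE_PERMS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "asks to be exempt from battery optimisation",
    "android.permission.WAKE_LOCK": "can hold the device awake",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart itself at boot",
}


def accessibility_services(root):
    """Names of <service> elements that bind as accessibility services.
    Either the BIND_ACCESSIBILITY_SERVICE permission or the accessibility
    intent filter is enough to flag; a working service has both."""
    found = []
    for svc in root.iter("service"):
        binds = svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        filtered = any(a.get(ANDROID_NS + "name") == "android.accessibilityservice.AccessibilityService"
                       for a in svc.iter("action"))
        if binds or filtered:
            found.append(svc.get(ANDROID_NS + "name"))
    return found


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    acc = accessibility_services(root)
    persistence = [desc for perm, desc in PERSISTENCE_PERMS.items() if perm in perms]
    # An accessibility service alone is legitimate (screen readers, password
    # managers); pairing it with persistence primitives is the banker profile,
    # and even that only earns a manual review, not a verdict.
    if acc and persistence:
        verdict = "suspicious"
    elif acc or persistence:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "accessibility_services": acc,
        "persistence": persistence,
        "verdict": verdict,
    }


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SUSPECT_MANIFEST
    for key, value in triage_manifest(text).items():
        print(f"{key}: {value}")
```

Treat "suspicious" as a triage flag only: automation tools and password managers legitimately declare accessibility services, so it is the runtime behaviour recorded in the behavioural runs (the ACCESSIBILITY_SETTINGS intent followed by accessibility node queries) that confirms abuse.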

Analysis: behavioral1

Detonation Overview

Submitted: 2023-04-27 08:28
Reported:  2023-04-27 08:31
Platform:  android-x86-arm-20220823-en
Max time kernel:  3252059s
Max time network: 135s

Command Line

com.shortform.app

Signatures

Makes use of the framework's Accessibility service.

Description            | Indicator                                                                                               | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A     | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId         | N/A     | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText           | N/A     | N/A

Acquires the wake lock.

Description            | Indicator                                | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A     | N/A

Requests enabling of the accessibility settings.

Description   | Indicator                               | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A     | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).
Tags: evasion

Description   | Indicator                                             | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A     | N/A

Uses Crypto APIs (Might try to encrypt user data).
Tags: ransomware

Description        | Indicator                   | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A     | N/A

Processes

com.shortform.app

Network

Country | Destination         | Domain                             | Proto
N/A     | 224.0.0.251:5353    | N/A                                | udp
US      | 1.1.1.1:53          | android.apis.google.com            | udp
NL      | 142.250.179.174:443 | android.apis.google.com            | tcp
NL      | 142.250.179.174:443 | android.apis.google.com            | tcp
US      | 1.1.1.1:53          | infinitedata-pa.googleapis.com     | udp
US      | 1.1.1.1:53          | semanticlocation-pa.googleapis.com | udp
US      | 1.1.1.1:853         | N/A                                | tcp
US      | 1.1.1.1:853         | N/A                                | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-04-27 08:28
Reported:  2023-04-27 08:30
Platform:  android-x64-20220823-en
Max time kernel:  3252023s
Max time network: 119s

Command Line

com.shortform.app

Signatures

GodFather
Tags: banker trojan infostealer godfather

Loads dropped Dex/Jar

Description | Indicator                                                                                                  | Process | Target
N/A         | [anon:dalvik-classes.dex extracted in memory from /data/app/com.shortform.app-lE_up-Phnja_3GbfaP92fg==/base.apk] | N/A     | N/A

Uses Crypto APIs (Might try to encrypt user data).
Tags: ransomware

Description        | Indicator                   | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A     | N/A

Processes

com.shortform.app

Network

Country | Destination        | Domain                             | Proto
N/A     | 224.0.0.251:5353   | N/A                                | udp
US      | 1.1.1.1:53         | ssl.google-analytics.com           | udp
NL      | 142.251.36.40:443  | ssl.google-analytics.com           | tcp
US      | 1.1.1.1:53         | semanticlocation-pa.googleapis.com | udp
NL      | 216.58.214.10:443  | semanticlocation-pa.googleapis.com | tcp
US      | 1.1.1.1:53         | android.apis.google.com            | udp
DE      | 172.217.23.206:443 | android.apis.google.com            | tcp

Files

[anon:dalvik-classes.dex extracted in memory from /data/app/com.shortform.app-lE_up-Phnja_3GbfaP92fg==/base.apk]

MD5 76032e97b10da4cb2f41336b104e0fe1
SHA1 4f5732510170db8c6745bd7669abf7d8dab0e770
SHA256 971e261cb8031b740e3b3615a10dc8b7973394925c577cff7f5b73df4dad9b2e
SHA512 36645a5d35b826ac2e8b1e0a1c8d313bd535013776b2e6a50f118b2ac50b5e89599ea72b969ebf564db19e04f0e706c16483de622854f8001b4731a48f43c56d
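
The in-memory classes.dex listed under Loads dropped Dex/Jar and hashed above is not a file on disk: ART labels the memory it filled with a dex it extracted itself, and that label is what the sandbox reads back from the process's address space. As an added example (not part of this report or of any sandbox's code), the script below applies the same check to /proc/<pid>/maps output from a rooted device or emulator, separates anonymous DEX regions from file-backed code in the installed package and from DEX/JAR files dropped elsewhere, builds the dd command to carve a region, and validates a carved blob's DEX header and Adler-32 checksum before it goes to a disassembler. The maps lines, addresses and package path are constructed placeholders, not taken from the sample.

```python
"""Find DEX code that exists only in anonymous memory, and validate a carved
region before disassembly. Added example; not part of the sandbox report."""
import re
import struct
import zlib

# /proc/<pid>/maps: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed: the shape of `adb shell cat /proc/$(pidof <package>)/maps`.
# Package path and addresses are placeholders, not the sample's.
SAMPLE_MAPS = """\
12c00000-13000000 rw-p 00000000 00:00 0          [anon:dalvik-main space (region space)]
7b30000000-7b30400000 r--p 00000000 fd:01 1234   /data/app/com.example.suspect-AbCd==/base.apk
7b2f4c5000-7b2f4d2000 r--p 00000000 00:00 0      [anon:dalvik-classes.dex extracted in memory from /data/app/com.example.suspect-AbCd==/base.apk]
7b31000000-7b31004000 r-xp 00000000 fd:01 5678   /system/lib64/libc.so
7b32000000-7b32010000 r--p 00000000 fd:01 9012   /data/app/com.example.suspect-AbCd==/oat/arm64/base.vdex
7b33000000-7b33008000 r--p 00000000 fd:01 4321   /data/user/0/com.example.suspect/files/stage2.jar
"""

CODE_EXTENSIONS = (".dex", ".jar", ".apk", ".zip")
INSTALLED_DIRS = ("/data/app/", "/system/", "/apex/", "/vendor/", "/product/")


def parse_maps(text):
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["start"], r["end"] = int(r["start"], 16), int(r["end"], 16)
        r["inode"] = int(r["inode"])
        regions.append(r)
    return regions


def in_memory_dex(regions):
    """Anonymous regions (inode 0) that ART named after a dex it extracted
    itself; this is what the sandbox indicator above is derived from."""
    return [r for r in regions
            if r["inode"] == 0 and r["path"].startswith("[anon:dalvik-") and ".dex" in r["path"]]


def dropped_code_files(regions):
    """File-backed dex/jar/apk mapped from outside the installed package and
    the system images, i.e. code the app wrote to disk after install."""
    return [r for r in regions
            if r["inode"] != 0
            and r["path"].endswith(CODE_EXTENSIONS)
            and not r["path"].startswith(INSTALLED_DIRS)]


def dump_command(pid, region):
    """dd invocation to carve the region out of /proc/<pid>/mem on a rooted
    device (the kernel only lets a ptrace-capable caller read it)."""
    page = 4096
    return (f"dd if=/proc/{pid}/mem of=/data/local/tmp/{region['start']:x}.dex "
            f"bs={page} skip={region['start'] // page} count={(region['end'] - region['start']) // page}")


def check_dex_header(blob):
    """Validate a carved blob: 'dex\\n' magic, declared file_size, and the
    Adler-32 at offset 8 computed over everything from offset 12 to file_size."""
    if len(blob) < 0x70 or blob[:4] != b"dex\n":
        return {"ok": False, "reason": "no dex magic"}
    version = blob[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", blob, 8)
    file_size, header_size = struct.unpack_from("<II", blob, 32)
    if file_size > len(blob):
        return {"ok": False, "reason": "truncated dump", "version": version}
    actual = zlib.adler32(blob[12:file_size]) & 0xFFFFFFFF
    ok = actual == checksum
    return {"ok": ok, "version": version, "file_size": file_size,
            "header_size": header_size, "reason": None if ok else "checksum mismatch"}


def make_test_dex(payload_len=64):
    """Constructed header-only blob with a correct checksum; not a real dex
    file, just enough to exercise check_dex_header offline."""
    body = bytearray(0x70 + payload_len)
    body[0:8] = b"dex\n035\x00"
    struct.pack_into("<II", body, 32, len(body), 0x70)
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


if __name__ == "__main__":
    regions = parse_maps(SAMPLE_MAPS)
    for r in in_memory_dex(regions):
        print("in-memory dex:", r["path"])
        print("  carve with:", dump_command(1234, r))
    for r in dropped_code_files(regions):
        print("dropped code file:", r["path"])
    print(check_dex_header(make_test_dex()))
```

A region that passes the header check can be hashed and compared with the MD5/SHA256 the sandbox reports above; a mismatch usually means the sample decrypted or patched the dex after the sandbox's snapshot, which is itself worth recording.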

Analysis: behavioral3

Detonation Overview

Submitted: 2023-04-27 08:28
Reported:  2023-04-27 08:29
Platform:  android-x64-arm64-20220823-en
Max time kernel:  3251932s
Max time network: 28s

Command Line

com.shortform.app

Signatures

Makes use of the framework's Accessibility service.

Description            | Indicator                                                                                               | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A     | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId         | N/A     | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText           | N/A     | N/A

Acquires the wake lock.

Description            | Indicator                                | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A     | N/A

Requests enabling of the accessibility settings.

Description   | Indicator                               | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A     | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).
Tags: evasion

Description   | Indicator                                             | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A     | N/A

Uses Crypto APIs (Might try to encrypt user data).
Tags: ransomware

Description        | Indicator                   | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A     | N/A

Processes

com.shortform.app

Network

Country | Destination         | Domain                         | Proto
US      | 1.1.1.1:53          | android.apis.google.com        | udp
US      | 1.1.1.1:53          | android.apis.google.com        | udp
US      | 1.1.1.1:53          | android.apis.google.com        | udp
NL      | 142.250.179.174:443 | android.apis.google.com        | tcp
NL      | 142.251.36.46:443   | android.apis.google.com        | tcp
N/A     | 224.0.0.251:5353    | N/A                            | udp
NL      | 172.217.168.226:443 | N/A                            | tcp
NL      | 142.251.39.102:443  | N/A                            | tcp
US      | 1.1.1.1:53          | infinitedata-pa.googleapis.com | udp
US      | 1.1.1.1:53          | ssl.google-analytics.com       | udp
NL      | 142.250.179.200:443 | ssl.google-analytics.com       | tcp
US      | 1.1.1.1:53          | infinitedata-pa.googleapis.com | udp

Files

N/A
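
None of the three Network tables in this report contains a destination specific to the sample. As an added example (not part of this report or of any sandbox's code), the script below parses rows in the tables' "Country Destination Domain Proto" layout, copes with the Domain column being absent on mDNS, DNS-over-TLS and unresolved rows, and filters out resolver, multicast and Google platform traffic so that only unexplained destinations remain as indicator candidates. The Google prefixes it uses are assumptions of the example to be re-checked against whois; the embedded rows are copied from the tables above plus one constructed row (TEST-NET-3 address, .invalid domain) so that a hit is shown.

```python
"""Triage sandbox Network rows: keep only destinations that platform
background traffic cannot explain. Added example; not part of the report."""
import ipaddress

# Rows in the report's "Country Destination Domain Proto" layout. All but the
# last are copied from the three behavioural runs; the last is constructed
# (TEST-NET-3 address, .invalid TLD) so the output is not empty.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.174:443 android.apis.google.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:853 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.40:443 ssl.google-analytics.com tcp
NL 216.58.214.10:443 semanticlocation-pa.googleapis.com tcp
DE 172.217.23.206:443 android.apis.google.com tcp
NL 172.217.168.226:443 tcp
NL 142.251.39.102:443 tcp
N/A 203.0.113.7:8080 c2.example.invalid tcp
"""

# Assumption of this example: Google-advertised prefixes covering the
# addresses above. Re-check against whois/BGP data before relying on them.
PLATFORM_PREFIXES = [ipaddress.ip_network(n) for n in
                     ("142.250.0.0/15", "172.217.0.0/16", "216.58.192.0/19")]
PLATFORM_DOMAIN_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")
RESOLVERS = {("1.1.1.1", 53), ("1.1.1.1", 853)}   # Cloudflare DNS: plain and DNS-over-TLS
MDNS = ("224.0.0.251", 5353)


def parse_row(line):
    """A row has 4 fields, or 3 when the Domain column is empty (mDNS,
    DNS-over-TLS, and direct connections the sandbox could not tie to a lookup)."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def classify(row):
    key = (row["ip"], row["port"])
    if key in RESOLVERS:
        return "resolver"
    if key == MDNS:
        return "mdns"
    if row["domain"] and row["domain"].endswith(PLATFORM_DOMAIN_SUFFIXES):
        return "platform"
    if any(ipaddress.ip_address(row["ip"]) in net for net in PLATFORM_PREFIXES):
        return "platform-unresolved"   # no domain logged, but inside a platform prefix
    return "candidate"


def triage(text):
    """Return (counts per class, deduplicated candidate rows)."""
    counts, candidates, seen = {}, [], set()
    for line in text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        cls = classify(row)
        counts[cls] = counts.get(cls, 0) + 1
        key = (row["ip"], row["port"], row["domain"])
        if cls == "candidate" and key not in seen:
            seen.add(key)
            candidates.append(row)
    return counts, candidates


if __name__ == "__main__":
    counts, candidates = triage(NETWORK_ROWS)
    print(counts)
    for c in candidates:
        print("candidate IOC:", c)
```

Run over the report's own rows the candidate list is empty, which is the honest outcome: with network windows of 28 s to 135 s the sample may simply not have reached its C2 before the run ended, so the absence of a candidate here is not evidence that it has none.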