Malware Analysis Report

2024-09-09 16:33

Sample ID 230507-bcyakaeh43
Target 36163bdac9b43d6521603b64bf766fe20c0877e11f004e1d4a887ca7722267a0
SHA256 36163bdac9b43d6521603b64bf766fe20c0877e11f004e1d4a887ca7722267a0
Tags
godfather evasion ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

36163bdac9b43d6521603b64bf766fe20c0877e11f004e1d4a887ca7722267a0

Threat Level: Known bad

The file 36163bdac9b43d6521603b64bf766fe20c0877e11f004e1d4a887ca7722267a0 was found to be: Known bad.

Malicious Activity Summary

godfather evasion ransomware

Godfather family

Makes use of the framework's Accessibility service.

Acquires the wake lock.

Requests enabling of the accessibility settings.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2023-05-07 01:00

Signatures

Godfather family

godfather

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-07 01:00

Reported

2023-05-07 05:26

Platform

android-x86-arm-20220823-en

Max time kernel

4104993s

Max time network

134s

Command Line

com.shortform.app

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.shortform.app

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.39.110:443 android.apis.google.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.250.179.170:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
NL 142.250.179.174:443 tcp
US 1.1.1.1:853 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-07 01:00

Reported

2023-05-07 05:26

Platform

android-x64-20220823-en

Max time kernel

4104953s

Max time network

116s

Command Line

com.shortform.app

Signatures

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.shortform.app

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.250.179.170:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
DE 172.217.23.206:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-05-07 01:00

Reported

2023-05-07 05:24

Platform

android-x64-arm64-20220823-en

Max time kernel

4104871s

Max time network

33s

Command Line

com.shortform.app

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.shortform.app

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
DE 142.250.186.174:443 tcp
DE 142.250.186.174:443 tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp

Files

N/A