Malware Analysis Report

2024-09-09 16:38

Sample ID 230606-qk2ehsec9z
Target b6249fa996cb4046bdab37bab5e3b4d43c79ea537f119040c3b3e138149897fd.apk
SHA256 b6249fa996cb4046bdab37bab5e3b4d43c79ea537f119040c3b3e138149897fd
Tags
godfather evasion ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b6249fa996cb4046bdab37bab5e3b4d43c79ea537f119040c3b3e138149897fd

Threat Level: Known bad

The file b6249fa996cb4046bdab37bab5e3b4d43c79ea537f119040c3b3e138149897fd.apk was found to be: Known bad.

Malicious Activity Summary

godfather evasion ransomware

Godfather family

Renames multiple (74) files with added filename extension

Makes use of the framework's Accessibility service.

Acquires the wake lock.

Requests dangerous framework permissions

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2023-06-06 13:20

Signatures

Godfather family

godfather

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-06 13:19

Reported

2023-06-06 13:21

Platform

android-x86-arm-20220823-en

Max time kernel

2430524s

Max time network

84s

Command Line

com.pdffiller.l2f

Signatures

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Removes a system notification.

evasion

Description | Indicator | Process | Target
Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A

Processes

com.pdffiller.l2f

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.251.36.46:443 | android.apis.google.com | tcp
NL | 142.251.36.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
NL | 142.251.39.106:443 | infinitedata-pa.googleapis.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
NL | 142.251.36.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
NL | 149.154.167.99:443 | t.me | tcp

Files

/data/user/0/com.pdffiller.l2f/shared_prefs/config.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/data/user/0/com.pdffiller.l2f/shared_prefs/com.pdffiller.l2f_preferences.xml

MD5 9f47baf3a9a6194affde23f6045a061d
SHA1 5f7777d88f68d11406d777a6221b79c66de22837
SHA256 8300e9295420e9621c996b1e23bdc1c65a6707f72e12b73309667f7762917f50
SHA512 cf224e18a29b3794f07cf96cdb1bbaf1ddaa6c56867429b02e93a173f262377721244383c2aad24ed46c6e9411e0ad8f4fdd7828de7c45c561fabb01836f9348

/data/user/0/com.pdffiller.l2f/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.pdffiller.l2f/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.pdffiller.l2f/app_webview/webview_data.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.pdffiller.l2f/shared_prefs/WebViewChromiumPrefs.xml

MD5 21223e9184445fe043476484cd8cb1f9
SHA1 2b4813f849121d60ba35eb0889080668bb62c778
SHA256 bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af
SHA512 be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

/data/user/0/com.pdffiller.l2f/app_webview/metrics_guid

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.pdffiller.l2f/app_webview/metrics_guid

MD5 cfda485c67bca2d6784a27597275ccc4
SHA1 135451f63e102b1754f9b96d219409e7f2cd3f2b
SHA256 408cafb35698719e3e40b00d7ea072c979e22c9066ae76e9605fd8b244dc0ed7
SHA512 6399936dabb416682416fdf7aa835f29a792f27c83111c682c9eb4ba2865eb03726521c020c5d27d8b9b43c2c29468fd207f1cca7c69140bd236afdcb22107ee

/data/user/0/com.pdffiller.l2f/app_webview/Web Data

MD5 dc79f9ce5f3ab5270b33e61119dfc959
SHA1 1844bf222a5144b513dcf2fb50a18c011701c647
SHA256 47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65
SHA512 18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

/data/user/0/com.pdffiller.l2f/app_webview/Web Data-journal

MD5 4dfd896c3f66f05177fa93b551dbec09
SHA1 7a92835b8c3c33597e404ee456279b1a55a27d26
SHA256 b37a9e5fa94f834062a3c42d8ba42203ca8d4becd91f694674636cf9d745e0cd
SHA512 55d605ee5647f2e2ccf1fdbb1b67d81df349c318752e28f59ba30ae581027f864c5746ee1c5402647daf0bbead3dca782225b36d62f23bbd949c954e6d2fe309

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-06 13:19

Reported

2023-06-06 13:25

Platform

android-x64-arm64-20220823-en

Max time kernel

2430754s

Max time network

318s

Command Line

com.pdffiller.l2f

Signatures

Renames multiple (74) files with added filename extension

ransomware

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

com.pdffiller.l2f

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:53 | android.apis.google.com | udp
DE | 172.217.23.206:443 | android.apis.google.com | tcp
DE | 172.217.23.206:443 | android.apis.google.com | tcp
DE | 172.217.23.206:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | growth-pa.googleapis.com | udp
DE | 172.217.23.202:443 | growth-pa.googleapis.com | tcp
NL | 142.250.179.138:443 | growth-pa.googleapis.com | tcp
NL | 172.217.168.202:443 | growth-pa.googleapis.com | tcp
NL | 142.250.179.202:443 | growth-pa.googleapis.com | tcp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.251.36.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
NL | 142.250.179.141:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | waubgjmmr | udp
US | 1.1.1.1:53 | uqoalyr | udp
US | 1.1.1.1:53 | loqzmpossvsvhp | udp
US | 1.1.1.1:53 | loqzmpossvsvhp | udp
US | 1.1.1.1:53 | t.me | udp
NL | 149.154.167.99:443 | t.me | tcp
US | 1.1.1.1:53 | update.googleapis.com | udp
NL | 142.250.179.195:443 | update.googleapis.com | tcp
US | 1.1.1.1:53 | edgedl.me.gvt1.com | udp
US | 1.1.1.1:53 | edgedl.me.gvt1.com | udp
US | 1.1.1.1:53 | edgedl.me.gvt1.com | udp
US | 1.1.1.1:53 | edgedl.me.gvt1.com | udp
US | 1.1.1.1:53 | edgedl.me.gvt1.com | udp
US | 34.104.35.123:443 | edgedl.me.gvt1.com | tcp
US | 34.104.35.123:80 | edgedl.me.gvt1.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
NL | 142.251.39.104:443 | ssl.google-analytics.com | tcp

Files

/data/user/0/com.pdffiller.l2f/shared_prefs/config.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/data/user/0/com.pdffiller.l2f/shared_prefs/com.pdffiller.l2f_preferences.xml

MD5 9f47baf3a9a6194affde23f6045a061d
SHA1 5f7777d88f68d11406d777a6221b79c66de22837
SHA256 8300e9295420e9621c996b1e23bdc1c65a6707f72e12b73309667f7762917f50
SHA512 cf224e18a29b3794f07cf96cdb1bbaf1ddaa6c56867429b02e93a173f262377721244383c2aad24ed46c6e9411e0ad8f4fdd7828de7c45c561fabb01836f9348

/data/user/0/com.pdffiller.l2f/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.pdffiller.l2f/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.pdffiller.l2f/app_webview/webview_data.lock

MD5 e8ba952e20818d7481ae40364379bfee
SHA1 6cf589dcf89fdb4a6f5ed9dc50305d1bf9291e94
SHA256 296efc0cc0a0406850eeeb4d433b647b72e48884b9d2ce4dde3a3cca2cbcfee1
SHA512 45730797a1511677c005ea93693e1b2ed16b00fa6995ea9ff3a8659c83ff049d68f1ab05a939e9c85df6f7747b22d53eb0dd5fa7e5e5b633b64ee30f70c60417

/data/user/0/com.pdffiller.l2f/shared_prefs/WebViewChromiumPrefs.xml

MD5 97ccd9a2b2063143df56b6937f961ca4
SHA1 5e78a91ae5df289ce83443cb7d5589dd3504fb5d
SHA256 248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd
SHA512 86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

/data/user/0/com.pdffiller.l2f/app_webview/Default/Web Data

MD5 a48cd9324b1f8754b07f00d863b840f3
SHA1 11c6614775b35a58f440971dfc87c8aaac6d6173
SHA256 8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420
SHA512 35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

/data/user/0/com.pdffiller.l2f/app_webview/Default/Web Data-journal

MD5 c25eebfc09a945691bf8775ba676b329
SHA1 b34dcdaceb73428cde6979d642d5cfd80924a23f
SHA256 1acacad56cb12223c7f5622700348d63cf6cc9202085c5c124fb53381c284391
SHA512 150e7fa3ad155053a336f8ada250a1ffcf22b085128ee8d08c6d4a936cbca90c84177622bc8e09e00465719969cbdf57d383558d341111db511b1e00bed1b3fc

/data/user/0/com.pdffiller.l2f/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.pdffiller.l2f/cache/WebView/Default/HTTP Cache/Code Cache/js/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.pdffiller.l2f/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index

MD5 71cf26a7ffad6ffec5460d00cdfc5499
SHA1 57ff6228fa52f97066cf14b38f56e5772c35514e
SHA256 0dcd1f2a396a1865253e88f3cac5e5ae5291806591cb775f27a3d826d65ac4e8
SHA512 d2eca4f43c20b31df72417b1988ecc896ef340bb69c0f492fc75e9c9cd0da87db4c9061fde0e6625f75739e6c9c3cbbbb95f249fb679f2a188df25a4afd8c936

/data/user/0/com.pdffiller.l2f/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index

MD5 ff8fa0a8e741c3b5b783b725d45a3715
SHA1 d5a25e3fee5165e8c4017ab4dac2752057d00d7f
SHA256 381db93ba7fbe4e2d58782fe2bdd2d545807c389a79021bd50afb0d982337023
SHA512 bd01a80eefd9515e8b17675e4b66d78c4e01d2392e333e3d44d5de4ec981134bf31fa346637f94b80d305ce0a16d4d8e7997b7d9cc129eb631be183b35f13d6c

/data/user/0/com.pdffiller.l2f/cache/WebView/Crashpad/settings.dat

MD5 ecff19e93e16fad97f8e33df321e2cbb
SHA1 c1c0e66b9b2a1e6afd4cc7ae437850bd22f1b7f0
SHA256 c92787e7d202baf886006584b1cf22ee9a84f8d7e952197ec15ae71c8cd1707f
SHA512 7688f8e0bf81e1233015e118c9b76787cf59107e816faad657546bab92e55a379aa713a252191a901d5376525dce89fd25b152150f9e3b71283a622ca8352a3c

/data/user/0/com.pdffiller.l2f/cache/WebView/font_unique_name_table.pb

MD5 f080fa2a56ab5479d58063e5ea871447
SHA1 4b3fd57a98916fa5784305b76ba30af26b5253d9
SHA256 0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815
SHA512 8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

/data/user/0/com.pdffiller.l2f/app_webview/.com.google.Chrome.MhM2qR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e