Analysis Overview
SHA256
4067b5b04e75d56b634fc0a62641f993c0e29c0a24e31a1170dc69bb312fc044
Threat Level: Known bad
The file 4067b5b04e75d56b634fc0a62641f993c0e29c0a24e31a1170dc69bb312fc044 was found to be: Known bad.
Malicious Activity Summary
Godfather family
GodFather
Makes use of the framework's Accessibility service.
Removes its main activity from the application launcher
Requests enabling of the accessibility settings.
Loads dropped Dex/Jar
Acquires the wake lock.
Requests disabling of battery optimizations (often used to enable hiding in the background).
Uses Crypto APIs (Might try to encrypt user data).
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-08-23 11:53
Signatures
Godfather family
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-23 11:53
Reported
2023-08-23 11:56
Platform
android-x86-arm-20230621-en
Max time kernel
574617s
Max time network
141s
Command Line
Signatures
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Requests enabling of the accessibility settings.
| Description | Indicator | Process | Target |
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.reallybadapps.podcastguru
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 172.217.168.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.250.179.202:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 142.250.179.202:443 | semanticlocation-pa.googleapis.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-23 11:53
Reported
2023-08-23 11:56
Platform
android-x64-20230621-en
Max time kernel
574605s
Max time network
155s
Command Line
Signatures
GodFather
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /apex/com.android.runtime/javalib/core-oj.jar | N/A | N/A |
| N/A | [anon:dalvik-classes.dex extracted in memory from /data/app/com.reallybadapps.podcastguru-X9RZJwEt92SzM2ze-KG-PQ==/base.apk] | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.reallybadapps.podcastguru
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| DE | 172.217.23.202:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | g.tenor.com | udp |
| DE | 172.217.23.202:443 | g.tenor.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 142.250.179.202:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp |
| NL | 142.250.179.202:443 | mdh-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
Files
/apex/com.android.runtime/javalib/core-oj.jar
| MD5 | 7e343cbc45b618d05182d74bd61826b2 |
| SHA1 | 02ee96263b3b967e570e8ddb1fa36cb21032b71b |
| SHA256 | 324b5af2ec2d78bb57b1552f429af51ac8d65f7fa277217ae8d4371ab14178d1 |
| SHA512 | 48cbd8a5b246cf9d6ec16558ab12af131439837094c63a64046de384da933593459fb1aec126393bbe3b2b8ca19437f38b68364c9f158023a7b1a35e6901c705 |
[anon:dalvik-classes.dex extracted in memory from /data/app/com.reallybadapps.podcastguru-X9RZJwEt92SzM2ze-KG-PQ==/base.apk]
| MD5 | 47178b2700b35894347269c45bae0960 |
| SHA1 | e12fc7f3cca154ff51512f3d0f4b3baa376c305e |
| SHA256 | e8641c7a6a62d7c47b78c605d3dab36e0398df9f804813dc80fbf09b3eef258e |
| SHA512 | 61ae04a7de7fa491655c5dbefcb56a3a4996feca27612d16dfb272358904b1a6d54bedcd3cee1ef8b758414c7ff950db2d5f063ce4a03d4f3705beb3444e259f |
Analysis: behavioral3
Detonation Overview
Submitted
2023-08-23 11:53
Reported
2023-08-23 11:56
Platform
android-x64-arm64-20230621-en
Max time kernel
574537s
Max time network
150s
Command Line
Signatures
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Requests enabling of the accessibility settings.
| Description | Indicator | Process | Target |
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.reallybadapps.podcastguru
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.251.36.34:443 | | tcp |
| DE | 172.217.23.198:443 | | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 172.217.168.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| GB | 216.58.208.106:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |