Malware Analysis Report

2024-09-09 16:37

Sample ID 230823-n2lpaabh94
Target 4067b5b04e75d56b634fc0a62641f993c0e29c0a24e31a1170dc69bb312fc044
SHA256 4067b5b04e75d56b634fc0a62641f993c0e29c0a24e31a1170dc69bb312fc044
Tags evasion ransomware stealth trojan godfather banker infostealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 4067b5b04e75d56b634fc0a62641f993c0e29c0a24e31a1170dc69bb312fc044

Threat Level: Known bad

The file 4067b5b04e75d56b634fc0a62641f993c0e29c0a24e31a1170dc69bb312fc044 was found to be: Known bad.

Malicious Activity Summary

evasion ransomware stealth trojan godfather banker infostealer

Godfather family

GodFather

Makes use of the framework's Accessibility service.

Removes its main activity from the application launcher

Requests enabling of the accessibility settings.

Loads dropped Dex/Jar

Acquires the wake lock.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2023-08-23 11:53

Signatures

Godfather family

godfather

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-23 11:53

Reported

2023-08-23 11:56

Platform

android-x86-arm-20230621-en

Max time kernel

574617s

Max time network

141s

Command Line

com.reallybadapps.podcastguru

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.reallybadapps.podcastguru

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 172.217.168.238:443 android.apis.google.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.202:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.250.179.202:443 semanticlocation-pa.googleapis.com tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-23 11:53

Reported

2023-08-23 11:56

Platform

android-x64-20230621-en

Max time kernel

574605s

Max time network

155s

Command Line

com.reallybadapps.podcastguru

Signatures

GodFather

banker trojan infostealer godfather

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /apex/com.android.runtime/javalib/core-oj.jar N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/app/com.reallybadapps.podcastguru-X9RZJwEt92SzM2ze-KG-PQ==/base.apk] N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.reallybadapps.podcastguru

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
DE 172.217.23.202:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 g.tenor.com udp
DE 172.217.23.202:443 g.tenor.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.250.179.202:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
NL 142.250.179.202:443 mdh-pa.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp

Files

/apex/com.android.runtime/javalib/core-oj.jar

MD5 7e343cbc45b618d05182d74bd61826b2
SHA1 02ee96263b3b967e570e8ddb1fa36cb21032b71b
SHA256 324b5af2ec2d78bb57b1552f429af51ac8d65f7fa277217ae8d4371ab14178d1
SHA512 48cbd8a5b246cf9d6ec16558ab12af131439837094c63a64046de384da933593459fb1aec126393bbe3b2b8ca19437f38b68364c9f158023a7b1a35e6901c705

[anon:dalvik-classes.dex extracted in memory from /data/app/com.reallybadapps.podcastguru-X9RZJwEt92SzM2ze-KG-PQ==/base.apk]

MD5 47178b2700b35894347269c45bae0960
SHA1 e12fc7f3cca154ff51512f3d0f4b3baa376c305e
SHA256 e8641c7a6a62d7c47b78c605d3dab36e0398df9f804813dc80fbf09b3eef258e
SHA512 61ae04a7de7fa491655c5dbefcb56a3a4996feca27612d16dfb272358904b1a6d54bedcd3cee1ef8b758414c7ff950db2d5f063ce4a03d4f3705beb3444e259f

Analysis: behavioral3

Detonation Overview

Submitted

2023-08-23 11:53

Reported

2023-08-23 11:56

Platform

android-x64-arm64-20230621-en

Max time kernel

574537s

Max time network

150s

Command Line

com.reallybadapps.podcastguru

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.reallybadapps.podcastguru

Network

Country Destination Domain Proto
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 N/A udp
NL 142.251.36.34:443 N/A tcp
DE 172.217.23.198:443 N/A tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 172.217.168.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
GB 216.58.208.106:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp

Files

N/A