Malware Analysis Report

2025-08-11 00:00

Sample ID 240518-xgbg9aae34
Target Codex_2.621.apk
SHA256 31531d515ce40ecd4f674b34856e9a149c96e94f71a53b5127cee71357b646eb
Tags: discovery evasion
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

31531d515ce40ecd4f674b34856e9a149c96e94f71a53b5127cee71357b646eb

Threat Level: Shows suspicious behavior

The file Codex_2.621.apk was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion

Checks memory information

Checks CPU information

Acquires the wake lock

Checks if the internet connection is available

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 18:49

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application broad access to external storage under scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 18:49

Reported

2024-05-18 18:51

Platform

android-x86-arm-20240514-en

Max time kernel

5s

Max time network

34s

Command Line

com.roblox.client

Signatures

Checks CPU information

Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Tags: evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.roblox.client

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
GB | 142.250.187.195:443 | (none) | tcp
GB | 142.250.187.195:443 | (none) | tcp
US | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp
GB | 216.58.212.227:443 | (none) | tcp
US | 1.1.1.1:53 | clientsettingscdn.roblox.com | udp
GB | 23.215.232.238:443 | clientsettingscdn.roblox.com | tcp
GB | 142.250.180.14:443 | (none) | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp

Files

/data/data/com.roblox.client/no_backup/com.google.InstanceId.properties

/data/data/com.roblox.client/cache/journal.tmp

/data/data/com.roblox.client/files/PersistedInstallation4624509065037252809tmp

/data/data/com.roblox.client/cache/journal

/data/data/com.roblox.client/databases/google_app_measurement_local.db-journal

/data/data/com.roblox.client/cache/0de3774d53f29efb27fa09a940a0ec5f.0.tmp

/data/data/com.roblox.client/cache/0de3774d53f29efb27fa09a940a0ec5f.1.tmp

/data/data/com.roblox.client/databases/google_app_measurement_local.db

/data/data/com.roblox.client/databases/google_app_measurement_local.db-shm

/data/data/com.roblox.client/databases/google_app_measurement_local.db-wal

/data/data/com.roblox.client/files/PersistedInstallation8695817922069679322tmp

/data/data/com.roblox.client/databases/google_app_measurement_local.db-wal

/data/data/com.roblox.client/databases/google_app_measurement_local.db

/data/data/com.roblox.client/databases/google_app_measurement_local.db-wal

/data/data/com.roblox.client/databases/google_app_measurement_local.db