Malware Analysis Report

2025-08-10 23:59

Sample ID 240518-xhw6caab3z
Target Codex_2.621.apk
SHA256 31531d515ce40ecd4f674b34856e9a149c96e94f71a53b5127cee71357b646eb
Tags
discovery evasion
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
7/10

SHA256

31531d515ce40ecd4f674b34856e9a149c96e94f71a53b5127cee71357b646eb

Threat Level: Shows suspicious behavior

The file Codex_2.621.apk was classified as "shows suspicious behavior" on the strength of the generic discovery and evasion signatures and the requested permissions listed below. Note that the submitted file name (Codex_2.621.apk) does not match the package that actually ran in both behavioral analyses (com.roblox.client); the name a sample is uploaded under says nothing about its contents, so the package name and the observed behaviour are what should be compared against a known-good build of the real client.

Malicious Activity Summary

discovery evasion

Checks memory information

Checks CPU information

Acquires the wake lock

Checks if the internet connection is available

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 18:52

Signatures

Requests dangerous framework permissions

Description                                                                   Indicator                                   Process  Target
Allows an app to post notifications.                                          android.permission.POST_NOTIFICATIONS       N/A      N/A
Allows an application to read the user's contacts data.                       android.permission.READ_CONTACTS            N/A      N/A
Allows an application to write to external storage.                           android.permission.WRITE_EXTERNAL_STORAGE   N/A      N/A
Allows an application broad access to external storage under scoped storage.  android.permission.MANAGE_EXTERNAL_STORAGE  N/A      N/A
Allows an application to read from external storage.                          android.permission.READ_EXTERNAL_STORAGE    N/A      N/A
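Classification of the permissions above by what they actually grant, as an added example written for this page (not code from the sandbox or from the app). The report files all of these under "dangerous framework permissions", but MANAGE_EXTERNAL_STORAGE has protection level signature|appop and is granted through the "All files access" screen in Settings rather than a runtime dialog, and the two legacy storage permissions stop having any effect once the app targets API 30 (WRITE_EXTERNAL_STORAGE) or API 33 (READ_EXTERNAL_STORAGE). The sample's targetSdkVersion is not stated anywhere on the page, so it is a parameter here (assumption); the repeated WRITE_EXTERNAL_STORAGE entry, which a manifest can legitimately produce with maxSdkVersion, is kept in the constructed input to show it being collapsed.

```python
"""Permission triage for the static1 table of this report.

Added example for this page; not code from the sandbox or from the app.
Protection levels and the "no effect from target SDK" rules follow the
Android permission documentation. The sample's targetSdkVersion is not
stated in the report, so it is a parameter here (assumption).
"""
from dataclasses import dataclass

# (protection level, first target SDK at which the permission has no effect, or None)
PERMISSION_INFO = {
    "android.permission.POST_NOTIFICATIONS": ("dangerous", None),  # runtime prompt on API 33+
    "android.permission.READ_CONTACTS": ("dangerous", None),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("dangerous", 30),  # ignored when targetSdk >= 30
    "android.permission.READ_EXTERNAL_STORAGE": ("dangerous", 33),  # ignored when targetSdk >= 33
    # "All files access": a Settings toggle (signature|appop), not a runtime dialog
    "android.permission.MANAGE_EXTERNAL_STORAGE": ("signature|appop", None),
}


@dataclass
class Finding:
    permission: str
    level: str
    effective: bool
    note: str


def triage_permissions(requested, target_sdk):
    """Collapse duplicates and say what each requested permission means for the given target SDK."""
    findings, seen = [], set()
    for perm in requested:
        if perm in seen:  # manifests may repeat a permission, e.g. once with maxSdkVersion
            continue
        seen.add(perm)
        level, dead_from = PERMISSION_INFO.get(perm, ("unknown", None))
        effective = dead_from is None or target_sdk < dead_from
        if not effective:
            note = f"no effect: target SDK {target_sdk} >= {dead_from}"
        elif level == "dangerous":
            note = "runtime permission, user sees a prompt"
        elif level == "signature|appop":
            note = "special app access granted in Settings, no runtime prompt"
        else:
            note = "not in the reference table, check the Android docs"
        findings.append(Finding(perm, level, effective, note))
    return findings


def effective_dangerous(requested, target_sdk):
    """The subset that is still a live runtime permission at this target SDK."""
    return sorted(f.permission for f in triage_permissions(requested, target_sdk)
                  if f.effective and f.level == "dangerous")


# Constructed input: the Indicator column of the static1 table, duplicate row included.
REPORTED = [
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
]

if __name__ == "__main__":
    for sdk in (29, 33):  # hypothetical targets: pre-scoped-storage vs. Android 13
        print(f"targetSdk {sdk}: live dangerous = {effective_dangerous(REPORTED, sdk)}")
        for f in triage_permissions(REPORTED, sdk):
            print(f"  {f.permission:44} {f.level:16} {f.note}")
```

With a target of 33 only READ_CONTACTS and POST_NOTIFICATIONS remain live runtime permissions; the storage entries are either dead or a Settings-level grant. READ_CONTACTS is the one worth explaining for a game client.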

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 18:51

Reported

2024-05-18 18:56

Platform

android-x64-arm64-20240514-en

Max time kernel

14s

Max time network

82s

Command Line

com.roblox.client

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
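Both behavioral runs flag the reads of /proc/cpuinfo and /proc/meminfo as evasion/discovery. The sandbox cares because these files give the emulator away: the platform string android-x64-arm64 presumably denotes an x86_64 image running arm64 code, and an app that compares the CPU it sees with the ABI it was built for, or that finds a hypervisor flag and a small MemTotal, can decline to do anything interesting. The following is an added example (not the app's code and not the sandbox's signature logic) that applies the usual heuristics to two constructed /proc samples, one shaped like a physical arm64 handset and one like an x86_64 emulator image; the exact strings are assumptions. Bear in mind that game engines and crash reporters read /proc/cpuinfo routinely, so on its own this signature says little.

```python
"""What an app can learn from /proc/cpuinfo and /proc/meminfo.

Added example; not code from the report or from the analysed app.
The samples below are constructed to resemble a physical arm64 phone
and an x86_64 emulator image; treat the exact strings as assumptions.
"""
import re


def parse_proc(text):
    """Parse 'key : value' lines of a /proc file; keys repeat per CPU, so values are lists."""
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        out.setdefault(key.strip().lower(), []).append(value.strip())
    return out


def mem_total_mib(meminfo):
    kib = int(parse_proc(meminfo)["memtotal"][0].split()[0])
    return kib // 1024


def emulator_indicators(cpuinfo, meminfo):
    """Return the heuristics that fire; an empty list means nothing points at an emulator."""
    cpu = parse_proc(cpuinfo)
    hits = []
    flags = " ".join(cpu.get("flags", []))          # x86 field; ARM kernels use 'Features'
    if re.search(r"\bhypervisor\b", flags):
        hits.append("cpu flags advertise 'hypervisor' (running as a VM guest)")
    for key in ("hardware", "model name"):
        for value in cpu.get(key, []):
            if re.search(r"goldfish|ranchu|qemu|virtual", value, re.I):
                hits.append(f"{key} = {value!r}")
    if "vendor_id" in cpu and "cpu implementer" not in cpu:
        hits.append("x86 cpuinfo layout (no ARM 'CPU implementer' field)")
    total = mem_total_mib(meminfo)
    if total < 1536:
        hits.append(f"MemTotal {total} MiB is below typical handset RAM")
    return hits


# Constructed samples (assumptions, not captures from this run).
PHONE_CPUINFO = """\
processor\t: 0
BogoMIPS\t: 38.40
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp
CPU implementer\t: 0x41
CPU architecture: 8
CPU part\t: 0xd05
Hardware\t: Qualcomm Technologies, Inc SM8250
"""
PHONE_MEMINFO = "MemTotal:        7824564 kB\nMemFree:         1204432 kB\n"

EMULATOR_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model name\t: Android virtual processor
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc hypervisor
"""
EMULATOR_MEMINFO = "MemTotal:        1012456 kB\nMemFree:          410120 kB\n"

if __name__ == "__main__":
    for name, cpu, mem in (("phone", PHONE_CPUINFO, PHONE_MEMINFO),
                           ("emulator", EMULATOR_CPUINFO, EMULATOR_MEMINFO)):
        print(name, emulator_indicators(cpu, mem) or "no indicators")
```

An app that bails out when any of these fire would show exactly this report's profile: a handful of discovery reads and then nothing. The counter on the analyst's side is a sandbox image whose /proc files look like a real device, or hooking the reads and returning the phone-shaped sample.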

Processes

com.roblox.client

Network

Country  Destination            Domain                             Proto
N/A      224.0.0.251:5353       -                                  udp
GB       142.250.200.46:443     -                                  tcp
GB       142.250.200.46:443     -                                  tcp
GB       142.250.200.46:443     -                                  tcp
US       1.1.1.1:53             digitalassetlinks.googleapis.com   udp
GB       216.58.212.202:443     digitalassetlinks.googleapis.com   tcp
US       1.1.1.1:53             ssl.google-analytics.com           udp
GB       172.217.169.40:443     ssl.google-analytics.com           tcp
US       1.1.1.1:53             clientsettingscdn.roblox.com       udp
GB       23.215.232.238:443     clientsettingscdn.roblox.com       tcp
GB       216.58.201.100:443     -                                  tcp
GB       216.58.201.100:443     -                                  tcp
US       1.1.1.1:53             clientsettingscdn.roblox.com       udp
GB       23.215.232.238:443     clientsettingscdn.roblox.com       tcp

(- : no hostname was associated with this destination in the capture)

Files

/data/data/com.roblox.client/no_backup/com.google.InstanceId.properties

MD5 5ad40a6dbeb4061fcc1251102dd5f483
SHA1 807d6e72c0a75ec586726db14edaaa51773e5a44
SHA256 cee7490a7730a28460b2a744bccc54c398339ab265c705cf81a8314d0022e3d0
SHA512 fbf161cdb69c51f43632a3740f588b19b5cbe35d222ebfe5eb82374b1ed679e7ed2c3d565e47783bea14439a1ed4253213ed8ed74db2a1e14bfa001ea560a2f9

/data/data/com.roblox.client/cache/journal.tmp

MD5 37e8e716e0e2f4a0b05cd9571d95b84d
SHA1 f8d068f6931707bddb8cd69f706f2224ad1fea3c
SHA256 7080cb592d5149c858b206d3fd0d5e3e7d601f120af00b2616bee928ee1291ca
SHA512 e62b850901835fdb73fa6224618422f721dd765861d42f6bc2dd013413e96bd910ac5313afd9b4f63da74beb12a15fac81b5157456c9caa3031862dab84423f6

/data/data/com.roblox.client/files/PersistedInstallation5510036263777541640tmp

MD5 5b909c00ed936cda91142ab74c83aeb6
SHA1 ca65ecb3a67c035b64a06c2af5356b172b1145db
SHA256 6e9d5ec1db9060fef50e280afe1fa164eee2482d8a0ad7734f1ca9e2f65cd916
SHA512 58c2354dfeae607df4c4ed84d3a00ee5163e923a6a5888af17eb86da9b64f080c9470ee49e2a9fb8c98f23ef9bae98f4d97de032b124015463bfe4a4bf518428

/data/data/com.roblox.client/databases/google_app_measurement_local.db-journal

MD5 594caf70098add155da18ef2811e6190
SHA1 6fdec5f68154c3b1bae6f7a907b8e94a6d38f247
SHA256 9421816e93635145d45969f93f8175e63215afea608cb12c5c4df96cab114bc4
SHA512 2ad0249779c36c29bc90290d2b71fe5c656c8831a6357c7c12ebdbe44f38c9490d9ccf99d0336f9678910d61f41304613f57fc2f5406a90d616f3527c72077ff

/data/data/com.roblox.client/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/data/com.roblox.client/databases/google_app_measurement_local.db-journal

MD5 41ecf66f9fe3a5a8d593972931a3e3f7
SHA1 b579b6d3bcd6466791bf51a396c16184627f2424
SHA256 76704ddc66c18a47792573451f0c4fda9514ea75b9de065958667427efa7d8ab
SHA512 049472c185b829e2b564729977425ca10238047e10ee4d713c88a385d4203a01e8efefb313a3f8374a0eb8ae7771c9138f966243d4f7b89c9190228550ca2d6c

/data/data/com.roblox.client/databases/google_app_measurement_local.db-journal

MD5 1a13fab49b1b17db0d594269306e4d5c
SHA1 2d9459c1846f29660e73c4e2c4f6f7302889da23
SHA256 516a232d1e0856fb02811bb361f6a0e8e65718491c13c747e2e24843495b3f0d
SHA512 71af7c61e31b03cbfb32788fd92ba4c0257988aa3c073650cdd62d5d05072f9ccfa704951e59003a70150c0c834efaba470f6fc5bb13b24bf91733aaad19e520

/data/data/com.roblox.client/databases/google_app_measurement_local.db-journal

MD5 3b5ecc85e09201319d470ada2efe3183
SHA1 d5aabd71f1cf06e3fb640375d6e28058b6dec873
SHA256 18148fb117162596dddf5f0aa239166e82bfeb7de1a7f37d2d3bb3546c5f15b8
SHA512 809ff09853079004bf0bc45be6aa297677d051727b0216e96d1232de89e57ea36a75a2aef7dee5eb9bbd2f543004b9c555ac1a583c657fbec2c3a121801ce26c

/data/data/com.roblox.client/cache/journal

MD5 ba899779dbec35cdea6ac69590f30d30
SHA1 5aa681a81b50f49825ff8f7764f51a276db2e84e
SHA256 48444b1a2a0adddc7093e07510dfca315409a6c094a08e9b514341e5be9f8fe4
SHA512 f872bbd8539a1bcc396311f6389899ada584cd82ccb359aad95925b2978c49e7ed1b2105c14e802ab31e637e95bac17fd8bad70f682bd51c86d0a02365ad7eaa

/data/data/com.roblox.client/cache/0de3774d53f29efb27fa09a940a0ec5f.0.tmp

MD5 bd4795a6bbf5f30f0bba36c59c2c66cf
SHA1 45ac20384d13266716751efcf4482715285ea12a
SHA256 c3e4f84519ad487c6ccec925918f6d7b859b51d964a5896936b688d1c898bcb8
SHA512 33fb09b8c2bb6d2d135e8545844a78e2a0bc97d6ed672b28b96fbfab37e4d05db440f54f6349a2131fdda3469d2e72c9885bf1a9924787f555f5aae3e538498a

/data/data/com.roblox.client/cache/0de3774d53f29efb27fa09a940a0ec5f.1.tmp

MD5 39cc03f4dad8602327e2af82859a7db7
SHA1 fd8df03b8faa4133096cb26993be9d911be27159
SHA256 f69272d8be5168e51be6516990871e3b0f826b866916322f826d05039194fa89
SHA512 ebbd31edff8054938997d111412310b40fe25f34b5330555f8a4bb0a0b9f3b30e48402c302b0fa06d633f6c47589d30372750d5f571df2673df525d9714978b7

/data/data/com.roblox.client/databases/google_app_measurement_local.db-journal

MD5 3c3f6ebcf3daa35ccf23ac71f4247eb3
SHA1 995e1f56892197702df8ad5f8ee5ea0452d2b20a
SHA256 ffeab717c76a77b7cd64f952f68195edb2f225a2e06e8e2a52ca10c72da578de
SHA512 9a3d7df876d60079481ee59cd12d91615648c6f212dc671ef4c9affaa2939a2c0e8a3611383e3026b0b2a78eb92225a210f4fc0adfa9b86ebcfc4a0d486e6000

/data/data/com.roblox.client/databases/google_app_measurement_local.db-journal

MD5 6d4c1b764c3fb99e8df25e73d6ba9fd7
SHA1 b14737adcc0ffe3b84dea2abcd5a17a539cfb092
SHA256 6b5767260cf99738bdccbf02d993b301b8cdcdc29e594e21f41ab5845dbaf360
SHA512 d5c760277e3b1cfc226114e7e3e1f402781c7d4a1a3ee03e3ff4a3150901fce28aa50aec18630692d8310c8d54ebba4d661e97deacc41726370c48e1ba1474c9

/data/data/com.roblox.client/databases/google_app_measurement_local.db

MD5 caaa6cfc94d4e475c71ebd6ad510da1d
SHA1 5187772c83af05ee76e13452af1df689575760db
SHA256 692bf28bd311ebc785d63d4355f64107726cc3f18a9b0864fa52ac3a081f669b
SHA512 cd9fd354915eb11633e9ff4028ec795686281bb20d5140fb3482b99b2cb80b1bdfb9a591fe76cff9b3b455026fedd522201a00b9b40bb1e04c002ee657559c66

/data/data/com.roblox.client/files/PersistedInstallation3308665091173506947tmp

MD5 124f0f00672ff5d8befc0119c0e96c81
SHA1 5294b21ed6cec3990a3221abfc36be6fc0871a53
SHA256 5a233040841e4aeded5c6c1dd466b51906d5d252285d4a099a22a26da9993c9a
SHA512 251109896ce9a535085d6ee02d63fd0e787567bfc1534df7a2fce0c90a5e3381e5fbcaa39d829a861ae4fe99a8ff76fb525c9055bc8af69feaa31b6ef347e8ff

/data/data/com.roblox.client/databases/google_app_measurement_local.db

MD5 ddb7c740f5c4a588a89fd998a0e57656
SHA1 2139cdba05c2cda8dd376f574947109f5f94b0a0
SHA256 a8eb59af3d0dfa7711621c7fde107d6b61362fca8fccbfaadcb865d8ede55fd1
SHA512 63dd7597c1caf60ba98bffb5be007fb05ee75f997b71a81914175659793f84fb915cdd943733423d1c73a6c946fd4fdbb5e9f6d4a572dc4ff8af42242d0eef9e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 18:51

Reported

2024-05-18 18:56

Platform

android-33-x64-arm64-20240514-en

Max time kernel

9s

Max time network

74s

Command Line

com.roblox.client

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.roblox.client

Network

Country  Destination            Domain                             Proto
N/A      224.0.0.251:5353       -                                  udp
GB       216.58.204.68:443      -                                  udp
GB       216.58.204.68:443      -                                  tcp
GB       216.58.204.68:443      -                                  tcp
GB       142.250.187.195:443    -                                  tcp
US       1.1.1.1:53             digitalassetlinks.googleapis.com   udp
GB       216.58.201.106:443     digitalassetlinks.googleapis.com   tcp
US       1.1.1.1:53             clientsettingscdn.roblox.com       udp
GB       23.215.232.238:443     clientsettingscdn.roblox.com       tcp
US       172.64.41.3:443        -                                  tcp
US       172.64.41.3:443        -                                  tcp
US       172.64.41.3:443        -                                  udp
GB       142.250.187.227:443    -                                  tcp
GB       142.250.187.227:443    -                                  udp
US       1.1.1.1:53             remoteprovisioning.googleapis.com  udp
GB       216.58.212.234:443     remoteprovisioning.googleapis.com  tcp
GB       216.58.204.68:443      -                                  udp
GB       216.58.201.100:443     -                                  udp
GB       216.58.201.100:443     -                                  tcp
GB       216.58.201.100:443     -                                  tcp
US       1.1.1.1:53             clientsettingscdn.roblox.com       udp
GB       23.215.232.238:443     clientsettingscdn.roblox.com       tcp

(- : no hostname was associated with this destination in the capture; udp to :443 is QUIC)
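Not every row in the network tables of behavioral1 and behavioral2 is the sample's doing. digitalassetlinks.googleapis.com is fetched by the OS and Play services to verify App Links after an install, remoteprovisioning.googleapis.com is the system's remote key provisioning for attestation keys (it appears only on the android-33 image, which is consistent with that), and 224.0.0.251:5353 is mDNS. clientsettingscdn.roblox.com and ssl.google-analytics.com are traffic from the app and the telemetry SDK it bundles (the google_app_measurement_local.db files listed under Files are Firebase Analytics state). Rows with no domain are destinations for which the capture holds no DNS answer, usually because resolution happened before capture started, came from cache, or went over QUIC; those need a reverse lookup by hand before anything is concluded. The script below is an added example (not part of the report) that sorts both tables into those buckets; the allowlist of platform endpoints is the editor's assumption, and the rows are copied from the two tables as constructed input.

```python
"""Separate sample-attributable connections from Android platform background traffic.

Added example; not part of the sandbox report. PLATFORM_BACKGROUND is the
editor's assumption about what the OS contacts on its own; the row data is
copied from the behavioral1 and behavioral2 network tables of the report.
"""
from collections import defaultdict

# Endpoints the OS contacts regardless of the app under test (assumption).
PLATFORM_BACKGROUND = {
    "digitalassetlinks.googleapis.com": "App Links verification after install",
    "remoteprovisioning.googleapis.com": "attestation key provisioning (RKP)",
    "224.0.0.251:5353": "mDNS multicast",
}


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; '-' or a missing column means no domain."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
            domain = None if domain == "-" else domain
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def classify(rows):
    """Bucket rows into dns / platform / sample / unresolved, deduplicated and sorted."""
    buckets = defaultdict(set)
    for r in rows:
        dest = f"{r['ip']}:{r['port']}"
        if r["port"] == 53:
            buckets["dns"].add(r["domain"] or dest)
        elif r["domain"] in PLATFORM_BACKGROUND or dest in PLATFORM_BACKGROUND:
            buckets["platform"].add(r["domain"] or dest)
        elif r["domain"]:
            buckets["sample"].add(r["domain"])
        else:
            # No DNS answer tied to this IP in the capture: resolved earlier, cached,
            # or carried over QUIC. Needs a manual reverse lookup before attribution.
            buckets["unresolved"].add(f"{dest}/{r['proto']}")
    return {k: sorted(v) for k, v in buckets.items()}


# Rows copied from the report's two network tables (constructed input for this example).
RUN1 = """
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 digitalassetlinks.googleapis.com udp
GB 216.58.212.202:443 digitalassetlinks.googleapis.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 clientsettingscdn.roblox.com udp
GB 23.215.232.238:443 clientsettingscdn.roblox.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
US 1.1.1.1:53 clientsettingscdn.roblox.com udp
GB 23.215.232.238:443 clientsettingscdn.roblox.com tcp
"""
RUN2 = """
N/A 224.0.0.251:5353 udp
GB 216.58.204.68:443 udp
GB 216.58.204.68:443 tcp
GB 216.58.204.68:443 tcp
GB 142.250.187.195:443 tcp
US 1.1.1.1:53 digitalassetlinks.googleapis.com udp
GB 216.58.201.106:443 digitalassetlinks.googleapis.com tcp
US 1.1.1.1:53 clientsettingscdn.roblox.com udp
GB 23.215.232.238:443 clientsettingscdn.roblox.com tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 udp
GB 142.250.187.227:443 tcp
GB 142.250.187.227:443 udp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 216.58.212.234:443 remoteprovisioning.googleapis.com tcp
GB 216.58.204.68:443 udp
GB 216.58.201.100:443 udp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
US 1.1.1.1:53 clientsettingscdn.roblox.com udp
GB 23.215.232.238:443 clientsettingscdn.roblox.com tcp
"""

if __name__ == "__main__":
    for name, data in (("behavioral1", RUN1), ("behavioral2", RUN2)):
        print(name)
        for bucket, items in classify(parse_rows(data)).items():
            print(f"  {bucket:10} {', '.join(items)}")
```

The only sample-attributable hostnames across both runs are the Roblox settings CDN and Google Analytics; everything else that is named is platform background. The nine unresolved destinations in behavioral2 and two in behavioral1 are what remains to be checked, and the 216.58.x / 142.250.x / 172.217.x ranges and 172.64.41.3 should be confirmed by reverse lookup rather than assumed.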

Files

/data/data/com.roblox.client/no_backup/com.google.InstanceId.properties

MD5 e474fe69a60f5aa8ec4b6e03ecc55271
SHA1 a67e42c9255dff77d77f2b53f815b56bb817f8fb
SHA256 527189e6703f8ce540ffd6eaafdac263bee9c447380f53cf1398d88339f82bd0
SHA512 b749b1a5867c680858ff8d6bb664a1efd9a038075d32d6c1c58237baf24c07e13991d35e9447c1897d0100bdbcad0f157023fae559aaf521e2d05c9d3ede78b8

/data/data/com.roblox.client/cache/journal.tmp

MD5 37e8e716e0e2f4a0b05cd9571d95b84d
SHA1 f8d068f6931707bddb8cd69f706f2224ad1fea3c
SHA256 7080cb592d5149c858b206d3fd0d5e3e7d601f120af00b2616bee928ee1291ca
SHA512 e62b850901835fdb73fa6224618422f721dd765861d42f6bc2dd013413e96bd910ac5313afd9b4f63da74beb12a15fac81b5157456c9caa3031862dab84423f6

/data/data/com.roblox.client/files/PersistedInstallation2421952480786092757tmp

MD5 897651ae7ef8ca8ad0b6c0b45c0ea383
SHA1 7b452dca66a342e85279003a2cc2e1c009815d35
SHA256 0e93db069f131f210f8172f411af1f18e1838f06981d556a3d674f9eb4e0e70a
SHA512 810f9aebfdb64b71303e8c0142dd0bd94d9d5b56fae180f4fd0dc9d16f92f668c0a967ec940d887630302fdfe1edbe343d364648978b94db562ee8cf8646bae8

/data/data/com.roblox.client/cache/journal

MD5 ba899779dbec35cdea6ac69590f30d30
SHA1 5aa681a81b50f49825ff8f7764f51a276db2e84e
SHA256 48444b1a2a0adddc7093e07510dfca315409a6c094a08e9b514341e5be9f8fe4
SHA512 f872bbd8539a1bcc396311f6389899ada584cd82ccb359aad95925b2978c49e7ed1b2105c14e802ab31e637e95bac17fd8bad70f682bd51c86d0a02365ad7eaa

/data/data/com.roblox.client/cache/0de3774d53f29efb27fa09a940a0ec5f.0.tmp

MD5 b2e7765b22350727eea5f92ca08afa75
SHA1 799ab31084e80a7a263b6cbed970cfafe71c4efb
SHA256 64409c7737701e926bcd39f48f4f03d63cea1386972b634e0b7f59d8a04ba676
SHA512 ced56a2fc3f1c5704ccb13d4f30ffae2ba7db180600c6ecf16188d635d763d92efedccafe5bd1da46453c1ae55afe32f1f4fe79a5216716047e26a48b52a519c

/data/data/com.roblox.client/cache/0de3774d53f29efb27fa09a940a0ec5f.1.tmp

MD5 39cc03f4dad8602327e2af82859a7db7
SHA1 fd8df03b8faa4133096cb26993be9d911be27159
SHA256 f69272d8be5168e51be6516990871e3b0f826b866916322f826d05039194fa89
SHA512 ebbd31edff8054938997d111412310b40fe25f34b5330555f8a4bb0a0b9f3b30e48402c302b0fa06d633f6c47589d30372750d5f571df2673df525d9714978b7

/data/data/com.roblox.client/databases/google_app_measurement_local.db-journal

MD5 86e82cdc137f32d58cccd8e27a729258
SHA1 9606a39d302502d45016a6f13cc7ce5e6d01ca0e
SHA256 eb42849d7b6641a8e7b267f2c415c8f3c8c600d739c113e4e47e8bed64e768b5
SHA512 e977140d86de81b4b0d1adfb5c4dcf82e4ece1d003a981adaef5dce81aa8f6fc3572eeaf972321dfb8c102ac4c6d56fd8e677553ac8baddd716d1ef58f99eeee

/data/data/com.roblox.client/databases/google_app_measurement_local.db

MD5 62ad4a05cbdca7f47b3206b7dbda487f
SHA1 4f4044cef7b7b1e5c6184ed9025267fc92bf0cd3
SHA256 18b909096c7c61d51ab076ae8e562effb0d4ada28e2a4ecd0e6b88ef58f6b2a6
SHA512 0936531ed1b2b356a247123200739a43cfc765469ab47a424dcd6e3d1176092a212b0a28591d07f8c2d0cc9d2e0eeddfcea8dde314c2f9343783c61075b071a6

/data/data/com.roblox.client/databases/google_app_measurement_local.db-journal

MD5 3addea365bc3dbcaf04982099f647034
SHA1 2372b7f820d4dd9425b53286b68f472c46a3a416
SHA256 7fb9162dbfac1752bde3d0f2291ed65162fea8a33e72a8db9c6d96c3d4d8ecd8
SHA512 ecc01c2fd9b8d07c872510238866299d9a8f76ac8193dd8376f650a3f3e8107a0a4255f412ec9db72239b8bf23133721a5d184ed0577d80d021cec696233afb6

/data/data/com.roblox.client/databases/google_app_measurement_local.db-journal

MD5 ca6ed337ee7d3f68823e5594f10f8751
SHA1 bde6d618a34cfab4bac26ad931e422e39fd8714e
SHA256 0bd47c3aa151a1a1cf9c5043c71236b9a3611140c324421e78941c640d3cb2d7
SHA512 8c7cf5666afb0e777b0c59d205234918bf9df71df2de3a0c03fa17b8d99a42e5a7f57e4a80cfca185db7cccd8f5d3f6efc31390cf5b9411938bf2a149dc1e8b0

/data/data/com.roblox.client/databases/google_app_measurement_local.db-journal

MD5 be6b3cd7562e08887cde04cb2ba1a849
SHA1 5e83fe1c9ffdd1908d3b1254128a80af0ca087b8
SHA256 964ebd6fe950f3a805d7613fe1e68bd5103cdeb2e6bc94abf1c6f84d69f38823
SHA512 cda33dc2400efbd98bc9ef80133c7be3bb70696873aac472f12104530e90adfd5a456482a52c11b376850e20cd39555341696042c17aa3694328237e858256cb

/data/data/com.roblox.client/databases/google_app_measurement_local.db-journal

MD5 0ad9b50ed66cab2dcad5e7446859b840
SHA1 9e98b17d7436e7657095a83e33bf7dfcb613d2e9
SHA256 ab00900bc932d74b8402eff31ecb49d6bc651a357af7c29b497d0b44eaf6c7ae
SHA512 b8547363d7be1d6c058c80631bb1c728af4fe4d14c9dabcedf21136513d86937d750491361d6fb7fe982a4b4e406fac766ff77813005050085a005415b0dba9d

/data/data/com.roblox.client/files/PersistedInstallation6795219386157038434tmp

MD5 c403c520c89ed39de8dd8d542fafb3f5
SHA1 fb33efec837ac067d25b9632d45c9b52b57b20c3
SHA256 0d0018f00922123ba6fa490ea59dc2175b6852d9eaa74254f29d8ae07d173f20
SHA512 0a9a832bb0dfe84adcc91cb622628a82f01106d2dc9f2b5a345909308d9963b3a852ee352e2c9dceab4449c66033e3c41b4a115adb656f0a91fc836cb5441d14

/data/data/com.roblox.client/databases/google_app_measurement_local.db-journal

MD5 e0cdb65ee866cbecd2ec8fe3f020feff
SHA1 dee37cc217a32b638b075cbb72a6ba8beb504a10
SHA256 7b7af808a1da0362d5edf522c8492587d141383e90ddef5227b38054ba3b191a
SHA512 a4665c7b488dc9433fd23607ab63c35e39a7c32d614c12ba60d2f1c191381169513ecfd9609488c5912e53bb3a6a7a9eacf1f29e54f6edbdd865b73d80fcc751

/data/data/com.roblox.client/databases/google_app_measurement_local.db

MD5 858496e27312d5e25becc54720d7e16a
SHA1 e8fb8b4e6d25459ca8de0d0e4ba88609a4d91e50
SHA256 072e319b9e0caa2faba8a950d0edcb0fe7fd7e528a43f6d42a25ab33b16e2541
SHA512 00493d5521b3836564d58901ac908890d9ee17e49ce543f77111919f3c6f94b07476acd9a98c3f31e7155fb8a908d18ee4e53e1fada98f746ecb4a7030c69b7e

/data/data/com.roblox.client/databases/google_app_measurement_local.db

MD5 f0fd189b2b7bb133550d05ff73ce187d
SHA1 bda5b7abf9c313361c7bfd975949f13af41d8017
SHA256 c61077df02bcb9827eebc383ce42e3cb19524da7c4ac63d302e9a9aa8265ba22
SHA512 568909b7c4f51cd02a002fe5958b441e0d893e87cfa91f6846396fecc731595b04939a5373fd4d080f85a47ef4dd8dfcf875bd847e0e0039e651e7afb2fbb7d3