Malware Analysis Report

2024-10-16 05:07

Sample ID: 240723-x2fygatbqp
Target: sigma.apk
SHA256: ec2654fcdaa602671c65fcd7df97643ddc73732e6291b08c5d2db03f667d6a9e
Tags: discovery, sandrorat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: ec2654fcdaa602671c65fcd7df97643ddc73732e6291b08c5d2db03f667d6a9e

Threat Level: Known bad

The file sigma.apk was found to be: Known bad.

Malicious Activity Summary

Tags: discovery, sandrorat

Sandrorat family
Requests dangerous framework permissions
Acquires the wake lock
Queries information about active data network

The verdict rests on the family signature and on the requested permission set. Acquiring a wake lock and querying the active data network are routine in benign apps and are weak indicators on their own; they are listed because they were observed, not because they are incriminating by themselves.

MITRE ATT&CK (Mobile Matrix V15)

The only ATT&CK tactic tagged in this report is discovery, attached to the behavioral signature "Queries information about active data network".
Analysis: static1

Detonation Overview

Reported: 2024-07-23 19:20

Signatures

Sandrorat family (tag: sandrorat)

The package name net.droidjack.server seen as the process in the behavioral run, together with the on-device file SandroRat_Configuration_Database, is consistent with DroidJack, the RAT that grew out of SandroRat; the two names refer to the same lineage.

Requests dangerous framework permissions

Process and Target are N/A for every row below: this is a static signature over the manifest, with no process context.

Indicator                                   Description
android.permission.READ_SMS                 Allows an application to read SMS messages.
android.permission.RECEIVE_SMS              Allows an application to receive SMS messages.
android.permission.RECORD_AUDIO             Allows an application to record audio.
android.permission.READ_EXTERNAL_STORAGE    Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE   Allows an application to write to external storage.
android.permission.READ_PHONE_STATE         Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.ACCESS_FINE_LOCATION     Allows an app to access precise location.
android.permission.CAMERA                   Required to be able to access the camera device.
android.permission.WRITE_CONTACTS           Allows an application to write the user's contacts data.
android.permission.READ_CONTACTS            Allows an application to read the user's contacts data.
android.permission.SEND_SMS                 Allows an application to send SMS messages.
android.permission.READ_CALL_LOG            Allows an application to read the user's call log.
android.permission.WRITE_CALL_LOG           Allows an application to write and read the user's call log data.
android.permission.CALL_PHONE               Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.

No single permission here is malicious; SMS, call-log, contacts, microphone, camera and precise-location access together, in an app with no visible reason for them, is the RAT profile the signature is keying on.
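The permission table above is the kind of thing worth turning into a repeatable static check rather than reading by eye. The following is an added example, not code from the report or from any sandbox: it parses uses-permission entries from a decoded AndroidManifest.xml or from `aapt dump permissions` output, maps them onto capability groups, and flags a manifest that covers many groups at once. The manifest and aapt text are constructed from the permissions listed above (package name taken from the behavioral process list); the capability groups and the threshold of five are this example's own heuristic.

```python
"""Permission-set triage for an Android APK.

Added example, not part of the sandbox report. The sample manifest and aapt
output are constructed from the static1 permission list; CAPABILITIES and the
threshold are an illustrative heuristic, not a sandbox rule.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed decoded manifest containing only the permissions from the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="net.droidjack.server">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="sigma"/>
</manifest>
"""

# Constructed `aapt dump permissions` output for a benign-looking app, for contrast.
SAMPLE_AAPT = """package: com.example.notes
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

# Capability groups a RAT typically needs; most benign apps touch one or two.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG"},
    "telephony": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
}


def permissions_from_manifest(xml_text):
    """Return (package, set of permission names) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}
    perms.discard(None)
    return root.get("package", ""), perms


# Matches both `uses-permission: name='x'` and the older `uses-permission:'x'` form.
_AAPT_RE = re.compile(r"^uses-permission:\s*(?:name=)?'([^']+)'", re.M)
_PKG_RE = re.compile(r"^package:\s*(\S+)", re.M)


def permissions_from_aapt(text):
    """Return (package, set of permission names) from `aapt dump permissions` output."""
    m = _PKG_RE.search(text)
    return (m.group(1) if m else ""), set(_AAPT_RE.findall(text))


def capability_profile(perms):
    """Capability groups that at least one requested permission falls into."""
    return {cap for cap, needed in CAPABILITIES.items() if perms & needed}


def triage(package, perms, threshold=5):
    """Flag a manifest whose permissions span `threshold` or more capability groups."""
    caps = capability_profile(perms)
    return {"package": package, "capabilities": sorted(caps),
            "rat_like": len(caps) >= threshold}


if __name__ == "__main__":
    for loader, text in ((permissions_from_manifest, SAMPLE_MANIFEST),
                         (permissions_from_aapt, SAMPLE_AAPT)):
        pkg, perms = loader(text)
        print(triage(pkg, perms))
```

On a real sample, feed `permissions_from_aapt` the output of `aapt dump permissions sigma.apk`, or `permissions_from_manifest` the AndroidManifest.xml that apktool decodes. The threshold is deliberately coarse: a messaging app legitimately needs sms, contacts and storage; eight of eight groups, as here, is what a RAT looks like.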

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-23 19:20
Reported: 2024-07-23 19:22
Platform: android-x64-arm64-20240624-en
Max time kernel: 65s
Max time network: 69s

Command Line

net.droidjack.server

Signatures

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock (Process/Target: N/A)

Queries information about active data network (tag: discovery)

Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (Process/Target: N/A)

Processes

net.droidjack.server

Network

Country  Destination           Domain                     Proto
GB       142.250.180.14:443    -                          tcp
GB       142.250.180.14:443    -                          tcp
GB       142.250.180.14:443    -                          tcp
N/A      224.0.0.251:5353      -                          udp
US       1.1.1.1:53            android.apis.google.com    udp
GB       216.58.213.14:443     android.apis.google.com    tcp
US       1.1.1.1:53            majdazar.ddns.net          udp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       216.58.201.104:443    ssl.google-analytics.com   tcp
US       1.1.1.1:53            accounts.google.com        udp
US       1.1.1.1:53            accounts.google.com        udp
US       1.1.1.1:53            static.xx.fbcdn.net        udp
US       1.1.1.1:53            www.google.com             udp
BE       66.102.1.84:443       accounts.google.com        tcp
GB       157.240.221.16:443    static.xx.fbcdn.net        tcp
GB       142.250.179.228:443   www.google.com             tcp
GB       142.250.200.36:443    -                          tcp
GB       142.250.200.36:443    -                          tcp

("-" marks rows where the capture recorded no domain for the connection.)

Almost all of this is Android platform traffic (Google services, Google Analytics, a Facebook CDN host, mDNS on 224.0.0.251). The one destination that does not fit is majdazar.ddns.net: a dynamic-DNS hostname, looked up once via 1.1.1.1 and never followed by a TCP connection in the capture, which is what you would expect if the C2 host was unresolvable or offline at detonation time. That hostname is the network indicator to take from this report; the Google and Facebook addresses are not.
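Picking the one real indicator out of a sandbox network table is worth automating, because every Android detonation produces the same Google background noise. The following is an added example, not part of the report: it parses a copy of the table above (constructed here from the report's rows, with "-" for a missing domain), separates platform noise from dynamic-DNS hostnames, and reports which queried names were never actually connected to. The benign-suffix list and the dynamic-DNS provider list are this example's own allow/watch lists, not sandbox rules, and should be tuned for your environment.

```python
"""Triage of a sandbox network table: platform noise vs. likely C2.

Added example, not from the report. RAW is constructed from the report's
Network table; BENIGN_SUFFIXES and DDNS_PROVIDERS are illustrative lists.
"""
import ipaddress
from collections import Counter

# Constructed from the report's table: country, ip:port, domain ("-" if none), proto.
RAW = """\
GB 142.250.180.14:443 - tcp
GB 142.250.180.14:443 - tcp
GB 142.250.180.14:443 - tcp
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.213.14:443 android.apis.google.com tcp
US 1.1.1.1:53 majdazar.ddns.net udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 static.xx.fbcdn.net udp
US 1.1.1.1:53 www.google.com udp
BE 66.102.1.84:443 accounts.google.com tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.200.36:443 - tcp
GB 142.250.200.36:443 - tcp
"""

# Hosts an Android emulator talks to on its own; illustrative, extend for your sandbox.
BENIGN_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com",
                   "google-analytics.com", "fbcdn.net")
# Free dynamic-DNS providers commonly used for RAT C2; illustrative, not exhaustive.
DDNS_PROVIDERS = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org",
                  "zapto.org", "duckdns.org", "dyndns.org")


def parse(raw):
    """Turn the whitespace-separated table into a list of row dicts."""
    rows = []
    for line in raw.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain == "-" else domain, "proto": proto})
    return rows


def _has_suffix(domain, suffixes):
    # Match on a label boundary so "evilgoogle.com" does not pass as google.com.
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def triage(rows):
    """Classify every domain seen and note DNS lookups that led nowhere."""
    queried = {r["domain"] for r in rows if r["port"] == 53 and r["domain"]}
    contacted = {r["domain"] for r in rows if r["port"] != 53 and r["domain"]}
    result = {"platform_noise": [], "dynamic_dns": [], "unclassified": [],
              "queried_but_not_contacted": [], "bare_ip_connections": Counter()}
    for d in sorted(queried | contacted):
        if _has_suffix(d, BENIGN_SUFFIXES):
            result["platform_noise"].append(d)
        elif _has_suffix(d, DDNS_PROVIDERS):
            result["dynamic_dns"].append(d)
        else:
            result["unclassified"].append(d)
        # A name that was resolved but never connected to is worth a second look:
        # either the resolution failed or the peer was down during detonation.
        if d in queried and d not in contacted:
            result["queried_but_not_contacted"].append(d)
    # TCP connections with no domain in the capture; multicast (mDNS) is dropped.
    for r in rows:
        if r["domain"] is None and r["proto"] == "tcp" \
                and not ipaddress.ip_address(r["ip"]).is_multicast:
            result["bare_ip_connections"][f"{r['ip']}:{r['port']}"] += 1
    return result


if __name__ == "__main__":
    for key, value in triage(parse(RAW)).items():
        print(f"{key}: {value}")
```

The useful output is the intersection of `dynamic_dns` and `queried_but_not_contacted`: for this report that is majdazar.ddns.net alone. The bare-IP TLS connections to 142.250.x.x are listed separately because the capture has no name for them; they sit in Google address space, but that is something to confirm with passive DNS or the TLS SNI from the pcap rather than assume.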

Files

Every file below sits in the app's private data directory, /data/user/0/net.droidjack.server/databases/. The same two paths appear repeatedly with different hashes because the sandbox records each observed write: SandroRat_Configuration_Database is an SQLite database (its -journal companion is SQLite's rollback journal, rewritten on each transaction against it). The hashes are therefore snapshots of a database in motion; for matching on a live device, rely on the package name and path rather than on these digests.

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 0b953ddae3333470435a6eb2ad34777b
SHA1 0bf1a8bcaaad16bf386856d44b6963277091667e
SHA256 aff91b0d5fb3fbc593c2fe72575b9be6b239b16086a2bc58d41c4db4ac035195
SHA512 74246545d22bba2e063652fb2f9d619bd5ec0ba58118b2650ffed57b191c829b0b5b4cac0b2221e5181faf44c7ce0ae7c2d8de8e93e146042395a61f2b37d957

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database

MD5 70ab0184149f2a2235ce82b245bb5c3a
SHA1 ee3b0fbc494cf364705fddb1f3ff3503e4f70ffa
SHA256 27df39c9b9de413f6bc5ccd57272857ef5500c20ffc8b4e90e35088b3f4af80f
SHA512 52d291e398d4b4c5d754d02aa2afbce0b8f87c71b60ba5f29f2d6adc6f72318b97d7fc252fbb77a6cc721b6a7c0cf052c58ddd0648069bbeb5ab259089a22cd2

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 42310b1774a00226d1bcdec0dc971ded
SHA1 1b2444c8cbf32c250c8f849ce11c1df4c7bbac34
SHA256 57e4531e359e84b7e5611cca662b8b5130eff3bee93c7b90109ef9d0002f9496
SHA512 f359b0d3b36858b91f0c797ce5d042014dcc4059da64c630615affe995090abef75192ea01eea826ca13b83b8cbc5fa73ff2c50320ad3329d241adcd2bfd1c69

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 a85df394020f7c7d251a12314b712ae4
SHA1 5d3621f20ac1823af74486bac93cead10b8f2e80
SHA256 74fd4e4470927fe0d20de21274eb9f80b8a46d24841e5b96343d632962e8901a
SHA512 9c66363e3be64997bbcbea85951f2447e04cd572e50e80373ebcafc64d20edd1aebc6736b88cb4f3a1e44aa05d7977441aa056c14c43ee315f7eeb30675ccaaf

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 7be27866d7cb631c993ecf01d32b4e5d
SHA1 723f9fc4bd363202bfa7cbea381424cfb8248102
SHA256 b2d27e3fb2bfb4d8b82b3c739b6f6446d39c85ff3e1c0e42b8692102484b6728
SHA512 80156432b4ab19e187e2355486e09f0330e499b15ff47cab921da6ece6c3901fcbbb2ee60a450258ea4f9d924971a9d2ca9d6afec892651a58cb4b0e96a9b511

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database

MD5 221df4edf503c794f59438dcba2b4d8b
SHA1 ef3b52db91785a1a0141331ede191fb08a520a80
SHA256 02963339ef9d9a0e89c807f8ca1a1730dfc654b76d10bd39b0f5e5f73cba29f8
SHA512 d79919b49f16f8d390ad3e4669d240426300661319d65346ebe71a2d4611b2358ae3190f1897d0c5308b84314cd3a564b251137cbca1a3176d072d332a523ffa

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 250ffc68d028e4d9e0cf51054ea92ce6
SHA1 fe64251d0fc064a20940bcd8f8771c66e74f5af8
SHA256 97d4539a65ba80f351a89c604e18e569387e814de783f7fa930f8e645ad9e52a
SHA512 c8ec6202be1d8190c307d8afb62ef1d041f9ce9832af69cdcc64ae8c134815f46a761bccae549a4d9a83a12ed0a4780f4020afcc2abf96b44f11aff1c957170f

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database

MD5 913f82854f2a390fd699fa21cdaa237b
SHA1 638e22f46fabfce72e427e741c54ffe689841e8a
SHA256 1eedb8780f1ea3dd123e33eccf42ae7360d92b541630eb97a15d2e3601412fa5
SHA512 34534d4a366e57cd82fe6664bac38db45ef1ac6ad1a047af71300b32f6b6bbb210898e3b6bc7c20adccc2c58e75c5f41aca32ed137896ad40e0b9b75607412aa