Analysis Overview
SHA256
ec2654fcdaa602671c65fcd7df97643ddc73732e6291b08c5d2db03f667d6a9e
Threat Level: Known bad
The file sigma.apk was found to be: Known bad.
Malicious Activity Summary
Sandrorat family
Requests dangerous framework permissions
Acquires the wake lock
Queries information about active data network
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-23 19:20
Signatures
Sandrorat family
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-23 19:20
Reported
2024-07-23 19:22
Platform
android-x64-arm64-20240624-en
Max time kernel
65s
Max time network
69s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
net.droidjack.server
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.180.14:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.213.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | majdazar.ddns.net | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| US | 1.1.1.1:53 | static.xx.fbcdn.net | udp |
| US | 1.1.1.1:53 | www.google.com | udp |
| BE | 66.102.1.84:443 | accounts.google.com | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 142.250.179.228:443 | www.google.com | tcp |
| GB | 142.250.200.36:443 | | tcp |
| GB | 142.250.200.36:443 | | tcp |
Files
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| Hash | Value |
| --- | --- |
| MD5 | 0b953ddae3333470435a6eb2ad34777b |
| SHA1 | 0bf1a8bcaaad16bf386856d44b6963277091667e |
| SHA256 | aff91b0d5fb3fbc593c2fe72575b9be6b239b16086a2bc58d41c4db4ac035195 |
| SHA512 | 74246545d22bba2e063652fb2f9d619bd5ec0ba58118b2650ffed57b191c829b0b5b4cac0b2221e5181faf44c7ce0ae7c2d8de8e93e146042395a61f2b37d957 |
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database
| Hash | Value |
| --- | --- |
| MD5 | 70ab0184149f2a2235ce82b245bb5c3a |
| SHA1 | ee3b0fbc494cf364705fddb1f3ff3503e4f70ffa |
| SHA256 | 27df39c9b9de413f6bc5ccd57272857ef5500c20ffc8b4e90e35088b3f4af80f |
| SHA512 | 52d291e398d4b4c5d754d02aa2afbce0b8f87c71b60ba5f29f2d6adc6f72318b97d7fc252fbb77a6cc721b6a7c0cf052c58ddd0648069bbeb5ab259089a22cd2 |
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| Hash | Value |
| --- | --- |
| MD5 | 42310b1774a00226d1bcdec0dc971ded |
| SHA1 | 1b2444c8cbf32c250c8f849ce11c1df4c7bbac34 |
| SHA256 | 57e4531e359e84b7e5611cca662b8b5130eff3bee93c7b90109ef9d0002f9496 |
| SHA512 | f359b0d3b36858b91f0c797ce5d042014dcc4059da64c630615affe995090abef75192ea01eea826ca13b83b8cbc5fa73ff2c50320ad3329d241adcd2bfd1c69 |
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| Hash | Value |
| --- | --- |
| MD5 | a85df394020f7c7d251a12314b712ae4 |
| SHA1 | 5d3621f20ac1823af74486bac93cead10b8f2e80 |
| SHA256 | 74fd4e4470927fe0d20de21274eb9f80b8a46d24841e5b96343d632962e8901a |
| SHA512 | 9c66363e3be64997bbcbea85951f2447e04cd572e50e80373ebcafc64d20edd1aebc6736b88cb4f3a1e44aa05d7977441aa056c14c43ee315f7eeb30675ccaaf |
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| Hash | Value |
| --- | --- |
| MD5 | 7be27866d7cb631c993ecf01d32b4e5d |
| SHA1 | 723f9fc4bd363202bfa7cbea381424cfb8248102 |
| SHA256 | b2d27e3fb2bfb4d8b82b3c739b6f6446d39c85ff3e1c0e42b8692102484b6728 |
| SHA512 | 80156432b4ab19e187e2355486e09f0330e499b15ff47cab921da6ece6c3901fcbbb2ee60a450258ea4f9d924971a9d2ca9d6afec892651a58cb4b0e96a9b511 |
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database
| Hash | Value |
| --- | --- |
| MD5 | 221df4edf503c794f59438dcba2b4d8b |
| SHA1 | ef3b52db91785a1a0141331ede191fb08a520a80 |
| SHA256 | 02963339ef9d9a0e89c807f8ca1a1730dfc654b76d10bd39b0f5e5f73cba29f8 |
| SHA512 | d79919b49f16f8d390ad3e4669d240426300661319d65346ebe71a2d4611b2358ae3190f1897d0c5308b84314cd3a564b251137cbca1a3176d072d332a523ffa |
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| Hash | Value |
| --- | --- |
| MD5 | 250ffc68d028e4d9e0cf51054ea92ce6 |
| SHA1 | fe64251d0fc064a20940bcd8f8771c66e74f5af8 |
| SHA256 | 97d4539a65ba80f351a89c604e18e569387e814de783f7fa930f8e645ad9e52a |
| SHA512 | c8ec6202be1d8190c307d8afb62ef1d041f9ce9832af69cdcc64ae8c134815f46a761bccae549a4d9a83a12ed0a4780f4020afcc2abf96b44f11aff1c957170f |
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database
| Hash | Value |
| --- | --- |
| MD5 | 913f82854f2a390fd699fa21cdaa237b |
| SHA1 | 638e22f46fabfce72e427e741c54ffe689841e8a |
| SHA256 | 1eedb8780f1ea3dd123e33eccf42ae7360d92b541630eb97a15d2e3601412fa5 |
| SHA512 | 34534d4a366e57cd82fe6664bac38db45ef1ac6ad1a047af71300b32f6b6bbb210898e3b6bc7c20adccc2c58e75c5f41aca32ed137896ad40e0b9b75607412aa |