Analysis Overview
SHA256
bc850c692e84f67ec59c08e6e893e479b6b1a24a5b4097dfa3c70396c9bb9b40
Threat Level: Known bad
The file bc850c692e84f67ec59c08e6e893e479b6b1a24a5b4097dfa3c70396c9bb9b40.apk was found to be: Known bad.
Malicious Activity Summary
Sandrorat family
Requests dangerous framework permissions
Acquires the wake lock
Queries information about active data network
Registers a broadcast receiver at runtime (usually for listening for system events)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 12:24
Signatures
Sandrorat family
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
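A static check that reproduces this signature outside the sandbox, added here as an example (it is not part of the report): it parses the text that `aapt dump permissions <file.apk>` prints and groups the dangerous permissions from the table above by the capability they hand a RAT. The sample input is constructed from that table and the package name seen in the behavioral runs; the `CAPABILITIES` grouping, the flag names and the "three surveillance groups" threshold are this example's own choices, not anything the sandbox uses.

```python
"""Group an APK's dangerous permissions by capability (added example)."""
import re

# Permission -> capability group. Only the permissions flagged in this report are listed;
# normal-level ones (INTERNET etc.) that a real aapt dump also prints are ignored.
CAPABILITIES = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "calls",
    "android.permission.WRITE_CALL_LOG": "calls",
    "android.permission.CALL_PHONE": "calls",
    "android.permission.READ_PHONE_STATE": "device",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
}

# Accepts both aapt styles: "uses-permission: name='X'" and the older "uses-permission:'X'".
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=)?'([^']+)'", re.MULTILINE)
_PKG_RE = re.compile(r"^package:\s*(\S+)", re.MULTILINE)

# Constructed sample of `aapt dump permissions` output, built from the table in this report.
SAMPLE_AAPT_OUTPUT = """\
package: net.droidjack.server
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.WRITE_CONTACTS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.WRITE_CALL_LOG'
uses-permission: name='android.permission.CALL_PHONE'
"""


def parse_aapt_permissions(text):
    """Return (package name or None, set of declared permissions) from aapt output."""
    pkg = _PKG_RE.search(text)
    return (pkg.group(1) if pkg else None), set(_PERM_RE.findall(text))


def group_by_capability(perms):
    """Map capability group -> sorted list of flagged permissions; unlisted ones are dropped."""
    groups = {}
    for perm in sorted(perms):
        cap = CAPABILITIES.get(perm)
        if cap:
            groups.setdefault(cap, []).append(perm)
    return groups


def triage(text):
    """Summarise the permission set the way the static1 signature does, plus combination flags."""
    package, perms = parse_aapt_permissions(text)
    groups = group_by_capability(perms)
    flags = []
    # Interception needs both the broadcast (RECEIVE_SMS) and the inbox (READ_SMS).
    if {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"} <= perms:
        flags.append("sms_interception")
    # Sending SMS together with contacts access: self-spreading / premium-SMS combo.
    if "android.permission.SEND_SMS" in perms and "contacts" in groups:
        flags.append("sms_send_with_contacts")
    # Three or more surveillance groups in one app: treat as a RAT profile (example threshold).
    surveillance = {"sms", "audio", "camera", "location", "contacts", "calls"}
    if len(surveillance & set(groups)) >= 3:
        flags.append("surveillance_profile")
    return {
        "package": package,
        "dangerous_count": sum(len(v) for v in groups.values()),
        "groups": groups,
        "flags": flags,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_AAPT_OUTPUT), indent=2))
```

Feed it real output with `aapt dump permissions sample.apk | python3 triage.py`-style piping (read `sys.stdin` instead of the constant); on this APK all 14 permissions fall into six surveillance groups, so every flag fires.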
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 12:24
Reported
2024-08-17 12:27
Platform
android-x86-arm-20240624-en
Max time kernel
165s
Max time network
137s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
net.droidjack.server
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | googlesettings.system.net | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| MD5 | 03d2ddcfe39e53c4ccfef1e7025da9ad |
| SHA1 | a5605c354b167969d19564704d1e7c4d36dc90ad |
| SHA256 | c6ae97415c196180ab0bddd6c7e90d5a0ebdc9dc8a4de2deba8c981a6e19daf9 |
| SHA512 | 92ac9193ed83d327e59364ddc50454592baf86c15858bef17c0f9a464cbc31ddf7f2df1e7d461eb084db3e092cb839362d1a933676d9a057eb50fea0c06ddfb5 |
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database
| MD5 | f553d76d0e3fd64242b0834f349ef2fe |
| SHA1 | 26ebf0fbe2ee1bc0e6ee3b3f3381a2bf4b90144d |
| SHA256 | 2e41ce5542acec52b8e568ffb9bbce1dbc00ef5c3d2acddf2a316072fca59985 |
| SHA512 | af168732def9efd1c5323cb8b8fb869ef90f5718bced01f04c9bf86d581f06880d5ffb4d89c26092f3c250aeb81ac3dc6c60a445e6bbc7215160da2d30088f58 |
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-wal
| MD5 | 70e0774841b5d163c5e786b19fc3c9e2 |
| SHA1 | 258869a444daf75fde174cb307580bf75e14396f |
| SHA256 | 023b9360989b75a8be5a157e0ab53b36d58c2dd2b4b9866abedfa360fbb420aa |
| SHA512 | f0ed1fc9b795166acd075756a62f1a13addccb337ad701577d36ae18967c30f405c04dbbb91643941f65e99c85212e2ba75c9a68765c59c73f70f483ce6df231 |
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-wal
| MD5 | 172bb3559d34bcf56441bc5507519b12 |
| SHA1 | 7b659235c0ef35fcb1594923b3e7cab0eb904512 |
| SHA256 | 2c1fe5d4ee45f89b0d47d2d956417c13961ec7d3970eb718d715a6fa53b9f973 |
| SHA512 | 0b9b7b8aba2b8151deb6c48ff062e8e634be0d9d874980e080aa4dd5fa28933416aa35300d733e6bd6f99d2508fce5ad5b445e7df4ab92ea06f952b2e2fbe4f9 |
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database
| MD5 | 366dcd0101303feb8e6d3b5f30a6e02a |
| SHA1 | 057d117b04ecfe1bba14df1e1283eae319047d16 |
| SHA256 | 82cd3095d30a0499fe732a916c2d661a3ed16027c8986ca83119eaa3bd43476c |
| SHA512 | c54eb01d949e2a19a34fb5017fb8927138436a6887010cd986d3a6dabe4860c77e26322854af2094710d728d2c3061fce67ed0f491d9f34df925be12123b8940 |
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-wal
| MD5 | 999910cf62fc0abe15e11fb276a4e10b |
| SHA1 | 910f688abde4cd693ee22fd400e9623b80d41dc8 |
| SHA256 | ced69d35cbb4344257c06ccdbad0b7c25a05e9c7124e03fa77ee63503073ec61 |
| SHA512 | d8c8fae1da6cef3578e54bade2347f8e9daaca6ca4bbe7db06a33d7c06e11a228e05395aae054482a7a6a17d59aa29330e6b9d1bc4fee9ad454403cb245d4179 |
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database
| MD5 | 225ff2943f069280fb3c94a1da4d2783 |
| SHA1 | f147f4c474f61b5033314e9e2628c87b857b40d2 |
| SHA256 | 1330a0185f0ce94f7458d214932319612b0ffd4e6824dfcd749b037f585e8d5f |
| SHA512 | 4dbfb833e9127ceb9d5d00cb5cf4eb1dc15daa687a60a04de427824e88dd2e76f38df972967b2c2ec31dff0efa1bafbd92f74e931336e883e23a86315b60799b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 12:24
Reported
2024-08-17 12:24
Platform
android-x64-20240624-en
Max time kernel
7s
Max time network
23s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
net.droidjack.server
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | googlesettings.system.net | udp |
| GB | 142.250.180.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
Files
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| MD5 | 0e36370c7388fb8caf288b809f7bbc46 |
| SHA1 | 3d2e641e1738b0e6a732bdcb2b04c6394a3bcec6 |
| SHA256 | ef973a23566b540686e436a0a657f668fc7a17bfac8cb3696bd7abdb0be51bd3 |
| SHA512 | afee1bcef5f81c0d2fb9ae6759f6bcc286e85353e8f03acb8b17027da7c58991cc9cc2fba729d56aff8055f4e79539cde7e401ef906a77834771d4ff0b54538f |
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database
| MD5 | ab9b76032f3671e636504f620ed4d205 |
| SHA1 | 21e1e3ef5f95af48acdd224ef1f40ff12467521d |
| SHA256 | 4da0f7c511a540be366bd92014b6279194cf5da3c47ddb8acb48526f1ad967ab |
| SHA512 | 9e133dfb122855076eec7967f0e73fef6f8cdd655b32f9ee5d8cc7de1114212d10764839359b38b63e73772517910662109d87336a8507a99ca1085758841725 |
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| MD5 | 100affd0465a4addb285574e6022cb42 |
| SHA1 | 8e6896f48a19669bbd1869ff1b017a7eae5962e2 |
| SHA256 | 585a5771e79d2bedbd79c898a85c2689c65fb88eb33ee3e81f884a1eb5b214cd |
| SHA512 | 7f5f4b9e24f8ba015432220a33844ace53e87dc0d2022e42b0a66884367c38d446c26fda2653e483f85238021f5d451afa5ba4203e03c28f0145ad4018835207 |
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| MD5 | d091be3fe27f61b104b887ed7f7557cf |
| SHA1 | 9ba8693b95d4552047b2b2afc5818ff039c88105 |
| SHA256 | c8e82f19cec1af2968004772161f1210baf282293d1d2e72e97a08db08cada7c |
| SHA512 | 1906c91a8827cb709c3962069e739c5165b36533f2752043c07e8ce4d82501a323da95a4bbfcb28897f78906a1a05675f1e3599fc0c8e49d2a0d1451d93580d1 |
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| MD5 | 38643035c1e124fe44c8efb74304898f |
| SHA1 | d8e3304efbd791396cec78504453c781db8c39b9 |
| SHA256 | f8dc0d9ddd6c6987b55c4f47517d31af5e1b62cfd4ea566682c22298c7db8cc6 |
| SHA512 | 268aebfdaf3fc32ed53d07467ee88ecc272cd00982c29511e78d5ff222630df44712fce770c1fe0b7c13fbefdcfd75bef63aea25b1dc92aea3d335052bf7ed1a |
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database
| MD5 | 21cc619a1a864ee67061805e7c2212fd |
| SHA1 | 9e7f72def852059017b649e9ca81ecb022b7fe65 |
| SHA256 | 42d8efcb7f308fa14dd407336f6032418452c0989687ab41f4010ed5b2499240 |
| SHA512 | 46850b69e173021667efc89981c77819ff253dba429447a1279637d343d30116f865f1753fa1664ff3e7ae1395efb52086886e6fff240dd91d004443e1ee3bf5 |
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| MD5 | b0ef47bb16a922a86cbb369aa885f7ec |
| SHA1 | e308f1b540842461b2c07b1279cc00c7ec37850a |
| SHA256 | f60e7d3725e8f98c205868d29bbf8fa20f0b14fef87d1b32821ae68bf9962396 |
| SHA512 | 29749a2d0f57f2fc9eb45808deb5f18a6f9079a9d18c788414df3441aac249caa768c9a5c5f1ced9466647c87f4959948474d70499ebfbaa765421e0bebe5962 |
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database
| MD5 | 30c5534cc8e193d6d44d7f88cf958b70 |
| SHA1 | 0bd575b2d455d6312f5c03d66f1c98c1636481f4 |
| SHA256 | d9053d1f628d3c65bf30ce45e82d2c0bec1fdc1506537b9d9903ac881707054c |
| SHA512 | 3223db8fa8f50069c5ac9d223c9c2a881c308cbbbbf62ab0329beeb693171995e4752aaa0e755a6352ee2152689cd361220dba4900154e57e4f0a1f3958a5330 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-17 12:24
Reported
2024-08-17 12:27
Platform
android-x64-arm64-20240624-en
Max time kernel
165s
Max time network
132s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
net.droidjack.server
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.238:443 | | tcp |
| GB | 142.250.187.238:443 | | tcp |
| GB | 142.250.187.238:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | googlesettings.system.net | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.36:443 | | tcp |
| GB | 142.250.200.36:443 | | tcp |
Files
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| MD5 | aaf94dc218a99c2cd57e8b71c327ff52 |
| SHA1 | 2775b3ad171423384cf03cbc05dcdc9ce6427090 |
| SHA256 | 57a9e8bdbec7cc8d6ea18b176c3484ef5752dbfb822522140af0446c24d04307 |
| SHA512 | 7693adcd3aeadfdf6aad892c72862adf6f9a88fd697f44fcbfb7ff813af02b3b01bb2fe31a453f3f0eac16224c8f002d0f5ac386ac7e3b73181f8bbccb8de048 |
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database
| MD5 | 70ab0184149f2a2235ce82b245bb5c3a |
| SHA1 | ee3b0fbc494cf364705fddb1f3ff3503e4f70ffa |
| SHA256 | 27df39c9b9de413f6bc5ccd57272857ef5500c20ffc8b4e90e35088b3f4af80f |
| SHA512 | 52d291e398d4b4c5d754d02aa2afbce0b8f87c71b60ba5f29f2d6adc6f72318b97d7fc252fbb77a6cc721b6a7c0cf052c58ddd0648069bbeb5ab259089a22cd2 |
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| MD5 | 97d14c8cf5a681960d1ae5af803a9614 |
| SHA1 | b59bdc48aa157c41c4434a50cbe72ad839fd6f51 |
| SHA256 | f41bf013611d35e6f2f4c2c8d01917dc44a45ad46d82ad1661492459d7e939ba |
| SHA512 | faf2bdd538c2c764b9ef4567e3d1ad4f8d25a0099355fecf82f6de99fdbc5613f629553467bf2873c28f5aed9366a2b2e96db31af4ad34ad7fc54f68415275e3 |
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| MD5 | 9cf326c9af29ceff3bd76b029c6cccf1 |
| SHA1 | f7d30183cd1e631d013fc15851501aa26e9ab81f |
| SHA256 | 6a50db189bba7c0e0bd80fb7d58f1bcc9741133b10f4a7ea74eab8535aeea9da |
| SHA512 | 3ee6fd28e4dbbc9c86febb5a293400fc5484e168bde3f3848c7a3dd4d67640e4e2b4b8b394bb74b351a666d9a668a26422bd447b2c0d6401b45894879cebe74e |
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| MD5 | 8527992e5713b6f2298520380249c0b0 |
| SHA1 | e462f450329602c1ee005c4a671c0d522d35440b |
| SHA256 | 62163ccc07f699233f06f37418d032cf9c30c34a435189c3a93231507f0aaf3d |
| SHA512 | 122881a708d4e09f23f64cefbe29decc965efde96d875369b2a44a1cd04f3dbea5b0a61db1339f36165efa74914799454a8a14e343a6f019df25e055ff2d4e06 |
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database
| MD5 | 5ff57eaff21a61e6c539403d044c216f |
| SHA1 | d882d19392531546bee0a088fa5c90ed81ac670d |
| SHA256 | 2a49060e3e67e20275aa13cde1ca5f26a5827f2661dd5fc61f0de64ddc1d627d |
| SHA512 | 4bb310dfaaeb7248f8400c40b0c5f5223eb34f87d809675f6a115a09c3944b7f2296d6f13a59dd3ddcc035c3a76f37c286fac998e1e89d76620b71b0c12d37a4 |
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
| MD5 | 38b08c774dbfbdc3216435a17c5dc8b6 |
| SHA1 | 88fff1091410f98dd3bca859bacedef19b504d2f |
| SHA256 | 1705ef856bfc00be07a097a49616a5b2a2875a98622cbac23dbb1ec797c5983a |
| SHA512 | 0b7eaa0c69864fce7829b6517da802e2ed9e809b9648e2f10cc6ebb4924a65659d48cecc26c7d6b2c8069ba590c06fb2e03710adff83728a015c372ea967b5a9 |
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database
| MD5 | a4563f10ffe669a561190f6813c78488 |
| SHA1 | 36d046cdc9f8ec5e2f8a4457d6e1dd9fdf93d625 |
| SHA256 | db70be1b56ff21ee509df483f1c2cc7ef488eadfc1152399b3951677480010a3 |
| SHA512 | 7c604dbcfe5614ef93fe6b10e165539aff32dd07ddd0f10c9cb8c3a143aff178f40340a4c13f65db59c3fc89995f83cf5df1efd41d57b23ba1e3fefdf8a77cd3 |
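All three behavioral runs write SandroRat_Configuration_Database together with -journal, -wal and -shm files in the app's databases directory, and none of the runs recorded a destination beyond Google services, mDNS and DNS to 1.1.1.1, so that database is the most likely place to find the operator's settings. The point a collector needs to know is that in SQLite's WAL mode committed rows sit only in the -wal file until a checkpoint, so pulling the main file alone can miss the newest writes. The following added example (not from the report, and not the real schema: the `config` table and its rows are constructed stand-ins) builds a small WAL-mode database of the same name and shows the difference between copying the main file only and copying it with its sidecars.

```python
"""Pull an app's SQLite database with its sidecar files (added example)."""
import os
import shutil
import sqlite3
import tempfile

DB_NAME = "SandroRat_Configuration_Database"      # file name from the report
SIDECAR_SUFFIXES = ("-wal", "-shm", "-journal")    # SQLite sidecar files


def build_sample_db(directory):
    """Create a WAL-mode database whose rows have not been checkpointed yet.

    Returns the open connection on purpose: closing the last connection
    checkpoints the WAL into the main file and would hide the effect shown here.
    """
    conn = sqlite3.connect(os.path.join(directory, DB_NAME), isolation_level=None)  # autocommit
    # Schema is created while still in rollback-journal mode, so it lands in the main file.
    conn.execute("CREATE TABLE config (key TEXT PRIMARY KEY, value TEXT)")
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("PRAGMA wal_autocheckpoint=0")   # never checkpoint behind our back
    # Committed, but only into DB_NAME-wal until the next checkpoint. Values are constructed.
    conn.executemany(
        "INSERT INTO config VALUES (?, ?)",
        [("host", "example.invalid"), ("port", "1337")],
    )
    return conn


def pull_database(src_dir, dst_dir, with_sidecars):
    """Imitate `adb pull` of the database: main file, optionally with its sidecars."""
    os.makedirs(dst_dir, exist_ok=True)
    names = [DB_NAME]
    if with_sidecars:
        names += [DB_NAME + suffix for suffix in SIDECAR_SUFFIXES]
    copied = []
    for name in names:
        src = os.path.join(src_dir, name)
        if os.path.exists(src):
            shutil.copy2(src, os.path.join(dst_dir, name))
            copied.append(name)
    return copied


def read_config(directory):
    """Open the pulled copy (never the live file) and return its config rows as a dict."""
    conn = sqlite3.connect(os.path.join(directory, DB_NAME))
    try:
        return dict(conn.execute("SELECT key, value FROM config").fetchall())
    finally:
        conn.close()


def compare_pulls():
    """Return (rows seen with the main file only, rows seen with sidecars)."""
    with tempfile.TemporaryDirectory() as work:
        device = os.path.join(work, "device")
        os.makedirs(device)
        live = build_sample_db(device)
        try:
            pull_database(device, os.path.join(work, "main_only"), with_sidecars=False)
            pull_database(device, os.path.join(work, "with_wal"), with_sidecars=True)
            partial = read_config(os.path.join(work, "main_only"))
            complete = read_config(os.path.join(work, "with_wal"))
        finally:
            live.close()
    return partial, complete


if __name__ == "__main__":
    partial, complete = compare_pulls()
    print("main file only :", partial)
    print("with sidecars  :", complete)
```

On a device, pull the whole `/data/data/net.droidjack.server/databases/` (or `/data/user/0/...`, the path the arm64 run shows) directory rather than the single file, and hash every file before opening any copy: opening a WAL database read-write checkpoints and rewrites it, which is why the report lists several distinct hashes for the same path within one run.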