Malware Analysis Report

2024-10-16 05:07

Sample ID 240817-pk1ybavfjg
Target bc850c692e84f67ec59c08e6e893e479b6b1a24a5b4097dfa3c70396c9bb9b40.apk
SHA256 bc850c692e84f67ec59c08e6e893e479b6b1a24a5b4097dfa3c70396c9bb9b40
Tags
sandrorat discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bc850c692e84f67ec59c08e6e893e479b6b1a24a5b4097dfa3c70396c9bb9b40

Threat Level: Known bad

The file bc850c692e84f67ec59c08e6e893e479b6b1a24a5b4097dfa3c70396c9bb9b40.apk was found to be: Known bad.

Malicious Activity Summary

sandrorat discovery persistence

Sandrorat family

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 12:24

Signatures

Sandrorat family

sandrorat

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 12:24

Reported

2024-08-17 12:27

Platform

android-x86-arm-20240624-en

Max time kernel

165s

Max time network

137s

Command Line

net.droidjack.server

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

net.droidjack.server

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 googlesettings.system.net udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp

Files

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 03d2ddcfe39e53c4ccfef1e7025da9ad
SHA1 a5605c354b167969d19564704d1e7c4d36dc90ad
SHA256 c6ae97415c196180ab0bddd6c7e90d5a0ebdc9dc8a4de2deba8c981a6e19daf9
SHA512 92ac9193ed83d327e59364ddc50454592baf86c15858bef17c0f9a464cbc31ddf7f2df1e7d461eb084db3e092cb839362d1a933676d9a057eb50fea0c06ddfb5

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database

MD5 f553d76d0e3fd64242b0834f349ef2fe
SHA1 26ebf0fbe2ee1bc0e6ee3b3f3381a2bf4b90144d
SHA256 2e41ce5542acec52b8e568ffb9bbce1dbc00ef5c3d2acddf2a316072fca59985
SHA512 af168732def9efd1c5323cb8b8fb869ef90f5718bced01f04c9bf86d581f06880d5ffb4d89c26092f3c250aeb81ac3dc6c60a445e6bbc7215160da2d30088f58

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-wal

MD5 70e0774841b5d163c5e786b19fc3c9e2
SHA1 258869a444daf75fde174cb307580bf75e14396f
SHA256 023b9360989b75a8be5a157e0ab53b36d58c2dd2b4b9866abedfa360fbb420aa
SHA512 f0ed1fc9b795166acd075756a62f1a13addccb337ad701577d36ae18967c30f405c04dbbb91643941f65e99c85212e2ba75c9a68765c59c73f70f483ce6df231

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-wal

MD5 172bb3559d34bcf56441bc5507519b12
SHA1 7b659235c0ef35fcb1594923b3e7cab0eb904512
SHA256 2c1fe5d4ee45f89b0d47d2d956417c13961ec7d3970eb718d715a6fa53b9f973
SHA512 0b9b7b8aba2b8151deb6c48ff062e8e634be0d9d874980e080aa4dd5fa28933416aa35300d733e6bd6f99d2508fce5ad5b445e7df4ab92ea06f952b2e2fbe4f9

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database

MD5 366dcd0101303feb8e6d3b5f30a6e02a
SHA1 057d117b04ecfe1bba14df1e1283eae319047d16
SHA256 82cd3095d30a0499fe732a916c2d661a3ed16027c8986ca83119eaa3bd43476c
SHA512 c54eb01d949e2a19a34fb5017fb8927138436a6887010cd986d3a6dabe4860c77e26322854af2094710d728d2c3061fce67ed0f491d9f34df925be12123b8940

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-wal

MD5 999910cf62fc0abe15e11fb276a4e10b
SHA1 910f688abde4cd693ee22fd400e9623b80d41dc8
SHA256 ced69d35cbb4344257c06ccdbad0b7c25a05e9c7124e03fa77ee63503073ec61
SHA512 d8c8fae1da6cef3578e54bade2347f8e9daaca6ca4bbe7db06a33d7c06e11a228e05395aae054482a7a6a17d59aa29330e6b9d1bc4fee9ad454403cb245d4179

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database

MD5 225ff2943f069280fb3c94a1da4d2783
SHA1 f147f4c474f61b5033314e9e2628c87b857b40d2
SHA256 1330a0185f0ce94f7458d214932319612b0ffd4e6824dfcd749b037f585e8d5f
SHA512 4dbfb833e9127ceb9d5d00cb5cf4eb1dc15daa687a60a04de427824e88dd2e76f38df972967b2c2ec31dff0efa1bafbd92f74e931336e883e23a86315b60799b

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 12:24

Reported

2024-08-17 12:24

Platform

android-x64-20240624-en

Max time kernel

7s

Max time network

23s

Command Line

net.droidjack.server

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

net.droidjack.server

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 googlesettings.system.net udp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp

Files

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 0e36370c7388fb8caf288b809f7bbc46
SHA1 3d2e641e1738b0e6a732bdcb2b04c6394a3bcec6
SHA256 ef973a23566b540686e436a0a657f668fc7a17bfac8cb3696bd7abdb0be51bd3
SHA512 afee1bcef5f81c0d2fb9ae6759f6bcc286e85353e8f03acb8b17027da7c58991cc9cc2fba729d56aff8055f4e79539cde7e401ef906a77834771d4ff0b54538f

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database

MD5 ab9b76032f3671e636504f620ed4d205
SHA1 21e1e3ef5f95af48acdd224ef1f40ff12467521d
SHA256 4da0f7c511a540be366bd92014b6279194cf5da3c47ddb8acb48526f1ad967ab
SHA512 9e133dfb122855076eec7967f0e73fef6f8cdd655b32f9ee5d8cc7de1114212d10764839359b38b63e73772517910662109d87336a8507a99ca1085758841725

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 100affd0465a4addb285574e6022cb42
SHA1 8e6896f48a19669bbd1869ff1b017a7eae5962e2
SHA256 585a5771e79d2bedbd79c898a85c2689c65fb88eb33ee3e81f884a1eb5b214cd
SHA512 7f5f4b9e24f8ba015432220a33844ace53e87dc0d2022e42b0a66884367c38d446c26fda2653e483f85238021f5d451afa5ba4203e03c28f0145ad4018835207

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 d091be3fe27f61b104b887ed7f7557cf
SHA1 9ba8693b95d4552047b2b2afc5818ff039c88105
SHA256 c8e82f19cec1af2968004772161f1210baf282293d1d2e72e97a08db08cada7c
SHA512 1906c91a8827cb709c3962069e739c5165b36533f2752043c07e8ce4d82501a323da95a4bbfcb28897f78906a1a05675f1e3599fc0c8e49d2a0d1451d93580d1

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 38643035c1e124fe44c8efb74304898f
SHA1 d8e3304efbd791396cec78504453c781db8c39b9
SHA256 f8dc0d9ddd6c6987b55c4f47517d31af5e1b62cfd4ea566682c22298c7db8cc6
SHA512 268aebfdaf3fc32ed53d07467ee88ecc272cd00982c29511e78d5ff222630df44712fce770c1fe0b7c13fbefdcfd75bef63aea25b1dc92aea3d335052bf7ed1a

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database

MD5 21cc619a1a864ee67061805e7c2212fd
SHA1 9e7f72def852059017b649e9ca81ecb022b7fe65
SHA256 42d8efcb7f308fa14dd407336f6032418452c0989687ab41f4010ed5b2499240
SHA512 46850b69e173021667efc89981c77819ff253dba429447a1279637d343d30116f865f1753fa1664ff3e7ae1395efb52086886e6fff240dd91d004443e1ee3bf5

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 b0ef47bb16a922a86cbb369aa885f7ec
SHA1 e308f1b540842461b2c07b1279cc00c7ec37850a
SHA256 f60e7d3725e8f98c205868d29bbf8fa20f0b14fef87d1b32821ae68bf9962396
SHA512 29749a2d0f57f2fc9eb45808deb5f18a6f9079a9d18c788414df3441aac249caa768c9a5c5f1ced9466647c87f4959948474d70499ebfbaa765421e0bebe5962

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database

MD5 30c5534cc8e193d6d44d7f88cf958b70
SHA1 0bd575b2d455d6312f5c03d66f1c98c1636481f4
SHA256 d9053d1f628d3c65bf30ce45e82d2c0bec1fdc1506537b9d9903ac881707054c
SHA512 3223db8fa8f50069c5ac9d223c9c2a881c308cbbbbf62ab0329beeb693171995e4752aaa0e755a6352ee2152689cd361220dba4900154e57e4f0a1f3958a5330

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-17 12:24

Reported

2024-08-17 12:27

Platform

android-x64-arm64-20240624-en

Max time kernel

165s

Max time network

132s

Command Line

net.droidjack.server

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

net.droidjack.server

Network

Country Destination Domain Proto
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 googlesettings.system.net udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp

Files

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 aaf94dc218a99c2cd57e8b71c327ff52
SHA1 2775b3ad171423384cf03cbc05dcdc9ce6427090
SHA256 57a9e8bdbec7cc8d6ea18b176c3484ef5752dbfb822522140af0446c24d04307
SHA512 7693adcd3aeadfdf6aad892c72862adf6f9a88fd697f44fcbfb7ff813af02b3b01bb2fe31a453f3f0eac16224c8f002d0f5ac386ac7e3b73181f8bbccb8de048

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database

MD5 70ab0184149f2a2235ce82b245bb5c3a
SHA1 ee3b0fbc494cf364705fddb1f3ff3503e4f70ffa
SHA256 27df39c9b9de413f6bc5ccd57272857ef5500c20ffc8b4e90e35088b3f4af80f
SHA512 52d291e398d4b4c5d754d02aa2afbce0b8f87c71b60ba5f29f2d6adc6f72318b97d7fc252fbb77a6cc721b6a7c0cf052c58ddd0648069bbeb5ab259089a22cd2

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 97d14c8cf5a681960d1ae5af803a9614
SHA1 b59bdc48aa157c41c4434a50cbe72ad839fd6f51
SHA256 f41bf013611d35e6f2f4c2c8d01917dc44a45ad46d82ad1661492459d7e939ba
SHA512 faf2bdd538c2c764b9ef4567e3d1ad4f8d25a0099355fecf82f6de99fdbc5613f629553467bf2873c28f5aed9366a2b2e96db31af4ad34ad7fc54f68415275e3

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 9cf326c9af29ceff3bd76b029c6cccf1
SHA1 f7d30183cd1e631d013fc15851501aa26e9ab81f
SHA256 6a50db189bba7c0e0bd80fb7d58f1bcc9741133b10f4a7ea74eab8535aeea9da
SHA512 3ee6fd28e4dbbc9c86febb5a293400fc5484e168bde3f3848c7a3dd4d67640e4e2b4b8b394bb74b351a666d9a668a26422bd447b2c0d6401b45894879cebe74e

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 8527992e5713b6f2298520380249c0b0
SHA1 e462f450329602c1ee005c4a671c0d522d35440b
SHA256 62163ccc07f699233f06f37418d032cf9c30c34a435189c3a93231507f0aaf3d
SHA512 122881a708d4e09f23f64cefbe29decc965efde96d875369b2a44a1cd04f3dbea5b0a61db1339f36165efa74914799454a8a14e343a6f019df25e055ff2d4e06

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database

MD5 5ff57eaff21a61e6c539403d044c216f
SHA1 d882d19392531546bee0a088fa5c90ed81ac670d
SHA256 2a49060e3e67e20275aa13cde1ca5f26a5827f2661dd5fc61f0de64ddc1d627d
SHA512 4bb310dfaaeb7248f8400c40b0c5f5223eb34f87d809675f6a115a09c3944b7f2296d6f13a59dd3ddcc035c3a76f37c286fac998e1e89d76620b71b0c12d37a4

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

MD5 38b08c774dbfbdc3216435a17c5dc8b6
SHA1 88fff1091410f98dd3bca859bacedef19b504d2f
SHA256 1705ef856bfc00be07a097a49616a5b2a2875a98622cbac23dbb1ec797c5983a
SHA512 0b7eaa0c69864fce7829b6517da802e2ed9e809b9648e2f10cc6ebb4924a65659d48cecc26c7d6b2c8069ba590c06fb2e03710adff83728a015c372ea967b5a9

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database

MD5 a4563f10ffe669a561190f6813c78488
SHA1 36d046cdc9f8ec5e2f8a4457d6e1dd9fdf93d625
SHA256 db70be1b56ff21ee509df483f1c2cc7ef488eadfc1152399b3951677480010a3
SHA512 7c604dbcfe5614ef93fe6b10e165539aff32dd07ddd0f10c9cb8c3a143aff178f40340a4c13f65db59c3fc89995f83cf5df1efd41d57b23ba1e3fefdf8a77cd3