Malware Analysis Report

2024-10-16 05:07

Sample ID 240913-rn4jqatgra
Target e640eb702de37deb80c0a763eb67dea6
SHA256 ec2654fcdaa602671c65fcd7df97643ddc73732e6291b08c5d2db03f667d6a9e
Tags
sandrorat discovery persistence
score
10/10

Analysis Overview

score
10/10

SHA256

ec2654fcdaa602671c65fcd7df97643ddc73732e6291b08c5d2db03f667d6a9e

Threat Level: Known bad

The file e640eb702de37deb80c0a763eb67dea6 was found to be: Known bad.

Malicious Activity Summary

sandrorat discovery persistence

Sandrorat family

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-09-13 14:21

Signatures

Sandrorat family

sandrorat

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-13 14:21

Reported

2024-09-13 14:23

Platform

android-x86-arm-20240624-en

Max time kernel

47s

Max time network

37s

Command Line

net.droidjack.server

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

net.droidjack.server

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | majdazar.ddns.net | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-shm
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-wal
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-wal
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-wal
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-13 14:21

Reported

2024-09-13 14:23

Platform

android-x64-20240624-en

Max time kernel

47s

Max time network

57s

Command Line

net.droidjack.server

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

net.droidjack.server

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | majdazar.ddns.net | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-13 14:21

Reported

2024-09-13 14:23

Platform

android-x64-arm64-20240624-en

Max time kernel

47s

Max time network

58s

Command Line

net.droidjack.server

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

net.droidjack.server

Network

Country | Destination | Domain | Proto
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | majdazar.ddns.net | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 74.125.206.84:443 | accounts.google.com | tcp

Files

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database