Analysis Overview
SHA256: ec2654fcdaa602671c65fcd7df97643ddc73732e6291b08c5d2db03f667d6a9e
Threat Level: Known bad
The file e640eb702de37deb80c0a763eb67dea6 was found to be: Known bad.
Malicious Activity Summary
Sandrorat family
Requests dangerous framework permissions
Acquires the wake lock
Queries information about active data network
Registers a broadcast receiver at runtime (usually for listening for system events)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-09-13 14:21
Signatures
Sandrorat family
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-09-13 14:21
Reported: 2024-09-13 14:23
Platform: android-x86-arm-20240624-en
Max time kernel: 47s
Max time network: 37s
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
net.droidjack.server
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | majdazar.ddns.net | udp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-shm
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-wal
Analysis: behavioral2
Detonation Overview
Submitted: 2024-09-13 14:21
Reported: 2024-09-13 14:23
Platform: android-x64-20240624-en
Max time kernel: 47s
Max time network: 57s
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
net.droidjack.server
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | majdazar.ddns.net | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
Files
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database
Analysis: behavioral3
Detonation Overview
Submitted: 2024-09-13 14:21
Reported: 2024-09-13 14:23
Platform: android-x64-arm64-20240624-en
Max time kernel: 47s
Max time network: 58s
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
net.droidjack.server
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.187.238:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | majdazar.ddns.net | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.36:443 | | tcp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| BE | 74.125.206.84:443 | accounts.google.com | tcp |
Files
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database