Malware Analysis Report

2024-10-24 20:52

Sample ID 241018-ffwy5ayape
Target 558eaf7244e256612fd7234403ee9717_JaffaCakes118
SHA256 f09db31ef6d4a6c18681d1785ae7b32a82afe818c44d7d5a338d454603f57ef8
Tags
sandrorat discovery evasion persistence stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f09db31ef6d4a6c18681d1785ae7b32a82afe818c44d7d5a338d454603f57ef8

Threat Level: Known bad

The file 558eaf7244e256612fd7234403ee9717_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

sandrorat discovery evasion persistence stealth trojan

Sandrorat family

Removes its main activity from the application launcher

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 04:49

Signatures

Sandrorat family

sandrorat

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 04:49

Reported

2024-10-18 04:52

Platform

android-x86-arm-20240624-en

Max time kernel

145s

Max time network

131s

Command Line

net.droidjack.server

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

net.droidjack.server

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353     N/A                       udp
US       1.1.1.1:53           spectra.no-ip.biz         udp
GB       142.250.187.206:443  N/A                       tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.178.14:443   android.apis.google.com   tcp
US       1.1.1.1:53           spectra.no-ip.biz         udp
US       1.1.1.1:53           spectra.no-ip.biz         udp
US       1.1.1.1:53           spectra.no-ip.biz         udp

Files

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-shm

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-wal

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-wal

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-wal

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 04:49

Reported

2024-10-18 04:52

Platform

android-x64-20240624-en

Max time kernel

145s

Max time network

148s

Command Line

net.droidjack.server

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

net.droidjack.server

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353     N/A                       udp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       216.58.204.72:443    ssl.google-analytics.com  tcp
US       1.1.1.1:53           spectra.no-ip.biz         udp
GB       142.250.180.14:443   N/A                       tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       216.58.204.78:443    android.apis.google.com   tcp
GB       172.217.16.228:443   N/A                       tcp
GB       172.217.16.228:443   N/A                       tcp
US       1.1.1.1:53           spectra.no-ip.biz         udp
US       1.1.1.1:53           spectra.no-ip.biz         udp

Files

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-18 04:49

Reported

2024-10-18 04:52

Platform

android-x64-arm64-20240624-en

Max time kernel

146s

Max time network

133s

Command Line

net.droidjack.server

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

net.droidjack.server

Network

Country  Destination          Domain                    Proto
GB       216.58.212.238:443   N/A                       tcp
GB       216.58.212.238:443   N/A                       tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.178.14:443   android.apis.google.com   tcp
N/A      224.0.0.251:5353     N/A                       udp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.187.238:443  android.apis.google.com   tcp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       142.250.180.8:443    ssl.google-analytics.com  tcp
US       1.1.1.1:53           spectra.no-ip.biz         udp
GB       142.250.187.238:443  android.apis.google.com   tcp
GB       142.250.187.228:443  N/A                       tcp
GB       142.250.187.228:443  N/A                       tcp
US       1.1.1.1:53           spectra.no-ip.biz         udp
US       1.1.1.1:53           spectra.no-ip.biz         udp

Files

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal

/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database