Analysis Overview
SHA256
f09db31ef6d4a6c18681d1785ae7b32a82afe818c44d7d5a338d454603f57ef8
Threat Level: Known bad
The file 558eaf7244e256612fd7234403ee9717_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Sandrorat family
Removes its main activity from the application launcher
Requests dangerous framework permissions
Acquires the wake lock
Queries information about active data network
Registers a broadcast receiver at runtime (usually for listening for system events)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-18 04:49
Signatures
Sandrorat family
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 04:49
Reported
2024-10-18 04:52
Platform
android-x86-arm-20240624-en
Max time kernel
145s
Max time network
131s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
net.droidjack.server
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | spectra.no-ip.biz | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | spectra.no-ip.biz | udp |
| US | 1.1.1.1:53 | spectra.no-ip.biz | udp |
| US | 1.1.1.1:53 | spectra.no-ip.biz | udp |
Files
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-shm
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-wal
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 04:49
Reported
2024-10-18 04:52
Platform
android-x64-20240624-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
net.droidjack.server
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | spectra.no-ip.biz | udp |
| GB | 142.250.180.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 172.217.16.228:443 | | tcp |
| US | 1.1.1.1:53 | spectra.no-ip.biz | udp |
| US | 1.1.1.1:53 | spectra.no-ip.biz | udp |
Files
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/data/net.droidjack.server/databases/SandroRat_Configuration_Database
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-18 04:49
Reported
2024-10-18 04:52
Platform
android-x64-arm64-20240624-en
Max time kernel
146s
Max time network
133s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
net.droidjack.server
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.212.238:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | spectra.no-ip.biz | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 142.250.187.228:443 | | tcp |
| US | 1.1.1.1:53 | spectra.no-ip.biz | udp |
| US | 1.1.1.1:53 | spectra.no-ip.biz | udp |
Files
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database-journal
/data/user/0/net.droidjack.server/databases/SandroRat_Configuration_Database