Analysis
- Max time kernel: 131s
- Max time network: 149s
- Platform: android-9_x86
- Resource: android-x86-arm-20240910-en
- Resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- Submitted: 08-11-2024 22:48
- Static task: static1
- Behavioral task: behavioral1
  - Sample: a0c2671f650c0c513398ae285bd0aa8226f620eb7750b54513f7bc3fb9cc2b52.apk
  - Resource: android-x86-arm-20240910-en
- Behavioral task: behavioral2
  - Sample: a0c2671f650c0c513398ae285bd0aa8226f620eb7750b54513f7bc3fb9cc2b52.apk
  - Resource: android-x64-20240910-en
General
- Target: a0c2671f650c0c513398ae285bd0aa8226f620eb7750b54513f7bc3fb9cc2b52.apk
- Size: 5.0MB
- MD5: a13a2d591eedd4e738f533f9f485c81a
- SHA1: ff3e24ec7cdd0d1ea3aba47a20ccea8523a8b4b7
- SHA256: a0c2671f650c0c513398ae285bd0aa8226f620eb7750b54513f7bc3fb9cc2b52
- SHA512: 18591413d384818ca1ed3345c0d0841c59a2bfbea7f487d571ff36aaa0d4757224c4cb3e96fd2f319fc2cd74f72f5bd44b4f62a30b5c1409b136a0982445d5b6
- SSDEEP: 98304:3MqapZMg3WXUNlEN19i0w9+xGpusLnoivODzTPn5Dxvr1i7TVm:3MqaFkUNl5GxGBRqzJKVm
Malware Config
- Extracted (godfather): https://t.me/akakemoraserak
Signatures
- GodFather
  GodFather is an Android banking trojan targeting Turkish users, first seen in March 2022.
- Godfather family
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs an executable file dropped to the device during analysis.
  - ioc: /data/user/0/com.drastic.daughter/app_kangaroo/tmff.json; pid: 4364; Process: /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.drastic.daughter/app_kangaroo/tmff.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.drastic.daughter/app_kangaroo/oat/x86/tmff.odex --compiler-filter=quicken --class-loader-context=&
  - ioc: /data/user/0/com.drastic.daughter/app_kangaroo/tmff.json; pid: 4337; Process: com.drastic.daughter
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  - description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; Process: com.drastic.daughter
  - description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId; Process: com.drastic.daughter
- Acquires the wake lock (1 IoC)
  - description: Framework service call; ioc: android.os.IPowerManager.acquireWakeLock; Process: com.drastic.daughter
- Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
  The application may abuse the accessibility service to prevent its own removal.
  - ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; Process: com.drastic.daughter
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  - description: Framework API call; ioc: javax.crypto.Cipher.doFinal; Process: com.drastic.daughter
Processes
- com.drastic.daughter (PID 4337)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Performs UI accessibility actions on behalf of the user
  - Uses Crypto APIs (might try to encrypt user data)
  - /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.drastic.daughter/app_kangaroo/tmff.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.drastic.daughter/app_kangaroo/oat/x86/tmff.odex --compiler-filter=quicken --class-loader-context=& (PID 4364, child of com.drastic.daughter)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Downloads