Analysis

  • max time kernel
    131s
  • max time network
    149s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    08-11-2024 22:48

General

  • Target

    a0c2671f650c0c513398ae285bd0aa8226f620eb7750b54513f7bc3fb9cc2b52.apk

  • Size

    5.0MB

  • MD5

    a13a2d591eedd4e738f533f9f485c81a

  • SHA1

    ff3e24ec7cdd0d1ea3aba47a20ccea8523a8b4b7

  • SHA256

    a0c2671f650c0c513398ae285bd0aa8226f620eb7750b54513f7bc3fb9cc2b52

  • SHA512

    18591413d384818ca1ed3345c0d0841c59a2bfbea7f487d571ff36aaa0d4757224c4cb3e96fd2f319fc2cd74f72f5bd44b4f62a30b5c1409b136a0982445d5b6

  • SSDEEP

    98304:3MqapZMg3WXUNlEN19i0w9+xGpusLnoivODzTPn5Dxvr1i7TVm:3MqaFkUNl5GxGBRqzJKVm

Malware Config

Extracted

Family

godfather

C2

https://t.me/akakemoraserak

Signatures

  • GodFather

    GodFather is an Android banking trojan targeting Turkish users, first seen in March 2022.

  • Godfather family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Acquires the wake lock 1 IoCs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.drastic.daughter
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Performs UI accessibility actions on behalf of the user
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4337
    • /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.drastic.daughter/app_kangaroo/tmff.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.drastic.daughter/app_kangaroo/oat/x86/tmff.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4364

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.drastic.daughter/app_kangaroo/oat/tmff.json.cur.prof

    Filesize

    4KB

    MD5

    9e44be40414d31e2ac3d4945b0900a27

    SHA1

    8af312c8c86de29b524038cddfe656123d5b5d94

    SHA256

    33a36b9416e69eb4b85715e42bc6eda5ba983e0e01c2a1cecb9684bff555c679

    SHA512

    dabf0005e425fae7fd1ea2a86f6a7d37a3621838ade6bf53b5fa540c16fd0aca534799de1a8d7260e32d6d4ad07df2d05542a5006355c2eb239b4b4ba81f0842

  • /data/data/com.drastic.daughter/app_kangaroo/tmff.json

    Filesize

    2.1MB

    MD5

    5b9604a622942597b43e5fc6b091c12e

    SHA1

    da48f5891a14f3a11e841d578e80ae3012d285a2

    SHA256

    51197406e62eb736b0ae4aefb1c0e2453638c05c50f029adaabadce8a7016d7b

    SHA512

    ac18500c422aa65522df4ab242bd19425f8a388d404e26c989fd1805b3faeaf1c32f84ce3b4c765d4bd23c634e123fe7823adea4b25c2443bb134e084d0b4461

  • /data/data/com.drastic.daughter/app_kangaroo/tmff.json

    Filesize

    2.1MB

    MD5

    47530598dd632922cbc5ae2d4101b7b1

    SHA1

    529f2f30ee80a8f5fdb95df92ac63386daee1783

    SHA256

    f7c73307746ebe1ff6b75ff8abddd91889b8dbac5f54b2ecd358a02bea6e8989

    SHA512

    e763f9ced6292c21a8c15bc91ddd04f3e17042489dfd209e1e7d5aec58b247269dec4b7a3043bebc4d7972ce43d3a235cc0e204e5e7557c0949395ca252b9196

  • /data/user/0/com.drastic.daughter/app_kangaroo/tmff.json

    Filesize

    5.6MB

    MD5

    42a0c8a992b583e778596f2a2a1a1b3a

    SHA1

    b954e0790e34410ad2a0a6ca25640e8fe9786cff

    SHA256

    bb20fefc4e7e45b4826af1dce23d7e7e996c1908a0f1be487004997a7e0c54c9

    SHA512

    b8cfc9fdf6b87ab5b639fdf14282344932552ece5cc68594dad4e76440a2071b0701aac37898ee1c1e78cb817532ebfe5e7763bb021700488634b31c92698c6e