godfather | 6232b30398726350b704f677b2f5d5affa55dc04e0964f3e3dcdb3b41ea62c08

Resubmissions

09-11-2024 01:33

241109-byrd5svald 10

08-11-2024 23:23

241108-3dg4hsscnn 10

Analysis

max time kernel
132s
max time network
132s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
08-11-2024 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6232b30398726350b704f677b2f5d5affa55dc04e0964f3e3dcdb3b41ea62c08.apk
Size

4.8MB
MD5

4f2da7f59fb05d5fd6f0cc60ceea644c
SHA1

425a1002be3fd68c5178dc84200c101b1af1b34b
SHA256

6232b30398726350b704f677b2f5d5affa55dc04e0964f3e3dcdb3b41ea62c08
SHA512

b3a1a92d8de5d716ec7821a8165a41e8c6cb932c770e4b7da434946a12237fa069f0a24ce269def2024de644948f0baaf3a5fbbf543d13e488c4623f1fd80d4f
SSDEEP

98304:ZlqBwojwhlJUORjOe2CspgFi6SW35zluCj55TBHUGNgMhZfkGGpO6LF:uglA1p96SWnukTB0GNgMshLF

Score

10^/10

godfather banker collection credential_access evasion impact infostealer trojan

Malware Config

Extracted

Family

godfather

https://t.me/fakapaparamokas

Signatures

GodFather
GodFather is an Android banking trojan targeting Turkish users first seen in March 2022.
banker trojan infostealer godfather
Godfather family
godfather

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.prizeable.ldx/app_mesh/foB.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.prizeable.ldx/app_mesh/oat/x86/foB.odex --compiler-filter=quicken --class-loader-context=&com.prizeable.ldx

ioc	pid	process
/data/user/0/com.prizeable.ldx/app_mesh/foB.json	4275	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.prizeable.ldx/app_mesh/foB.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.prizeable.ldx/app_mesh/oat/x86/foB.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.prizeable.ldx/app_mesh/foB.json	4248	com.prizeable.ldx

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.prizeable.ldx

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.prizeable.ldx
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.prizeable.ldx

Acquires the wake lock 1 IoCs

Processes:

com.prizeable.ldx

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.prizeable.ldx
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
evasion

Prevent Application Removal
T1629.001

Processes:

com.prizeable.ldx

ioc process

android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.prizeable.ldx
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.prizeable.ldx

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.prizeable.ldx

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.prizeable.ldx

ioc	process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.prizeable.ldx

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.prizeable.ldx

com.prizeable.ldx
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Performs UI accessibility actions on behalf of the user
- Uses Crypto APIs (Might try to encrypt user data)
PID:4248
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.prizeable.ldx/app_mesh/foB.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.prizeable.ldx/app_mesh/oat/x86/foB.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4275

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.prizeable.ldx/app_mesh/foB.json

Filesize
2.3MB

MD5
f7a50e10acc10cf7bf0c2b99699da83f

SHA1
aab764adcf304414841132bdea32628c48fa8fb5

SHA256
703f78d35240b846caac0a3c3a40043035846f13ae772c4974a02adc6d5a4f5c

SHA512
e75da50d462b99e697687a0e01612fc256bc2f089084c07cc4317f6eab42822b7366d64d51c5ec5b40248a61624cd5e8853d9d4a35134b097fc2448288354c21

Download Submit
/data/data/com.prizeable.ldx/app_mesh/foB.json

Filesize
2.3MB

MD5
5c92094bb2fcef05fe149f72fc2cd929

SHA1
a54b1fff30626901d9df1fd74058d20159b41b88

SHA256
864726f4967bd573f017264a694b9017e7ef06b25e0392fdf9cb678f6a784942

SHA512
373e48ffaa442b757492ff6efcf8a07cfe2098852eab216dea9222dcf654107dae624138ec4932394fb7baba055057112b93be5bbed9c1a7c71ebb72204d62a8

Download Submit
/data/data/com.prizeable.ldx/app_mesh/oat/foB.json.cur.prof

Filesize
1KB

MD5
255e2f6e06f7de6f685fda225a5e6262

SHA1
ea4d61a0dc99b34daa1ce51abf386c564ff18f44

SHA256
9c56518a1109a768b8cd5f3c91c204ed56ed4d2c1a924998a655771b58c25f76

SHA512
6af6cf82caf16feaa9f44c7711148996f07e82dabfb6fd3f318f1fa13c3290032a4bd10091592f9eb083f990e15747ae3aacb9899509944eab542d44b7f10c93

Download Submit
/data/user/0/com.prizeable.ldx/app_mesh/foB.json

Filesize
6.2MB

MD5
1388e4ae7ae7231f3a90acdbbd2d9a5d

SHA1
9006c44d06d5b875659e934e7d5cb1fb17b17464

SHA256
c7e6ae1df6cbc565d7e642481e8cfb4ae0c44f86265a45deacf9c62914c59825

SHA512
5c55b770380b1aeb5a939afaa9cf88dc7e890f6e11735f78a3b99a14357929b5867fc0595692c5c1da0d6ae3620110326a7089b54f55f2a59f1102d95537b63a

Download Submit