Decrypting the Daam Malware: A Deep Dive Analysis of the Daam Malware Having Ransomware Capabilities

In this article, we will delve into the details of Daam Malware, a new threat that has ransomware capabilities. We will explore its origins, modus operandi, and ways to protect yourself from this malware. Read on to learn more.
Updated on April 25, 2023
Published on April 25, 2023

  • Category: Malware Intelligence
  • Region: Global

Executive Summary

On 17 April 2023, CloudSEK’s Threat Intelligence Research Team discovered a newly emerged malware, titled ‘Daam’. The malware was found to be communicating with various Android APK files, likely indicating the source of infection. While writing this report, two C2 panels were found operating on the following IPs:

  • 84[.]234[.]96[.]117[:]3000/#/login
  • 192[.]99[.]251[.]51[:]3000/#/login

The WebSocket associated with the above IP can be found at the following URL: hxxp[:]//192[.]99[.]251[.]51[:]3000/socket[.]io/?EIO=3&transport=websocket&sid=H1j-nXwa-LRJNA2AACsl
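The two C2 addresses and the socket.io WebSocket handshake above are the kind of indicators a defender can match against egress proxy logs. The following is an added example, not CloudSEK's tooling: it scans a constructed set of proxy log lines for the known C2 hosts, and separately hunts for the weaker pattern of a socket.io WebSocket handshake to port 3000 on a bare IP. The log format and the sample lines are assumptions.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs

# Indicators from the report, with defanging brackets removed for matching.
DAAM_C2_HOSTS = {"84.234.96.117", "192.99.251.51"}
DAAM_C2_PORT = 3000

# Constructed proxy log lines: "<timestamp> <src_ip> <method> <url> <status>".
# 203.0.113.9 is a documentation address used as a stand-in for an unknown host.
SAMPLE_LOG = """\
2023-04-17T10:01:02Z 10.0.0.12 GET http://192.99.251.51:3000/socket.io/?EIO=3&transport=websocket&sid=H1j-nXwa-LRJNA2AACsl 101
2023-04-17T10:01:05Z 10.0.0.12 GET http://192.99.251.51:3000/#/login 200
2023-04-17T10:02:11Z 10.0.0.33 GET http://example.org:3000/socket.io/?EIO=3&transport=websocket 101
2023-04-17T10:03:40Z 10.0.0.44 GET https://www.google.com/ 200
2023-04-17T10:04:00Z 10.0.0.12 GET http://84.234.96.117:3000/socket.io/?EIO=3&transport=polling 200
2023-04-17T10:05:13Z 10.0.0.51 GET http://203.0.113.9:3000/socket.io/?EIO=3&transport=websocket&sid=abc 101
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify_url(url):
    """Return a finding label for one URL, or None when nothing matches."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port
    if host in DAAM_C2_HOSTS:
        return "known-daam-c2"           # exact match on a reported C2 address
    try:
        ip_address(host or "")
        bare_ip = True                   # no DNS name: typical of cheap C2 hosting
    except ValueError:
        bare_ip = False
    qs = parse_qs(parts.query)
    # Weaker hunting signal: socket.io WebSocket handshake to port 3000 on a bare IP.
    if (bare_ip and port == DAAM_C2_PORT and parts.path.startswith("/socket.io/")
            and qs.get("transport") == ["websocket"]):
        return "socketio-ws-port3000-bare-ip"
    return None


def scan_log(text):
    """Yield (source_ip, destination_host, label) for each matching log line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip lines that do not fit the assumed format
        label = classify_url(m["url"])
        if label:
            findings.append((m["src"], urlsplit(m["url"]).hostname, label))
    return findings
```

The hunting label is deliberately separate from the exact-match label so that analysts can tune or drop it without losing the high-confidence hits.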

Note: Interestingly, this malware was also observed to have ransomware capabilities, since it encrypts files present in the root directory and on the SD card using the AES algorithm and drops a ‘readme_now.txt’ file.

Screenshot of the C2 panel of the Daam malware

Open Web Analysis

After analyzing the IP address (192[.]99[.]251[.]51) of the C2 panel using the Open Web, it was discovered that the panel was in communication with several APK files that had been recently uncovered.

Screenshot showing the C2 panel communicating with different APKs

While writing this report, CloudSEK researchers observed multiple websites offering free versions of these applications while some of them are already being marked as malicious/suspicious on various online sandboxing platforms. As of the time of writing this report, the applications detected on some of these platforms were added as recently as 3 days ago, coinciding with the date of detection of the C2 panel.

List of Websites Distributing The APKs

About the Malicious APKs

A simple Google search about the applications provided the following descriptions about them:

  • Psiphon Client for Android and Windows: Psiphon is circumvention software for Windows and Mobile platforms that provides uncensored access to Internet content.
  • Boulders: Boulders is a game where your main aim is to grab all the treasure from a mine and make it out alive.
  • Currency Pro: Currency Pro is a currency converter that provides the world's foreign currency conversion rates.

Technical Analysis

Upon investigation, the CloudSEK research team discovered that the aforementioned three applications utilize a common malicious package file named "". These trojanized applications were being used to distribute the Daam malware. Although the analyzed samples themselves do not exhibit any malicious behavior, the specific packages utilizing this file engage in malicious activities such as retrieving the names of Google accounts, recording phone and VoIP calls and ambient audio, gaining access to the camera, modifying the device password, accessing contact lists, capturing screenshots, stealing SMS messages, taking Chrome browser bookmarks, downloading and uploading files, and encrypting files using the AES algorithm.

To Note:

During the dynamic analysis of the malware, it was noticed that the malware, once installed on the victim's device, conducted environment-related checks that limited its full functionality. These checks were triggered when the malware sent a request to the Command and Control (C2) server using the WebSocket protocol, and the request was configured based on the victim's device configuration.

Device information exfiltration by the malware in the background

Permissions Requested by the Malware

Once installed on an Android device, the malicious applications are granted access to highly sensitive permissions including RECORD_AUDIO, READ_HISTORY_BOOKMARK, KILL_BACKGROUND_PROCESSES, and READ_CALL_LOGS.

User permissions of a sensitive nature that have been requested by the malicious application
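A first triage step for any APK of this kind is to pull the requested permissions from its AndroidManifest.xml and compare them against both the permission set the report observed and what the app's advertised purpose actually needs. This is an added example, not CloudSEK's tooling; the manifest is constructed to resemble a trojanized currency converter, the package name is made up, and the assumption that such an app only needs INTERNET is the analyst's, not the page's.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the report observed the Daam samples requesting, in their full
# Android names (the report abbreviates them as READ_HISTORY_BOOKMARK and READ_CALL_LOGS).
DAAM_OBSERVED = {
    "android.permission.RECORD_AUDIO",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
    "android.permission.KILL_BACKGROUND_PROCESSES",
    "android.permission.READ_CALL_LOG",
}

# Constructed manifest standing in for a trojanized "currency converter" build.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.currencypro">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Assumed baseline: a currency converter needs network access and nothing else.
CURRENCY_APP_EXPECTED = {"android.permission.INTERNET"}


def requested_permissions(manifest_xml):
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def triage_manifest(manifest_xml, expected):
    """Split requested permissions into report-observed ones and ones the app has no business asking for."""
    perms = requested_permissions(manifest_xml)
    return {
        "daam_observed": sorted(p for p in perms if p in DAAM_OBSERVED),
        "unexpected": sorted(p for p in perms if p not in expected),
    }
```

Run against a decoded manifest (for example from apktool output), a non-empty "daam_observed" list is a strong reason to escalate, while "unexpected" is the broader over-permission check the mitigation section below recommends.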

Features of the Malware

Security Checks Bypass

The malware is capable of circumventing security checks on a range of mobile brands.

Security check bypasses implemented by the malware

Recording Audio & Phone/VoIP Calls

The Daam malware has the ability to record all ongoing calls (phone and VoIP) on a victim's device and subsequently transmit them to the C2 server.

Code snippet responsible for recording calls on the affected device

The malware also searches for certain package IDs of applications that provide VoIP services, such as WhatsApp, Hike, etc., in order to record VoIP calls.

Code snippet depicting the package IDs searched by the malware for recording VoIP calls

File Exfiltration

The malware can traverse through all the readable local directories and is capable of exfiltrating all the files from the victim’s device.

Code snippet responsible for file exfiltration

Stealing Contacts

In addition to stealing contacts from a victim's device, the Daam malware is also capable of pilfering newly added contacts.

Code snippet responsible for stealing newly created contacts from the victim’s device

File Encryption

The malware is crafted to use the AES encryption algorithm to encrypt all files on the device without the owner's consent. Following encryption, the original files are deleted from local storage, leaving only the encrypted copies with a .enc extension.

Code snippet responsible for the encryption of files on the victim’s device


  • The exposed PII could enable other threat actors to orchestrate social engineering schemes, phishing attacks, and identity theft.
  • If the encrypted system contains critical data that is not backed up, the victim will be left with no option but to pay the ransom.
  • Since password reuse is a common practice, threat actors could leverage the exposed credentials to gain access to the users’ other accounts.
  • In addition to its encryption capability, the malware can also change the device password, locking users out of the device.


  • Monitor user accounts and systems for anomalies that could be indicators of a possible takeover. This includes noisy calls, devices heating up or slowing down, battery issues, apps operating abnormally, unusual notifications, etc.
  • Install a strong antivirus on the system to detect malicious signatures.
  • Enable all the Google Play Protect policies that block and warn users when downloading malicious applications.
  • Look out for applications asking for permissions they do not need in order to operate.
  • Never download applications from unknown sources or repositories; there is a high chance they contain obfuscated malicious code.*

*While statistics indicate that third-party websites may host a higher percentage of malicious or infected files, it's important to exercise caution and do your research before downloading any application from an unfamiliar source.

Indicators of Compromise (IOCs)
File names

Command and Control

Websites distributing unofficial versions of affected applications that can likely be malicious
