Malware Analysis Report

2025-01-23 12:38

Sample ID: 230424-t27jmseh4t
Target: client.apk
SHA256: a5b616c93ea1a228a46c5c1a498731c47bd1b721c518ff933d86c5806884bfe8
Tags: spynote, banker
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a5b616c93ea1a228a46c5c1a498731c47bd1b721c518ff933d86c5806884bfe8

Threat Level: Known bad

The file client.apk was found to be: Known bad.

Malicious Activity Summary

Tags: spynote, banker

Spynote family

Spynote payload

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).

Requests dangerous framework permissions

Requests enabling of the accessibility settings.

Tries to add a device administrator.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-04-24 16:34

Signatures

Spynote family
Tag: spynote

Spynote payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write (but not read) the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-04-24 16:34
Reported: 2023-04-24 16:37
Platform: android-x64-20220823-en
Max time kernel: 3021871s
Max time network: 163s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

N/A

Processes

cmf0.c3b5bm90zq.patch

Network

Country | Destination | Domain | Proto
DE | 142.250.185.130:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
NL | 142.250.179.136:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.250.179.174:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
NL | 142.251.36.45:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
NL | 142.251.36.45:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | vaccnyjw | udp
US | 1.1.1.1:53 | enbeqsxkuiklga | udp
US | 1.1.1.1:53 | clfwlplcxz | udp
US | 1.1.1.1:53 | vaccnyjw | udp
US | 1.1.1.1:53 | vaccnyjw | udp
US | 1.1.1.1:53 | vaccnyjw | udp

Files

/storage/emulated/0/systeminformation.android.app/config24-04-2023.log

MD5: 14929a4ea6a9c5d98994eb7e18badb2d
SHA1: 7afc1498319b9a986d374f29c9a98755e4693922
SHA256: 732e7de225b552f4fa3120f5e2cde9c0ab3b8da4f5273d3158b43326a3c90430
SHA512: 0c52c19839a9da44dd3774f9dd329d48f5ccc9152e85597dddf65c6c0169d9bcc55505664198597f652b7136b86def9b1f83a68b1964a6c78e4585190b29cf97

Analysis: behavioral2

Detonation Overview

Submitted: 2023-04-24 16:34
Reported: 2023-04-24 16:36
Platform: android-x64-arm64-20220823-en
Max time kernel: 3021956s
Max time network: 110s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).
Tag: banker

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Tries to add a device administrator.

Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

cmf0.c3b5bm90zq.patch

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
NL | 142.250.179.142:443 | | tcp
NL | 142.250.179.142:443 | | tcp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.250.179.194:443 | | tcp
NL | 142.251.36.46:443 | | tcp
NL | 142.251.36.3:443 | | tcp
NL | 142.250.179.131:443 | | tcp

Files

/storage/emulated/0/systeminformation.android.app/config24-04-2023.log

MD5: a7aa16fefeb63102f667d1fd4c608f3c
SHA1: ebcb630fb6d7ea5cf960c34e0d4b873cb3da9c16
SHA256: 8f4b155660b3d1100e3dc1b48c0539bc3179dd433436e8474308e045bc5a3048
SHA512: c71ee18723bfacaf8d32c26ed4c3bc13b4b797f49b59d0dc31b9ee7205f0d2ade36f5274569fd852f23186384dc3f95b8472872202dc435324b58c357dea4944