Malware Analysis Report

2025-01-23 12:38

Sample ID 230427-rp1t8aaa6v
Target ready.apk
SHA256 df1985308e4cba63ad8b42f746443ab0df1ad240b7edb628e6d44cfa64799a2a
Tags
spynote evasion
score
10/10

Analysis Overview

Threat Level: Known bad

The file ready.apk was found to be: Known bad.

Malicious Activity Summary

spynote evasion

Spynote family

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Acquires the wake lock.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-04-27 14:22

Signatures

Spynote family

spynote

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-27 14:22

Reported

2023-04-27 14:24

Platform

android-x64-arm64-20220823-en

Max time kernel

3273240s

Max time network

74s

Command Line

edges.diagnostic.official

Signatures

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Removes a system notification.

evasion
Description | Indicator | Process | Target
Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A

Processes

edges.diagnostic.official

edges.diagnostic.official:remote

Network

Country Destination Domain Proto
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.174:443 android.apis.google.com tcp
NL 142.251.36.46:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
NL 172.217.168.226:443 tcp
NL 142.250.179.202:80 play.googleapis.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
DE 172.217.23.202:80 play.googleapis.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.39.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 men-cholesterol.at.ply.gg udp
US 209.25.141.229:22770 men-cholesterol.at.ply.gg tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 209.25.141.229:22770 men-cholesterol.at.ply.gg tcp
US 209.25.141.229:22770 men-cholesterol.at.ply.gg tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 172.217.168.234:443 infinitedata-pa.googleapis.com tcp
US 209.25.141.229:22770 men-cholesterol.at.ply.gg tcp
US 209.25.141.229:22770 men-cholesterol.at.ply.gg tcp
US 1.1.1.1:53 android.apis.google.com udp
US 209.25.141.229:22770 men-cholesterol.at.ply.gg tcp
US 209.25.141.229:22770 men-cholesterol.at.ply.gg tcp
US 209.25.141.229:22770 men-cholesterol.at.ply.gg tcp
US 209.25.141.229:22770 men-cholesterol.at.ply.gg tcp
US 209.25.141.229:22770 men-cholesterol.at.ply.gg tcp
US 209.25.141.229:22770 men-cholesterol.at.ply.gg tcp

Files

/data/user/0/edges.diagnostic.official/shared_prefs/edges.diagnostic.official.xml

/storage/emulated/0/Config/sys/apps/log/log-2023-04-27.txt

/data/user/0/edges.diagnostic.official/app_webview/variations_seed_new

/data/user/0/edges.diagnostic.official/app_webview/variations_stamp

/data/user/0/edges.diagnostic.official/app_webview/webview_data.lock

/data/user/0/edges.diagnostic.official/shared_prefs/WebViewChromiumPrefs.xml

/data/user/0/edges.diagnostic.official/app_webview/Default/Web Data

/data/user/0/edges.diagnostic.official/app_webview/Default/Web Data-journal

/data/user/0/edges.diagnostic.official/cache/WebView/Default/HTTP Cache/Code Cache/js/index

/data/user/0/edges.diagnostic.official/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index

/data/user/0/edges.diagnostic.official/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index

/data/user/0/edges.diagnostic.official/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index

/data/user/0/edges.diagnostic.official/cache/WebView/font_unique_name_table.pb

/data/user/0/edges.diagnostic.official/cache/WebView/Crashpad/settings.dat

/data/user/0/edges.diagnostic.official/app_webview/.com.google.Chrome.jx6Wo3
