Malware Analysis Report

2025-01-23 12:43

Sample ID 230512-gehksaec31
Target 2nr premium signed.apk
SHA256 4b218d945ca4da4a2501a5eb99ab925f668df060cdcd45a9fbe419c799a5d789
Tags
spynote
score
10/10

Analysis Overview

score
10/10

SHA256

4b218d945ca4da4a2501a5eb99ab925f668df060cdcd45a9fbe419c799a5d789

Threat Level: Known bad

The file 2nr premium signed.apk was found to be: Known bad.

Malicious Activity Summary

spynote

Spynote family

Requests dangerous framework permissions

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-05-12 05:43

Signatures

Spynote family

spynote

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-12 05:42

Reported

2023-05-12 05:43

Platform

android-x64-arm64-20220823-en

Max time kernel

243032s

Max time network

19s

Command Line

pl.rs.sip.softphone.newapp

Signatures

N/A

Processes

pl.rs.sip.softphone.newapp

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.142:443 tcp
NL 142.250.179.142:443 tcp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 firebase-settings.crashlytics.com udp
US 1.1.1.1:53 graph.facebook.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.39.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp

Files

/data/user/0/pl.rs.sip.softphone.newapp/databases/com.google.android.datatransport.events

/data/user/0/pl.rs.sip.softphone.newapp/no_backup/com.google.android.gms.appid-no-backup

/data/user/0/pl.rs.sip.softphone.newapp/files/generatefid.lock

/data/user/0/pl.rs.sip.softphone.newapp/databases/com.google.android.datatransport.events-journal

/data/user/0/pl.rs.sip.softphone.newapp/files/PersistedInstallation1570695925334085076tmp

/data/user/0/pl.rs.sip.softphone.newapp/shared_prefs/com.google.firebase.messaging.xml

/data/user/0/pl.rs.sip.softphone.newapp/shared_prefs/FirebaseHeartBeatW0RFRkFVTFRd+MToxMDY2ODY4MzI1OTk4OmFuZHJvaWQ6MzVmZDdiYTFhMmExNDIyN2IzMzA3Zg.xml

/data/user/0/pl.rs.sip.softphone.newapp/shared_prefs/com.google.firebase.crashlytics.xml

/data/user/0/pl.rs.sip.softphone.newapp/files/.com.google.firebase.crashlytics.files.v2:pl.rs.sip.softphone.newapp/open-sessions/645DD1FE03D1000111BD7F716C04DFFC/report

/data/user/0/pl.rs.sip.softphone.newapp/shared_prefs/FirebaseHeartBeatW0RFRkFVTFRd+MToxMDY2ODY4MzI1OTk4OmFuZHJvaWQ6MzVmZDdiYTFhMmExNDIyN2IzMzA3Zg.xml

/data/user/0/pl.rs.sip.softphone.newapp/files/.com.google.firebase.crashlytics.files.v2:pl.rs.sip.softphone.newapp/open-sessions/645DD1FE03D1000111BD7F716C04DFFC/start-time

/data/user/0/pl.rs.sip.softphone.newapp/shared_prefs/com.google.android.gms.measurement.prefs.xml

/data/user/0/pl.rs.sip.softphone.newapp/shared_prefs/com.facebook.sdk.appEventPreferences.xml

/data/user/0/pl.rs.sip.softphone.newapp/shared_prefs/com.facebook.sdk.USER_SETTINGS.xml

/data/user/0/pl.rs.sip.softphone.newapp/shared_prefs/com.facebook.sdk.appEventPreferences.xml

/data/user/0/pl.rs.sip.softphone.newapp/files/PersistedInstallation3956077538807441250tmp

/data/user/0/pl.rs.sip.softphone.newapp/shared_prefs/com.google.android.gms.measurement.prefs.xml

/data/user/0/pl.rs.sip.softphone.newapp/databases/google_app_measurement_local.db

/data/user/0/pl.rs.sip.softphone.newapp/databases/google_app_measurement_local.db-journal

/data/user/0/pl.rs.sip.softphone.newapp/shared_prefs/com.google.android.gms.measurement.prefs.xml

/data/user/0/pl.rs.sip.softphone.newapp/shared_prefs/com.google.android.gms.measurement.prefs.xml

/data/user/0/pl.rs.sip.softphone.newapp/files/.com.google.firebase.crashlytics.files.v2:pl.rs.sip.softphone.newapp/crash_marker

/data/user/0/pl.rs.sip.softphone.newapp/files/.com.google.firebase.crashlytics.files.v2:pl.rs.sip.softphone.newapp/open-sessions/645DD1FE03D1000111BD7F716C04DFFC/event0000000000_

/data/user/0/pl.rs.sip.softphone.newapp/files/.com.google.firebase.crashlytics.files.v2:pl.rs.sip.softphone.newapp/.ae1683870208899

/data/user/0/pl.rs.sip.softphone.newapp/files/.com.google.firebase.crashlytics.files.v2:pl.rs.sip.softphone.newapp/priority-reports/645DD1FE03D1000111BD7F716C04DFFC

/data/user/0/pl.rs.sip.softphone.newapp/files/.com.google.firebase.crashlytics.files.v2:pl.rs.sip.softphone.newapp/open-sessions/645DD2010068000211BD7F716C04DFFC/report

/data/user/0/pl.rs.sip.softphone.newapp/files/.com.google.firebase.crashlytics.files.v2:pl.rs.sip.softphone.newapp/open-sessions/645DD2010068000211BD7F716C04DFFC/start-time
