Malware Analysis Report

2025-01-23 12:45

Sample ID 230521-e6vnbaag8y
Target 16212f3930f3c8327ba9872acf626c3b
SHA256 967557d5d230867011eeb79101830a722836ea1779f4755e3692e130420ff17c
Tags
spynote evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

967557d5d230867011eeb79101830a722836ea1779f4755e3692e130420ff17c

Threat Level: Known bad

The file 16212f3930f3c8327ba9872acf626c3b was found to be: Known bad.

Malicious Activity Summary

spynote evasion

Spynote family

Makes use of the framework's Accessibility service.

Acquires the wake lock.

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-05-21 04:33

Signatures

Spynote family

spynote

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-21 04:33

Reported

2023-05-21 04:36

Platform

android-x86-arm-20220823-en

Max time kernel

1016585s

Max time network

156s

Command Line

adds.clubs.controlling

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

adds.clubs.controlling

adds.clubs.controlling:remote

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp
US 1.1.1.1:853 tcp
HK 103.71.154.99:7771 tcp
US 1.1.1.1:853 tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp
US 1.1.1.1:853 tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp

Files

/data/user/0/adds.clubs.controlling/shared_prefs/adds.clubs.controlling.xml

MD5 e0ae18ee51f8080061f538d00a4a2b1f
SHA1 b39e93a0da5a827e9154142070e5eb93eb2a6314
SHA256 cb60eb5f68387d91f47eecbf64f465400f1d0dfd29dca34c2f7835a381f2c1ee
SHA512 646b099795a1e9232a3548f78cd3e0025695f2cfd002cb9eae73c0ce14c64dc253ad3ceb7dd53e6289b38b5f556ed511c103e99c197c0685f80361aa0d97c96e

/storage/emulated/0/Config/sys/apps/log/log-2023-05-21.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/adds.clubs.controlling/shared_prefs/ProtectedApps.xml

MD5 214fb59450fb63c2eba0eb00cbef71bb
SHA1 d55306c66d10c8256ced135b9a245fb3de50b096
SHA256 29cd87115f57a3d714e8f666d08c6d1bd53fd644a77b8172dfa29ac2aea1bf46
SHA512 83c6d8af079e1224d78056316e5bebc3947871194afe325493599131b82fc6a381cc7c72ab93378ddcca3ab6b5ed9c14c6da2e73086e29d48c6dafa550a1622b

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-21 04:33

Reported

2023-05-21 04:36

Platform

android-x64-20220823-en

Max time kernel

1016583s

Max time network

157s

Command Line

adds.clubs.controlling

Signatures

N/A

Processes

adds.clubs.controlling

adds.clubs.controlling:remote

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
HK 103.71.154.99:7771 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.208.110:443 android.apis.google.com tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp

Files

/data/user/0/adds.clubs.controlling/shared_prefs/adds.clubs.controlling.xml

MD5 e0ae18ee51f8080061f538d00a4a2b1f
SHA1 b39e93a0da5a827e9154142070e5eb93eb2a6314
SHA256 cb60eb5f68387d91f47eecbf64f465400f1d0dfd29dca34c2f7835a381f2c1ee
SHA512 646b099795a1e9232a3548f78cd3e0025695f2cfd002cb9eae73c0ce14c64dc253ad3ceb7dd53e6289b38b5f556ed511c103e99c197c0685f80361aa0d97c96e

/storage/emulated/0/Config/sys/apps/log/log-2023-05-21.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/adds.clubs.controlling/shared_prefs/ProtectedApps.xml

MD5 214fb59450fb63c2eba0eb00cbef71bb
SHA1 d55306c66d10c8256ced135b9a245fb3de50b096
SHA256 29cd87115f57a3d714e8f666d08c6d1bd53fd644a77b8172dfa29ac2aea1bf46
SHA512 83c6d8af079e1224d78056316e5bebc3947871194afe325493599131b82fc6a381cc7c72ab93378ddcca3ab6b5ed9c14c6da2e73086e29d48c6dafa550a1622b

Analysis: behavioral3

Detonation Overview

Submitted

2023-05-21 04:33

Reported

2023-05-21 04:36

Platform

android-x64-arm64-20220823-en

Max time kernel

1016601s

Max time network

168s

Command Line

adds.clubs.controlling

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

adds.clubs.controlling

adds.clubs.controlling:remote

Network

Country Destination Domain Proto
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
US 1.1.1.1:53 growth-pa.googleapis.com udp
NL 142.251.36.10:443 growth-pa.googleapis.com tcp
DE 172.217.23.202:443 growth-pa.googleapis.com tcp
N/A 224.0.0.251:5353 udp
NL 172.217.168.202:443 growth-pa.googleapis.com tcp
NL 142.251.39.106:443 growth-pa.googleapis.com tcp
NL 142.250.179.138:443 growth-pa.googleapis.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.251.36.10:443 growth-pa.googleapis.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
DE 172.217.23.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.251.39.106:443 infinitedata-pa.googleapis.com tcp
HK 103.71.154.99:7771 tcp
US 1.1.1.1:53 accounts.google.com udp
NL 142.250.179.173:443 accounts.google.com tcp
US 1.1.1.1:53 accounts.google.com udp
NL 142.250.179.205:443 accounts.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 172.217.168.206:443 android.apis.google.com tcp
US 1.1.1.1:53 vzqppmowwjbiodo udp
US 1.1.1.1:53 mkghpggcwf udp
US 1.1.1.1:53 trbnysbkupzfwht udp
HK 103.71.154.99:7771 tcp
US 1.1.1.1:53 trbnysbkupzfwht udp
US 1.1.1.1:53 vzqppmowwjbiodo udp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp
US 1.1.1.1:53 update.googleapis.com udp
NL 142.250.179.195:443 update.googleapis.com tcp
US 1.1.1.1:53 edgedl.me.gvt1.com udp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp
HK 103.71.154.99:7771 tcp

Files

/data/user/0/adds.clubs.controlling/shared_prefs/adds.clubs.controlling.xml

MD5 e0ae18ee51f8080061f538d00a4a2b1f
SHA1 b39e93a0da5a827e9154142070e5eb93eb2a6314
SHA256 cb60eb5f68387d91f47eecbf64f465400f1d0dfd29dca34c2f7835a381f2c1ee
SHA512 646b099795a1e9232a3548f78cd3e0025695f2cfd002cb9eae73c0ce14c64dc253ad3ceb7dd53e6289b38b5f556ed511c103e99c197c0685f80361aa0d97c96e

/storage/emulated/0/Config/sys/apps/log/log-2023-05-21.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/adds.clubs.controlling/shared_prefs/ProtectedApps.xml

MD5 214fb59450fb63c2eba0eb00cbef71bb
SHA1 d55306c66d10c8256ced135b9a245fb3de50b096
SHA256 29cd87115f57a3d714e8f666d08c6d1bd53fd644a77b8172dfa29ac2aea1bf46
SHA512 83c6d8af079e1224d78056316e5bebc3947871194afe325493599131b82fc6a381cc7c72ab93378ddcca3ab6b5ed9c14c6da2e73086e29d48c6dafa550a1622b