Malware Analysis Report

2025-01-23 12:45

Sample ID 230605-13g4psba44
Target oSiNT_1.3 original signed.apk
SHA256 c692b61b38772ebfe82f3f79f12c3eac8ab4c1d002c8a0335335b94a6e7500ec
Tags: spynote, evasion
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: c692b61b38772ebfe82f3f79f12c3eac8ab4c1d002c8a0335335b94a6e7500ec

Threat Level: Known bad

The file oSiNT_1.3 original signed.apk was found to be: Known bad.

Malicious Activity Summary

spynote evasion

Spynote family

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Acquires the wake lock.

Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-06-05 22:10

Signatures

Spynote family

spynote

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-05 22:10

Reported

2023-06-05 22:12

Platform

android-x64-arm64-20220823-en

Max time kernel

2375943s

Max time network

74s

Command Line

com.oSiNT.Dev

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

com.oSiNT.Dev

Network

Country Destination Domain Proto
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
NL 142.251.36.46:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 N/A udp
NL 172.217.168.226:443 N/A tcp
NL 142.250.179.138:80 play.googleapis.com tcp
NL 142.250.179.170:80 play.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.46:443 android.apis.google.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
DE 172.217.23.202:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 soon-lp.at.ply.gg udp
US 1.1.1.1:53 soon-lp.at.ply.gg udp
US 209.25.141.181:17209 soon-lp.at.ply.gg tcp
US 209.25.141.181:17209 soon-lp.at.ply.gg tcp
US 209.25.141.181:17209 soon-lp.at.ply.gg tcp
US 209.25.141.181:17209 soon-lp.at.ply.gg tcp
US 209.25.141.181:17209 soon-lp.at.ply.gg tcp
US 209.25.141.181:17209 soon-lp.at.ply.gg tcp

Files

/data/user/0/com.oSiNT.Dev/shared_prefs/com.oSiNT.Dev.xml

MD5 e0ae18ee51f8080061f538d00a4a2b1f
SHA1 b39e93a0da5a827e9154142070e5eb93eb2a6314
SHA256 cb60eb5f68387d91f47eecbf64f465400f1d0dfd29dca34c2f7835a381f2c1ee
SHA512 646b099795a1e9232a3548f78cd3e0025695f2cfd002cb9eae73c0ce14c64dc253ad3ceb7dd53e6289b38b5f556ed511c103e99c197c0685f80361aa0d97c96e

/data/user/0/com.oSiNT.Dev/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.oSiNT.Dev/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.oSiNT.Dev/shared_prefs/WebViewChromiumPrefs.xml

MD5 97ccd9a2b2063143df56b6937f961ca4
SHA1 5e78a91ae5df289ce83443cb7d5589dd3504fb5d
SHA256 248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd
SHA512 86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

/data/user/0/com.oSiNT.Dev/app_webview/webview_data.lock

MD5 bd48832f200a056950807b7f21feef24
SHA1 0ce775f802305e4e610930147d0179c554ecfe80
SHA256 0333c8a2754e2ea15139c5531efffb2ddd382270dc1bd2c8b92d5d6350f0687d
SHA512 e505265e21b65a268b5067016931f3eac876164b530d3ccfe624677165d2dae9b7c6e9f52244a07c26aebe74b96175c2af1277c34ec8610a6ae21ce266868e66

/data/user/0/com.oSiNT.Dev/app_webview/Default/Web Data

MD5 a48cd9324b1f8754b07f00d863b840f3
SHA1 11c6614775b35a58f440971dfc87c8aaac6d6173
SHA256 8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420
SHA512 35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

/data/user/0/com.oSiNT.Dev/app_webview/Default/Web Data-journal

MD5 a83594b0f343374a15f40ea434bcf40b
SHA1 f5e0f89fc14ea5a0189774c85833b807291a170d
SHA256 5fe97729d7983702a1f4f443adb86c8de701b93aba66e99c81a51c3609630d85
SHA512 434d3d4bb0e65263a622ecc5693ea7a007b62043a6f4f2982cf94df3858c663c1f9f8470b72389a21d4340b73feed3acc55a59742336fdbe7ecd7ce059f97cb4

/data/user/0/com.oSiNT.Dev/cache/WebView/Default/HTTP Cache/Code Cache/js/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.oSiNT.Dev/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.oSiNT.Dev/app_webview/Default/GPUCache/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.oSiNT.Dev/app_webview/Default/GPUCache/index-dir/temp-index

MD5 a520b3709b32fd71ed58abe4ffbadfc3
SHA1 50565fc78b3aa0854772a0d9884d77e425a97634
SHA256 922d2358be21b5740697443e72df380c748adc6d7aa88fee5b718ebb4ad235df
SHA512 f610e1d03f3a16b993e284537562433db6cb748b534db9fc4d8c7261db8363f296495b1ca1fdbb7276af940f94e0667beb762459269b864a6793bf47e2d21c95

/data/user/0/com.oSiNT.Dev/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index

MD5 bbfa787700a9ea67618f7c7b386db97f
SHA1 77858b076b841132a0830e5b77f3e598f36e58ef
SHA256 a24ed8434d8844d4dfb8013e95bd5279a778c3a1f74ca44b62ee7a7ae658d926
SHA512 d6ca6156e5f1e23ae9c2ed42315ca33ab312022004d4bedb2487951b0e2a11fb3eda94c20abdef5f14761ea3013d263fa76b9b4abf857184e4afbf2eea1915a8

/data/user/0/com.oSiNT.Dev/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index

MD5 579b3c9b94d4b3d00c6d47a8fc870e65
SHA1 3b37de2c14276d55509c2694cbeff387429674c2
SHA256 c1afa528a9268b710dae90dfca6ec4d65806a196ea43fa7e942e7b4e1dfdce66
SHA512 109b7f3389bc3602a00af8b737bac0512db9a0a05653b8218aab2781da7e3460cc86a1c5fcea92a9938648f4982eb80ba30b074ee54b329c95278b3edf254083

/data/user/0/com.oSiNT.Dev/cache/WebView/font_unique_name_table.pb

MD5 f080fa2a56ab5479d58063e5ea871447
SHA1 4b3fd57a98916fa5784305b76ba30af26b5253d9
SHA256 0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815
SHA512 8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

/data/user/0/com.oSiNT.Dev/cache/WebView/Crashpad/settings.dat

MD5 3f29b8d8b6fc6c03b6774ba49038047e
SHA1 1ddf3b5e673d1d2c62fd9dfe3dfb92c665e2b220
SHA256 01daadd8135c9f952dde89bb01f8c1a1e253c060d0e4208514def7b239988907
SHA512 73922550475b18303c852ef674e7d30b9a0ca4bbef71858c3a71b350fab2bfc2ec95d0b690746d161691c665763895089818a97cba2eb75701e6f04020c7aaba

/storage/emulated/0/Config/sys/apps/log/log-2023-06-05.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.oSiNT.Dev/app_webview/.com.google.Chrome.tTsEJb

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral3

Detonation Overview

Submitted

2023-06-05 22:10

Reported

2023-06-05 22:11

Platform

android-x64-arm64-20220823-en

Max time network

13s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.174:443 android.apis.google.com tcp
NL 142.251.36.46:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 N/A udp
NL 142.250.179.170:80 play.googleapis.com tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-06-05 22:10

Reported

2023-06-05 22:11

Platform

android-x64-arm64-20220823-en

Max time network

11s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
NL 142.251.36.10:443 N/A tcp
DE 142.250.186.174:443 N/A tcp
DE 142.250.186.174:443 N/A tcp
DE 142.250.186.174:443 N/A tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-06-05 22:10

Reported

2023-06-05 22:11

Platform

android-x64-arm64-20220823-en

Max time network

11s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
DE 172.217.23.206:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-06-05 22:10

Reported

2023-06-05 22:11

Platform

android-x64-arm64-20220823-en

Max time network

11s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
DE 172.217.23.206:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 N/A udp
NL 142.250.179.170:80 play.googleapis.com tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-05 22:10

Reported

2023-06-05 22:11

Platform

android-x64-arm64-20220823-en

Max time network

12s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
NL 142.251.36.10:443 N/A tcp
DE 142.250.186.174:443 N/A tcp
DE 142.250.186.174:443 N/A tcp
DE 142.250.186.174:443 N/A tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-06-05 22:10

Reported

2023-06-05 22:11

Platform

android-x64-arm64-20220823-en

Max time network

13s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 growth-pa.googleapis.com udp
GB 216.58.208.110:443 N/A tcp
GB 216.58.208.110:443 N/A tcp
GB 216.58.208.110:443 N/A tcp
GB 216.58.208.110:443 N/A tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-06-05 22:10

Reported

2023-06-05 22:11

Platform

android-x64-arm64-20220823-en

Max time network

12s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.208.110:443 android.apis.google.com tcp
GB 216.58.208.110:443 android.apis.google.com tcp
GB 216.58.208.110:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 growth-pa.googleapis.com udp
NL 142.251.39.106:443 growth-pa.googleapis.com tcp
GB 216.58.208.106:443 growth-pa.googleapis.com tcp
NL 142.251.36.10:443 growth-pa.googleapis.com tcp
DE 172.217.23.202:443 growth-pa.googleapis.com tcp
NL 172.217.168.234:443 growth-pa.googleapis.com tcp
NL 142.250.179.202:443 growth-pa.googleapis.com tcp
NL 142.250.179.138:443 growth-pa.googleapis.com tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-06-05 22:10

Reported

2023-06-05 22:11

Platform

android-x64-arm64-20220823-en

Max time network

11s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 growth-pa.googleapis.com udp
GB 216.58.208.110:443 N/A tcp
GB 216.58.208.110:443 N/A tcp
GB 216.58.208.110:443 N/A tcp
NL 142.251.39.106:443 N/A udp
NL 142.251.39.106:443 N/A tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-06-05 22:10

Reported

2023-06-05 22:11

Platform

android-x64-arm64-20220823-en

Max time network

12s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.208.110:443 android.apis.google.com tcp
GB 216.58.208.110:443 android.apis.google.com tcp
GB 216.58.208.110:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 growth-pa.googleapis.com udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-06-05 22:10

Reported

2023-06-05 22:11

Platform

android-x64-arm64-20220823-en

Max time network

11s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
NL 142.251.39.106:443 N/A tcp
NL 142.250.179.142:443 N/A tcp
NL 142.250.179.142:443 N/A tcp
NL 142.250.179.142:443 N/A tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-06-05 22:10

Reported

2023-06-05 22:11

Platform

android-x64-arm64-20220823-en

Max time network

12s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
NL 142.250.179.130:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-06-05 22:10

Reported

2023-06-05 22:11

Platform

android-x64-arm64-20220823-en

Max time network

12s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
NL 142.251.39.106:443 N/A tcp
NL 142.250.179.142:443 N/A tcp
NL 142.250.179.142:443 N/A tcp
NL 142.250.179.142:443 N/A tcp
NL 142.250.179.142:443 N/A tcp

Files

N/A