Malware Analysis Report

2025-01-23 12:33

Sample ID 230605-2b57wsbe8s
Target Osint signed.apk
SHA256 eb49fd6e474dfa79270d09ab2bb92cbeb29b0cad383087f982b56f62aa633e19
Tags
spynote evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eb49fd6e474dfa79270d09ab2bb92cbeb29b0cad383087f982b56f62aa633e19

Threat Level: Known bad

The file Osint signed.apk was found to be: Known bad.

Malicious Activity Summary

spynote evasion

Spynote family

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Acquires the wake lock.

Requests enabling of the accessibility settings.

Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-06-05 22:25

Signatures

Spynote family

spynote

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-05 22:25

Reported

2023-06-05 22:28

Platform

android-x64-arm64-20220823-en

Max time kernel

2376924s

Max time network

165s

Command Line

com.my.newproject5

Signatures

Makes use of the framework's Accessibility service.

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |

Acquires the wake lock.

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Requests enabling of the accessibility settings.

| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |

Processes

com.my.newproject5

Network


Files
