Malware Analysis Report

2024-10-24 21:00

Sample ID: 240212-je7wsafg7z
Target: 34f11498a63702624b00f2ebb539bffe.apk
SHA256: 26deae5dbb13c1a2476fbef7c93e454338c6c39fe922a5911e30650242054e0c
Tags: spynote, evasion
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 26deae5dbb13c1a2476fbef7c93e454338c6c39fe922a5911e30650242054e0c
Threat Level: Known bad

The file 34f11498a63702624b00f2ebb539bffe.apk was found to be: Known bad.

Malicious Activity Summary

Tags: spynote, evasion

Spynote family

Makes use of the framework's Accessibility service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-12 07:36

Signatures

Spynote family

Tags: spynote

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). | android.permission.BIND_INPUT_METHOD | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-12 07:36
Reported: 2024-02-12 07:38
Platform: android-x86-arm-20231215-en
Max time kernel: 150s
Max time network: 131s

Command Line

increased.lithuania.carrier

Signatures

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

increased.lithuania.carrier

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.202:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-02-12.txt

MD5 e964096015fa28d99c39a83f0f54a8b0
SHA1 d2c3b35692b2bbd21f2ef12c94128dbb4527516b
SHA256 d04d5384027b720fccf556138a57dcdbb610f5e67498ac96d54b85c9e07ab247
SHA512 8cf2fde266cc5846048b33e5452e35cac778664e6a5bd2c6ef0d03a45b74857a537cc713ba5eeaed4bb580d1a981e35e7bec2f3cc73c83ccda163e7246c1cacb

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-12 07:36
Reported: 2024-02-12 07:38
Platform: android-x64-20231215-en
Max time kernel: 153s
Max time network: 147s

Command Line

increased.lithuania.carrier

Signatures

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

increased.lithuania.carrier

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 172.217.169.46:443 | | tcp
GB | 142.250.200.2:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-02-12.txt

MD5 b3d53d1e5444e325503c3ca9e20fa98b
SHA1 5b1af3d7bc5ed2624b929320be73a1b82f212d57
SHA256 4dff6f6a48d8814fdc703b7356356c15334184401b31e7c4578da85bd481077e
SHA512 a890904d4d3f889a1b7e7a56b4d3d5c1deb4b6e9a0f25d1bce9227c0a9cf2bc3ccb9bfc3ddba7b8151d0b823835340ef0c719120c7d6e883bf7ccc2466835864

/storage/emulated/0/Config/sys/apps/log/log-2024-02-12.txt

MD5 7561846ed6ea4340898957991dc6e02a
SHA1 9d64906cdb61381761647eb307e6e2ac038af5f0
SHA256 e9e3313e97b0422a7714048373b50291394b60a4e1d1921d3d78ef16da4a5d5b
SHA512 dd7ecf7463a6d7f54868d290b5fa2e97afc4c20d9c94b3e08b03307dd6af4e39ed61e6d07299e636238f186b2f32e568220442d3a899c6aa1a54d237059f6f59

/storage/emulated/0/Config/sys/apps/log/log-2024-02-12.txt

MD5 e964096015fa28d99c39a83f0f54a8b0
SHA1 d2c3b35692b2bbd21f2ef12c94128dbb4527516b
SHA256 d04d5384027b720fccf556138a57dcdbb610f5e67498ac96d54b85c9e07ab247
SHA512 8cf2fde266cc5846048b33e5452e35cac778664e6a5bd2c6ef0d03a45b74857a537cc713ba5eeaed4bb580d1a981e35e7bec2f3cc73c83ccda163e7246c1cacb

Analysis: behavioral3

Detonation Overview

Submitted: 2024-02-12 07:36
Reported: 2024-02-12 07:38
Platform: android-x64-arm64-20231215-en
Max time kernel: 152s
Max time network: 162s

Command Line

increased.lithuania.carrier

Signatures

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

increased.lithuania.carrier

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.10:443 | | udp
GB | 142.250.178.14:443 | | udp
GB | 172.217.169.14:443 | | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.2:443 | | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-02-12.txt

MD5 e964096015fa28d99c39a83f0f54a8b0
SHA1 d2c3b35692b2bbd21f2ef12c94128dbb4527516b
SHA256 d04d5384027b720fccf556138a57dcdbb610f5e67498ac96d54b85c9e07ab247
SHA512 8cf2fde266cc5846048b33e5452e35cac778664e6a5bd2c6ef0d03a45b74857a537cc713ba5eeaed4bb580d1a981e35e7bec2f3cc73c83ccda163e7246c1cacb

/storage/emulated/0/Config/sys/apps/log/log-2024-02-12.txt

MD5 7561846ed6ea4340898957991dc6e02a
SHA1 9d64906cdb61381761647eb307e6e2ac038af5f0
SHA256 e9e3313e97b0422a7714048373b50291394b60a4e1d1921d3d78ef16da4a5d5b
SHA512 dd7ecf7463a6d7f54868d290b5fa2e97afc4c20d9c94b3e08b03307dd6af4e39ed61e6d07299e636238f186b2f32e568220442d3a899c6aa1a54d237059f6f59