Malware Analysis Report

2024-10-16 05:21

Sample ID 240311-xf9nnaba9t
Target xxx.apk
SHA256 abd521ec0f2bd43ffc644d260d8c8ff57d9335adf9a667b4ebc00a597402fe35
Tags collection evasion spynote
Score 10/10


Analysis Overview

Score 10/10

SHA256 abd521ec0f2bd43ffc644d260d8c8ff57d9335adf9a667b4ebc00a597402fe35

Threat Level: Known bad

The file xxx.apk was found to be: Known bad.

Malicious Activity Summary

collection evasion spynote

Spynote family

Makes use of the framework's Accessibility service

Requests enabling of the accessibility settings.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-03-11 18:48

Signatures

Spynote family

spynote

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). | android.permission.BIND_INPUT_METHOD | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-11 18:48

Reported 2024-03-11 18:54

Platform android-x64-20240221-en

Max time kernel 308s

Max time network 311s

Command Line

com.whh.premium

Signatures

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.whh.premium

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | jijofi4973-34815.portmap.host | udp
DE | 193.161.193.99:34815 | jijofi4973-34815.portmap.host | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 216.58.212.228:443 | | tcp
GB | 216.58.212.228:443 | | tcp
GB | 172.217.169.66:443 | | tcp
GB | 172.217.169.14:443 | | tcp
GB | 216.58.212.195:443 | | tcp
GB | 216.58.212.195:443 | | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-03-11.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-03-11.txt

MD5 1c26ecab0d94f2a4b2dfc7bfda43eff0
SHA1 3c89a227f7d5f3b3db5824c4a707f4438bd74cea
SHA256 4b4e3e72c544d8cf6533031bef655dc6f71834c4ec473fa218144a4c0c6014fa
SHA512 513cf924f101091eeff27a8950a6913d557ff4d72696e89df869accc3dd1b5f64c9b519782222e412d04ed50388ee3bc4016cb92ce0809bee56234a3acb5a5d5

/storage/emulated/0/Config/sys/apps/log/log-2024-03-11.txt

MD5 7962924b10f8c7f077283d86c26a1b33
SHA1 8cfe59e55017cb51c01535eed265e251c611ac60
SHA256 b271c7118a78e7db19914c0c26d172776015a6e72ce9fa908da39948459ad2ea
SHA512 bc56fc78ce05c332affdbe75d514acaf34bf1f384ff9e7d0889b0de82feed05e74cc55224ddf0a97847b56179a561a4dc8caaea7e6952282f0724b3371e64aca

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-11 18:48

Reported 2024-03-11 18:54

Platform android-x64-arm64-20240221-en

Max time kernel 301s

Max time network 311s

Command Line

com.whh.premium

Signatures

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.whh.premium

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | udp
GB | 142.250.178.14:443 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | jijofi4973-34815.portmap.host | udp
DE | 193.161.193.99:34815 | jijofi4973-34815.portmap.host | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 216.58.204.67:443 | | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-03-11.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-03-11.txt

MD5 1c26ecab0d94f2a4b2dfc7bfda43eff0
SHA1 3c89a227f7d5f3b3db5824c4a707f4438bd74cea
SHA256 4b4e3e72c544d8cf6533031bef655dc6f71834c4ec473fa218144a4c0c6014fa
SHA512 513cf924f101091eeff27a8950a6913d557ff4d72696e89df869accc3dd1b5f64c9b519782222e412d04ed50388ee3bc4016cb92ce0809bee56234a3acb5a5d5

/storage/emulated/0/Config/sys/apps/log/log-2024-03-11.txt

MD5 cc174b383802cd2ef348facbe7ff6cfe
SHA1 1ec43151d80eec7706e49c525d7f5acbba5a3931
SHA256 b62bbe71f455993330bf93bd0a20ade083c5f96bf3a932a145665f4fdf115c3f
SHA512 24e7b563646ad5d9c4f1f1f4cedf290486a2c5fd00b5df2065df3b8f18cefee84c7fba43499e59bb46c8e448ad53d47598fb12217af5b27886582a4152c473dc