Malware Analysis Report

2024-10-16 05:20

Sample ID: 240328-cpvkwada4t
Target: Whatsapp.apk
SHA256: 48568a0d1fc29a2132d9e7bcb13012f24818c0d3b20de3306f24b39d90984128
Tags: collection evasion persistence spynote
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 48568a0d1fc29a2132d9e7bcb13012f24818c0d3b20de3306f24b39d90984128

Threat Level: Known bad

The file Whatsapp.apk was found to be: Known bad.

Malicious Activity Summary

collection evasion persistence spynote

Spynote family

Makes use of the framework's Accessibility service

Makes use of the framework's foreground persistence service

Requests enabling of the accessibility settings.

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-28 02:15

Signatures

Spynote family

spynote

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). | android.permission.BIND_INPUT_METHOD | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-28 02:15
Reported: 2024-03-28 02:16
Platform: android-x86-arm-20240221-en
Max time kernel: 50s
Max time network: 38s

Command Line

com.whh.premium

Signatures

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.whh.premium

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-03-28.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-03-28.txt

MD5 5b48a95a458fe65140d9b812c65f7dbf
SHA1 643ba3fbf0df287f59f45dccaf99b1e159f9f1bf
SHA256 1abbb111df5c075f09e1f6edf406a120f6307ac1dbd9a1db12010da9dff78d02
SHA512 7fba5252e5227d08b835904173441a9ee0950e1c78b86cc18f7955136a01a9d7e089f4cffdf2d8a5225c20b37fd7c6679bd35b33b1d419bc8ee5465252a00be2

/storage/emulated/0/Config/sys/apps/log/log-2024-03-28.txt

MD5 c09c8e72cbbdf6f89d712f8b19cbc4ab
SHA1 d4c585c1006c958cc70b8c530631689d28f5b868
SHA256 a3bbe9a602b7c9cf56a93b0d2d66b790941edd8b6a84fda5a815e0a11ca802aa
SHA512 a56cf1787a068f5eb63efc336c0e08c0d691faabc189fc6cf4c6427ae18ffa8318ad4faeca3fafbf40003370e0bd1216058727df8bb5ed81d735635dbb9b1b27

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-28 02:15
Reported: 2024-03-28 02:18
Platform: android-x64-20240221-en
Max time kernel: 155s
Max time network: 154s

Command Line

com.whh.premium

Signatures

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.whh.premium

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 172.217.169.78:443 | | tcp
GB | 142.250.200.34:443 | | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-03-28.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-03-28.txt

MD5 5b48a95a458fe65140d9b812c65f7dbf
SHA1 643ba3fbf0df287f59f45dccaf99b1e159f9f1bf
SHA256 1abbb111df5c075f09e1f6edf406a120f6307ac1dbd9a1db12010da9dff78d02
SHA512 7fba5252e5227d08b835904173441a9ee0950e1c78b86cc18f7955136a01a9d7e089f4cffdf2d8a5225c20b37fd7c6679bd35b33b1d419bc8ee5465252a00be2

/storage/emulated/0/Config/sys/apps/log/log-2024-03-28.txt

MD5 caa0a764b1bb705c008c9f4b6fd6162d
SHA1 e1df56af8d6f9a6f0f69900bed185e9f32e8d5ee
SHA256 c1861745bc5a600e9f4b74c9edc3e02ddcea76e3d042dca29ac08d6117036e7f
SHA512 1680feb6a6a26bbc99c36a9b01c8fc1d90da7729baa5db9e504279d4d41a7ebca035d10b04d9e9a6b15d0e65404e2e03d02c806f65ff3aa9df89d764572bc779

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-28 02:15
Reported: 2024-03-28 02:18
Platform: android-x64-arm64-20240221-en
Max time kernel: 151s
Max time network: 134s

Command Line

com.whh.premium

Signatures

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.whh.premium

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | udp
GB | 142.250.200.14:443 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.4:443 | | tcp
GB | 142.250.200.4:443 | | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-03-28.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-03-28.txt

MD5 5a6faa62256a6b5ddb5cfbe06a2051bc
SHA1 ee3977a19155ca7b9046e1d33de8f7b4e81292c7
SHA256 3d0cc3726d24b36baae4787d7bbcac8b7ac62d27dc38b279cfe2e07b69074431
SHA512 88d251ffdad148c393a5a3b0581333a4c193f9ee770af1fea69127b30626caf46162635a3af139960d4748673c7cdc892b3ee3d18793cbbc2a182e33e48dc803

/storage/emulated/0/Config/sys/apps/log/log-2024-03-28.txt

MD5 5b48a95a458fe65140d9b812c65f7dbf
SHA1 643ba3fbf0df287f59f45dccaf99b1e159f9f1bf
SHA256 1abbb111df5c075f09e1f6edf406a120f6307ac1dbd9a1db12010da9dff78d02
SHA512 7fba5252e5227d08b835904173441a9ee0950e1c78b86cc18f7955136a01a9d7e089f4cffdf2d8a5225c20b37fd7c6679bd35b33b1d419bc8ee5465252a00be2