Malware Analysis Report

2025-01-19 06:59

Sample ID: 240523-clafjaaa2x
Target: e4d7484b888deceefeb17ee346821a0c9d3112dffd5ad57c71f4df7d304580b8
SHA256: e4d7484b888deceefeb17ee346821a0c9d3112dffd5ad57c71f4df7d304580b8
Tags: discovery evasion persistence collection credential_access impact
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: e4d7484b888deceefeb17ee346821a0c9d3112dffd5ad57c71f4df7d304580b8

Threat Level: Shows suspicious behavior

Verdict: the file e4d7484b888deceefeb17ee346821a0c9d3112dffd5ad57c71f4df7d304580b8 is an Android application (package pl.spyone.agent2, the only process seen in all three behavioral runs) that declares a surveillance-grade permission set (precise and coarse location, reading and sending SMS, call log, contacts, phone state, audio recording, external storage) and at runtime reads /proc/cpuinfo and /proc/meminfo, queries the network country, registers a broadcast receiver and installs a clipboard-change listener. Signature coverage differs between runs (the clipboard listener fired only in behavioral2 and behavioral3; the country query and receiver registration only in behavioral1 and behavioral2), so the union of the three runs is the safer summary. No destination other than Google-attributed infrastructure, the sandbox resolver (1.1.1.1) and local mDNS was contacted in any run, so no command-and-control endpoint was observed within the 131 to 137 second network windows.

Malicious Activity Summary

Tactics: discovery, evasion, persistence, collection, credential_access, impact

Checks CPU information

Checks memory information

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Reported: 2024-05-23 02:09

Signatures

Requests dangerous framework permissions

Indicator | Description | Process | Target
android.permission.ACCESS_FINE_LOCATION | Allows an app to access precise location. | N/A | N/A
android.permission.ACCESS_COARSE_LOCATION | Allows an app to access approximate location. | N/A | N/A
android.permission.READ_SMS | Allows an application to read SMS messages. | N/A | N/A
android.permission.SEND_SMS | Allows an application to send SMS messages. | N/A | N/A
android.permission.READ_CALL_LOG | Allows an application to read the user's call log. | N/A | N/A
android.permission.READ_CONTACTS | Allows an application to read the user's contacts data. | N/A | N/A
android.permission.READ_PHONE_STATE | Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | N/A | N/A
android.permission.RECORD_AUDIO | Allows an application to record audio. | N/A | N/A
android.permission.WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage. | N/A | N/A
android.permission.READ_EXTERNAL_STORAGE | Allows an application to read from external storage. | N/A | N/A

Process and Target are N/A throughout because this is a static check of the manifest. Taken together these permissions allow location tracking, reading and sending SMS, call-log and contact exfiltration, audio capture and phone-identity collection, which is the permission footprint of surveillance tooling rather than of any single-purpose app. The signatures in the behavioral runs record what the app did during a short unattended session; none of them show SMS, call-log or audio access, which is the usual gap between a declared permission and observed use in a sandbox.
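The permission table is the raw input for the first triage question: does the declared set add up to a surveillance profile? The Python below is an added example for this page, not sandbox code, that parses a decoded AndroidManifest.xml (the form apktool produces) and clusters the dangerous permissions by capability. The embedded manifest is constructed from the static1 table; android.permission.INTERNET is a hypothetical normal-level entry added only so the dangerous filter has something to drop, and the "three or more surveillance capabilities" threshold is an analyst choice, not a sandbox rule.

```python
"""Cluster the dangerous permissions declared in a decoded AndroidManifest.xml.

Added example for this report, not sandbox code. CONSTRUCTED_MANIFEST is built
from the static1 permission table; android.permission.INTERNET is a hypothetical
normal-level entry added only so the dangerous filter has work to do.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Dangerous-protection-level permissions, grouped by the capability they unlock.
CAPABILITY_GROUPS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "phone": {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
}
DANGEROUS = set().union(*CAPABILITY_GROUPS.values())

# Capabilities whose co-occurrence characterises surveillance tooling; three or
# more together is the flag threshold used in profile() (analyst choice).
SURVEILLANCE = {"location", "sms", "call_log", "contacts", "microphone", "camera"}

# Constructed from the static1 table of this report; INTERNET is hypothetical.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="pl.spyone.agent2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="agent"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Names from <uses-permission> and <uses-permission-sdk-23>. The android:
    prefix on the name attribute must be resolved to its namespace URI, or
    .get("android:name") silently returns None."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    perms = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(name_attr)
            if name and name not in perms:
                perms.append(name)
    return perms


def profile(manifest_xml):
    """Dangerous permissions, capability clusters and a surveillance-profile verdict."""
    root = ET.fromstring(manifest_xml)
    perms = set(declared_permissions(manifest_xml))
    caps = {cap for cap, members in CAPABILITY_GROUPS.items() if members & perms}
    hits = caps & SURVEILLANCE
    return {
        "package": root.get("package"),
        "declared": len(perms),
        "dangerous": sorted(perms & DANGEROUS),
        "capabilities": sorted(caps),
        "surveillance_capabilities": sorted(hits),
        "surveillance_profile": len(hits) >= 3,
    }


if __name__ == "__main__":
    print(profile(CONSTRUCTED_MANIFEST))
```

For a real sample, decode the APK with apktool and pass the contents of AndroidManifest.xml to profile(); the sandbox table already answers the question for this one sample, and the value of the script is applying the same threshold to a batch.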

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-23 02:09
Reported: 2024-05-23 02:12
Platform: android-x86-arm-20240514-en
Max time kernel: 18s
Max time network: 131s

Command Line

pl.spyone.agent2 (for an APK detonation this field holds the launched package name rather than a shell command line)

Signatures

Checks CPU information
evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information
evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Reading /proc/cpuinfo and /proc/meminfo is a standard emulator and sandbox fingerprinting step (CPU model strings, core counts and RAM sizes differ between an emulator image and a phone), which is why the sandbox tags it as evasion as well as discovery. Many legitimate libraries read the same files, so on its own this is a weak indicator; it matters here only in combination with the rest of the profile.

Queries the mobile country code (MCC)
discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

The call named in the indicator returns the ISO 3166 country code of the current network operator, which is derived from the MCC; the sandbox labels it an MCC query on that basis. Gating behaviour on the victim's country is a common reason for malware to make this call, but the report records only that it was made, not what was done with the answer.

Registers a broadcast receiver at runtime (usually for listening for system events)
persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

A receiver registered through registerReceiver lives only as long as the registering process and, unlike a receiver declared in the manifest, does not survive a process kill or reboot, so the persistence label is weak. What the call does show is that the app subscribes to system broadcasts while running; the sandbox does not record which intent filters it asked for.

Processes

pl.spyone.agent2

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.200.3:443 | - | tcp
GB | 142.250.180.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.251.39.110:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | - | tcp
GB | 216.58.212.202:443 | - | tcp

Every destination is either local mDNS (224.0.0.251:5353), the sandbox resolver (1.1.1.1:53) or Google infrastructure: android.apis.google.com is a Google Play services endpoint, and the remaining TCP/443 peers with no recorded domain (142.250.x.x, 216.58.x.x) sit in Google-announced address ranges. No endpoint attributable to the sample's operator was contacted in this run.

Files

The only files written are the app's own SQLite database and its sidecars: database.db-journal (rollback journal), database.db-wal (write-ahead log) and database.db-shm (WAL index). Seeing both a journal and a WAL is consistent with the database being created in rollback-journal mode and then switched to WAL, the usual sequence on Android. When collecting this database from a device, copy the -wal file together with database.db: committed rows that have not yet been checkpointed exist only in the WAL, and opening a copy of database.db alone silently returns the older state. The sandbox does not show the schema or contents.

/data/data/pl.spyone.agent2/databases/database.db-journal

MD5 5741ed1000c2bfe47e8e6b24ad76b0e9
SHA1 c6387d50cac7004e314c7bd9150f9a17b6cf39f9
SHA256 4b6c9cfc489aa5ce9cfb9363eb2f8192f8ea09babf35851de463c37003c95e03
SHA512 43b1fb082308e2857344f71b09c5615336e6388a5bbc979dffbaa06a2741e35fc198faa372540f7ebb64602d11552690b8bac704fd1f9e92793288ec1b0cbf8a

/data/data/pl.spyone.agent2/databases/database.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/pl.spyone.agent2/databases/database.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/pl.spyone.agent2/databases/database.db-wal

MD5 4e260a793a2605145f432b32707d66e0
SHA1 3333998e465934d39af3a91e0f6dce50c02f839a
SHA256 4e61507814e9edb134fa0a0052026e2aa925d1656012b006830c40a3ff73d410
SHA512 f4f10f4126aa70588333a4f95a676e0d1406afa23e0e9ea82ffe4d12cdd44788d0e01dd5eabece3b758798564d26e902201837a63d172d0f69388870d1a1a884

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-23 02:09
Reported: 2024-05-23 02:12
Platform: android-x64-20240514-en
Max time kernel: 49s
Max time network: 137s

Command Line

pl.spyone.agent2

Signatures

Checks CPU information
evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information
evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard
collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

addPrimaryClipChangedListener registers a callback that fires on every clipboard change, which lets the app harvest whatever the user copies (passwords pasted from a manager, one-time codes, account numbers); that is the basis for the collection and credential_access tags. On Android 10 and later the clipboard is readable only by the app with input focus or the default input method, so the technique is far less effective in the background on current devices. This signature did not fire in behavioral1 (android-x86-arm), so coverage depends on the run.

Queries the mobile country code (MCC)
discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

pl.spyone.agent2

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
NL | 142.250.179.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 172.217.168.238:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | - | tcp
GB | 216.58.213.14:443 | - | tcp
GB | 142.250.200.2:443 | - | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
NL | 142.250.179.174:443 | www.youtube.com | udp
NL | 142.250.179.174:443 | www.youtube.com | tcp
GB | 172.217.16.228:443 | - | tcp
GB | 172.217.16.228:443 | - | tcp
GB | 172.217.169.42:443 | - | tcp
GB | 172.217.169.42:443 | - | tcp

This run adds Google Analytics and YouTube lookups to the Play services traffic seen in behavioral1; www.youtube.com is reached over UDP 443 (QUIC) as well as TCP 443. Repeated rows are separate connections to the same peer. Again, nothing outside Google-attributed infrastructure was contacted.

Files

The same path, database.db-journal, is listed three times with different hashes because each entry is a separately captured version of the file; a rollback journal is rewritten on every write transaction, so this is expected churn rather than three distinct files.

/data/data/pl.spyone.agent2/databases/database.db-journal

MD5 c6c3e8db82a35ec86021e71953bd875b
SHA1 e81d87b6c650c64212438e75ad33df52a6e0c964
SHA256 fd39e282a985afd66fe9b3c9639025425a765f24b13ed294c3754c4ad2364f93
SHA512 744abf766200132263283bf4d0c18350a3d08cc104c0e9a0fae34c798a4366123c0c0f7f5452e834bea9868f7853bfdf487ff805119e516332046ead26715280

/data/data/pl.spyone.agent2/databases/database.db

MD5 dd46d6cae176055d8617ceb3d40f1d96
SHA1 b7a971b5f755f7fd5f9041bb1a0ffb1a74d9dd57
SHA256 c4d2fc19a3c54c2d2cadde804546ce6f62f960865b829ea240026e1ea2706e96
SHA512 54d353f7e746aa3935848cc2f694cd6cfbd1c59b6f56e276b76fad0f0a4c8ea09cd4835be8a8ccd615a7714d3e212a091d93a2b3b835f4ea767c8ba5950a5516

/data/data/pl.spyone.agent2/databases/database.db-journal

MD5 d774750071ad5abba30bf0e297603f16
SHA1 935341e8ce38f8c050e5b5a26ad3a5aab2e157b4
SHA256 f40ecbcb8a460f244a6c9b88337b8d5a04349d2a1d1e87a58981b104ce1794e9
SHA512 f7962917d491256b962e53844dcca534775a89864385b732a7c40e4f5c6c3488939caf3de2ca1c6737af126c426da14f82e0797d787939fb258ccbab8bf1e0b1

/data/data/pl.spyone.agent2/databases/database.db-journal

MD5 82a8ea85d8b3fadfa10ed6883b6f16bf
SHA1 472690334a9a0c3412675e449cc0b11492bd2a53
SHA256 3bc33531a8dde370bbc2d246229df0806140b86f70bb0036fd03c55433ede381
SHA512 e42aa45ad7ba007060f186d48aee7981818925974f08cb24d8a4b1bc4c18d905a30044efd7ffcaa280d3fba31f74f0b5c2a5f923ad58a845192da23617ec9c99

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-23 02:09
Reported: 2024-05-23 02:12
Platform: android-x64-arm64-20240514-en
Max time kernel: 95s
Max time network: 132s

Command Line

pl.spyone.agent2

Signatures

Checks CPU information
evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information
evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard
collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Processes

pl.spyone.agent2

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.178.14:443 | - | tcp
GB | 142.250.178.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.251.36.46:443 | android.apis.google.com | tcp
GB | 142.250.178.10:443 | - | tcp
GB | 142.250.178.10:443 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
NL | 142.251.36.40:443 | ssl.google-analytics.com | tcp
GB | 216.58.201.100:443 | - | tcp
GB | 216.58.201.100:443 | - | tcp
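The three Network tables above all raise the same question: which rows are platform noise and which deserve follow-up? The script below is an added example for this page, not sandbox output, that parses rows in the report's "Country Destination [Domain] Proto" layout and buckets them into mDNS, sandbox DNS, platform domains, external domains (the command-and-control candidates) and peers with no DNS answer to explain them. SAMPLE_TABLE is the behavioral2 table re-typed as constructed input; the PLATFORM_SUFFIXES allowlist and the choice of 1.1.1.1 as the sandbox resolver are analyst assumptions drawn from this report.

```python
"""Separate platform noise from command-and-control candidates in a sandbox network table.

Added example for this report, not sandbox code. SAMPLE_TABLE is the behavioral2
network table of this report re-typed as constructed input; PLATFORM_SUFFIXES is
an analyst assumption about which domains count as OS/vendor telemetry.
"""
import ipaddress

PLATFORM_SUFFIXES = ("google.com", "google-analytics.com", "youtube.com")  # assumption
SANDBOX_RESOLVER = "1.1.1.1"   # resolver used for all port-53 traffic in this report

# Constructed input: the behavioral2 Network table of this report, one row per line.
SAMPLE_TABLE = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.250.179.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 172.217.168.238:443 android.apis.google.com tcp
GB 142.250.200.46:443 tcp
GB 216.58.213.14:443 tcp
GB 142.250.200.2:443 tcp
US 1.1.1.1:53 www.youtube.com udp
NL 142.250.179.174:443 www.youtube.com udp
NL 142.250.179.174:443 www.youtube.com tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
GB 172.217.169.42:443 tcp
GB 172.217.169.42:443 tcp
"""


def parse_rows(table):
    """Parse 'Country Destination [Domain] Proto' rows; the Domain column is optional."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError("unexpected row: %r" % line)
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ipaddress.ip_address(ip),
                     "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_platform(domain):
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)


def classify(row):
    ip, port, domain = row["ip"], row["port"], row["domain"]
    if ip.is_multicast:
        return "mdns" if port == 5353 else "multicast"
    if str(ip) == SANDBOX_RESOLVER and port == 53:
        return "dns"
    if domain is None:
        return "unattributed"   # no DNS answer in the table explains this peer
    return "platform" if is_platform(domain) else "external"


def triage(table):
    rows = parse_rows(table)
    buckets = {}
    for r in rows:
        buckets.setdefault(classify(r), []).append(r)
    endpoint = lambda r: "%s:%d" % (r["ip"], r["port"])
    return {
        "rows": len(rows),
        "resolved": sorted({r["domain"] for r in buckets.get("dns", [])}),
        # Non-platform domains the sample resolved: the C2 candidates.
        "external_domains": sorted({r["domain"] for r in buckets.get("external", [])}),
        # Peers reached without any DNS answer in the table to explain them.
        "unattributed_endpoints": sorted({endpoint(r) for r in buckets.get("unattributed", [])}),
        # UDP 443 is QUIC; worth knowing because it will not appear in a TCP-only capture.
        "quic_endpoints": sorted({endpoint(r) for r in rows
                                  if r["proto"] == "udp" and r["port"] == 443}),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_TABLE))
```

The unattributed endpoints are what to chase next. In a full pcap the TLS ClientHello SNI normally attributes them; this report gives only the geo tag, which for all five is GB on Google-announced address space, so they are most likely the same Play services and analytics traffic seen under a name elsewhere in the table.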

Files

This run reports the database under /data/user/0/pl.spyone.agent2 rather than /data/data/pl.spyone.agent2; on current Android /data/data is a symlink to /data/user/0, so these are the same app-private directory as in the earlier runs, not a second location.

/data/user/0/pl.spyone.agent2/databases/database.db-journal

MD5 7dc10aab01eccca1d26ff0ff900f3820
SHA1 6ced820992774652c5048584c274322c4e039e52
SHA256 d2707ed0a6e99af95623e5cdf79342bc05100027cc42fb371ed7402c8a30b2c4
SHA512 3f2164e710e45ef48de4097a3029b1d204271c1bb98f9bc0ff2120c8bf23f347466611caf087404a8a17122c5db73b5d5f17398f1d6f0d4408768633fe95043f

/data/user/0/pl.spyone.agent2/databases/database.db

MD5 0379f2b646309bcd59a19760005dd257
SHA1 9185b00c3401321841b1c7edd10624a13c2dd47f
SHA256 62c0d663334435c7b56f7ef5ee45ef1e1476f9ef39ea6667dd48962eadb0216f
SHA512 387a118af4cd9315a8e5323b7a2b78e5214b0556448cdf6a68335ecda5615dfd0c1ca0313d8b355e8489980635319d90f2b7b25889b1e556c11b7657bc184fe8

/data/user/0/pl.spyone.agent2/databases/database.db-journal

MD5 70ad3cee0bb6e0f810dcb442beed1fc2
SHA1 39d59325d56bfc681be8ee032e4789f7c3291220
SHA256 1ca1feb4bf74bae99920e3d084038ddf42080788760c99bd82269415f68159ee
SHA512 f2dc46eff1221ec75b07d4d77a7b94db6fc8e2829051d8d9abd71cdbb83af4fdbefac56021112fbbc601e33e980c4ffbe42e51fe38cb11cfe057cdc13c1d52e8

/data/user/0/pl.spyone.agent2/databases/database.db-journal

MD5 23846ba76e82b15369714e90e05537eb
SHA1 f403c9cbdc3a11a6043a2f98b5cf5f76ed2bb0b8
SHA256 89bd7a1c9b60f9b13214a34eac35cc80682adf315598d6443b605f3e2106437d
SHA512 f69c1c71bf36b85aa6cf3c437bd1c95773dc049d20d0e2bde2504a546444e6489a5c79d1a897a73f13655991e05134540e7941bd5a93b128f77c1a996fcdf881
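The Files sections of all three runs list the same artifact set: database.db with -journal, and in behavioral1 also -wal and -shm. The script below is an added example for this page, not sandbox code, showing the acquisition mistake those sidecars invite. It builds a constructed WAL-mode SQLite database standing in for /data/data/pl.spyone.agent2/databases/database.db (the table name clip and its rows are invented), copies it once without and once with its sidecars, and counts rows in each copy; the copy without the WAL returns only the rows that had been checkpointed into the main file. Hashing uses SHA-256 because that is what the report lists for each file.

```python
"""Acquire and read a dropped SQLite database together with its WAL sidecar.

Added example for this report, not sandbox code. It builds a constructed
WAL-mode database standing in for /data/data/pl.spyone.agent2/databases/database.db
and shows why database.db on its own gives a stale view of the data.
"""
import hashlib
import os
import shutil
import sqlite3
import tempfile

SIDECAR_SUFFIXES = ("", "-journal", "-wal", "-shm")   # the four names seen in this report


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def artifacts(db_path):
    """Every SQLite file belonging to db_path that currently exists on disk."""
    return [db_path + s for s in SIDECAR_SUFFIXES if os.path.exists(db_path + s)]


def build_sample(app_dir):
    """Constructed stand-in for the app's database: two rows checkpointed into
    database.db, three newer committed rows that exist only in database.db-wal.
    The connection is returned open so SQLite does not checkpoint on close."""
    os.makedirs(app_dir, exist_ok=True)
    db = os.path.join(app_dir, "database.db")
    con = sqlite3.connect(db)
    mode = con.execute("PRAGMA journal_mode=WAL").fetchone()[0]
    if mode != "wal":
        raise RuntimeError("filesystem does not support WAL mode: %s" % mode)
    con.execute("PRAGMA wal_autocheckpoint=0").fetchone()   # never fold the WAL back automatically
    con.execute("CREATE TABLE clip(id INTEGER PRIMARY KEY, text TEXT)")
    con.executemany("INSERT INTO clip(text) VALUES (?)", [("old-1",), ("old-2",)])
    con.commit()
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchone()   # database.db now holds 2 rows
    con.executemany("INSERT INTO clip(text) VALUES (?)", [("new-1",), ("new-2",), ("new-3",)])
    con.commit()                                                # committed, but only in the WAL
    return con, db


def acquire(src_db, dst_dir, with_sidecars):
    """Copy database.db, optionally with every sidecar, into dst_dir; return the copy's path."""
    os.makedirs(dst_dir, exist_ok=True)
    for path in (artifacts(src_db) if with_sidecars else [src_db]):
        shutil.copy2(path, os.path.join(dst_dir, os.path.basename(path)))
    return os.path.join(dst_dir, os.path.basename(src_db))


def row_count(db_path, table="clip"):
    """Count rows in a copy; SQLite replays db_path-wal automatically if it is present."""
    if not table.isidentifier():
        raise ValueError("bad table name")
    con = sqlite3.connect(db_path)
    try:
        return con.execute("SELECT COUNT(*) FROM %s" % table).fetchone()[0]
    finally:
        con.close()


def demo():
    with tempfile.TemporaryDirectory() as work:
        live, src = build_sample(os.path.join(work, "databases"))
        try:
            found = artifacts(src)
            db_only = acquire(src, os.path.join(work, "copy-db-only"), with_sidecars=False)
            full = acquire(src, os.path.join(work, "copy-full"), with_sidecars=True)
            return {
                "artifacts": [os.path.basename(p) for p in found],
                "hashes": {os.path.basename(p): sha256_file(p) for p in found},
                "rows_db_only": row_count(db_only),
                "rows_with_wal": row_count(full),
            }
        finally:
            live.close()


if __name__ == "__main__":
    print(demo())
```

Two habits follow from this. Always pull the whole artifact set (database.db, -journal, -wal, -shm) off the device in one pass, and always open a copy: the moment sqlite3 closes the last connection to a WAL database it checkpoints the WAL into the main file and deletes it, which changes the hashes you would otherwise report, as this report does, per file.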