Malware Analysis Report

2024-09-09 16:29

Sample ID: 240609-cm5m3aca7x
Target: e4d7484b888deceefeb17ee346821a0c9d3112dffd5ad57c71f4df7d304580b8
SHA256: e4d7484b888deceefeb17ee346821a0c9d3112dffd5ad57c71f4df7d304580b8
Tags: discovery persistence collection credential_access impact
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: e4d7484b888deceefeb17ee346821a0c9d3112dffd5ad57c71f4df7d304580b8

Threat Level: Shows suspicious behavior

The file e4d7484b888deceefeb17ee346821a0c9d3112dffd5ad57c71f4df7d304580b8 was classified as: shows suspicious behavior.

Malicious Activity Summary

Tags: discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-09 02:12

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-09 02:12
Reported: 2024-06-09 02:15
Platform: android-x86-arm-20240603-en
Max time kernel: 18s
Max time network: 131s

Command Line

pl.spyone.agent2

Signatures

Queries the mobile country code (MCC)

Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

pl.spyone.agent2

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

/data/data/pl.spyone.agent2/databases/database.db-journal

/data/data/pl.spyone.agent2/databases/database.db

/data/data/pl.spyone.agent2/databases/database.db-shm

/data/data/pl.spyone.agent2/databases/database.db-wal


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-09 02:12
Reported: 2024-06-09 02:15
Platform: android-x64-20240603-en
Max time kernel: 20s
Max time network: 131s

Command Line

pl.spyone.agent2

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

pl.spyone.agent2

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.200.34:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/data/data/pl.spyone.agent2/databases/database.db-journal

/data/data/pl.spyone.agent2/databases/database.db

/data/data/pl.spyone.agent2/databases/database.db-journal

/data/data/pl.spyone.agent2/databases/database.db-journal


Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-09 02:12
Reported: 2024-06-09 02:15
Platform: android-x64-arm64-20240603-en
Max time kernel: 20s
Max time network: 132s

Command Line

pl.spyone.agent2

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

pl.spyone.agent2

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
GB | 142.250.200.42:443 | | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp

Files

/data/user/0/pl.spyone.agent2/databases/database.db-journal

/data/user/0/pl.spyone.agent2/databases/database.db

/data/user/0/pl.spyone.agent2/databases/database.db-journal

/data/user/0/pl.spyone.agent2/databases/database.db-journal
