Malware Analysis Report

2024-09-09 13:34

Sample ID 240615-r4z68syamj
Target Standoff123.apk
SHA256 7af7345e3aaefd36eebd58b9db18b480f61dc50ce15ecdaad9f9895fa266e1a2
Tags
spynote banker discovery evasion impact persistence privilege_escalation stealth trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file Standoff123.apk was found to be: Known bad.

Malicious Activity Summary

spynote banker discovery evasion impact persistence privilege_escalation stealth trojan

Spynote family

Spynote payload

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Declares services with permission to bind to the system

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Requests enabling of the accessibility settings.

Declares broadcast receivers with permission to handle system events

Tries to add a device administrator.

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 14:45

Signatures

Spynote family

spynote

Spynote payload


Declares broadcast receivers with permission to handle system events

android.permission.BIND_DEVICE_ADMIN - Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

android.permission.BIND_ACCESSIBILITY_SERVICE - Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions

android.permission.CAMERA - Required to be able to access the camera device.
android.permission.READ_EXTERNAL_STORAGE - Allows an application to read from external storage.
android.permission.WRITE_CALL_LOG - Allows an application to write and read the user's call log data.
android.permission.SYSTEM_ALERT_WINDOW - Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.WRITE_EXTERNAL_STORAGE - Allows an application to write to external storage.
android.permission.GET_ACCOUNTS - Allows access to the list of accounts in the Accounts Service.
android.permission.WRITE_CONTACTS - Allows an application to write the user's contacts data.
android.permission.READ_CONTACTS - Allows an application to read the user's contacts data.
android.permission.RECORD_AUDIO - Allows an application to record audio.
android.permission.READ_SMS - Allows an application to read SMS messages.
android.permission.READ_CALL_LOG - Allows an application to read the user's call log.
android.permission.READ_PHONE_STATE - Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CALL_PHONE - Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.ACCESS_COARSE_LOCATION - Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION - Allows an app to access precise location.
android.permission.RECEIVE_SMS - Allows an application to receive SMS messages.
android.permission.PROCESS_OUTGOING_CALLS - Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 14:45

Reported

2024-06-15 14:48

Platform

android-x64-20240611.1-en

Max time kernel

8s

Max time network

185s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Processes

cmf0.c3b5bm90zq.patch

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 14:45

Reported

2024-06-15 14:48

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

132s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence

android.app.IActivityManager.setServiceForeground - framework service call

Requests enabling of the accessibility settings.

android.settings.ACCESSIBILITY_SETTINGS - intent action

Tries to add a device administrator.

privilege_escalation impact

android.app.action.ADD_DEVICE_ADMIN - intent action

Processes

cmf0.c3b5bm90zq.patch

Network

Files

/storage/emulated/0/AxelBolt.net/config15-06-2024.log

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 14:45

Reported

2024-06-15 14:48

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

174s

Max time network

133s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence

android.app.IActivityManager.setServiceForeground - framework service call

Requests enabling of the accessibility settings.

android.settings.ACCESSIBILITY_SETTINGS - intent action

Tries to add a device administrator.

privilege_escalation impact

android.app.action.ADD_DEVICE_ADMIN - intent action

Processes

cmf0.c3b5bm90zq.patch

Network

Files

/storage/emulated/0/AxelBolt.net/config15-06-2024.log

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-15 14:45

Reported

2024-06-15 14:48

Platform

android-x86-arm-20240611.1-en

Max time kernel

178s

Max time network

182s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence

android.app.IActivityManager.setServiceForeground - framework service call

Requests enabling of the accessibility settings.

android.settings.ACCESSIBILITY_SETTINGS - intent action

Tries to add a device administrator.

privilege_escalation impact

android.app.action.ADD_DEVICE_ADMIN - intent action

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

android.app.IActivityManager.registerReceiver - framework service call

Processes

cmf0.c3b5bm90zq.patch

Network

Files

/storage/emulated/0/AxelBolt.net/config15-06-2024.log