Malware Analysis Report

2024-09-09 13:32

Sample ID 240615-r764ysvakg
Target Standoff123.apk
SHA256 7af7345e3aaefd36eebd58b9db18b480f61dc50ce15ecdaad9f9895fa266e1a2
Tags spynote banker discovery evasion persistence stealth trojan impact privilege_escalation
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

7af7345e3aaefd36eebd58b9db18b480f61dc50ce15ecdaad9f9895fa266e1a2

Threat Level: Known bad

The file Standoff123.apk was found to be: Known bad.

Malicious Activity Summary

spynote banker discovery evasion persistence stealth trojan impact privilege_escalation

Spynote payload

Spynote family

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Requests enabling of the accessibility settings.

Tries to add a device administrator.

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 14:51

Signatures

Spynote family

spynote

Spynote payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 14:51

Reported

2024-06-15 14:54

Platform

android-x64-20240611.1-en

Max time kernel

178s

Max time network

149s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

cmf0.c3b5bm90zq.patch

Network

Country  Destination            Domain                              Proto
N/A      224.0.0.251:5353       N/A                                 udp
GB       142.250.179.234:443    N/A                                 tcp
US       1.1.1.1:53             ssl.google-analytics.com            udp
GB       142.250.178.8:443      ssl.google-analytics.com            tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       142.250.178.14:443     android.apis.google.com             tcp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp
GB       216.58.212.234:443     semanticlocation-pa.googleapis.com  tcp
GB       142.250.179.234:443    semanticlocation-pa.googleapis.com  tcp
GB       142.250.200.14:443     N/A                                 tcp
GB       142.250.187.202:443    semanticlocation-pa.googleapis.com  tcp
GB       172.217.169.66:443     N/A                                 tcp
GB       216.58.201.100:443     N/A                                 tcp
GB       216.58.201.100:443     N/A                                 tcp
GB       216.58.204.78:443      N/A                                 tcp

Files

/storage/emulated/0/AxelBolt.net/config15-06-2024.log

MD5 8e8b967fb0331044fb2ad50d32be4b07
SHA1 6ab0ee7181c0ef14eabe32ee3ab054fa0dace109
SHA256 26662578cc15746f28292c8f6f4c0084e817d762523ebc772b92bd17e8d4a8ba
SHA512 c2578a05cbe7a9fd64b414a528174a68716fe449ac4846e6101af6ee95b782009d4643f0c08c3f87248e9462bfc3a28464f5f529d5d6aa8c61c7fbdb78937623

/storage/emulated/0/AxelBolt.net/config15-06-2024.log

MD5 e1c626d0ed186c6c1a86ae46a20c877a
SHA1 1137b6dd50922c3098cd06650568803c2f91160b
SHA256 2cf5797456751260b97f0badb4002f7f57df37c5139c91791c438d995ac0442f
SHA512 c0c8ba814e76fadeec66b23aadbf9702460b505c0ee83570ca3496fba9c4811eb2b98f39c5cacffd1ed75a4bd172d945dbd5c9070d68cebe40c71a19c5fb9835

/storage/emulated/0/AxelBolt.net/config15-06-2024.log

MD5 7374d01b39aec39a461d7826cbed78f8
SHA1 78a11331ece950118b99f571dac8273b83af8312
SHA256 a8cc8d977b6def22e0828a6d0b9a6058c7d9336ed64ba6093c21ab3fbfc13d55
SHA512 4d019b7f903433f7546fd0803a772f97f70a7794fbfc980cf475e7250e33c312aabe53a59586f368e4ecef67a908d478bec88bc51435ddf4bfd34c03c046f85e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 14:51

Reported

2024-06-15 14:54

Platform

android-x64-arm64-20240611.1-en

Max time kernel

178s

Max time network

133s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Processes

cmf0.c3b5bm90zq.patch

Network

Country  Destination            Domain                     Proto
N/A      224.0.0.251:5353       N/A                        udp
GB       142.250.179.234:443    N/A                        tcp
GB       142.250.179.234:443    N/A                        tcp
GB       142.250.187.238:443    N/A                        tcp
US       1.1.1.1:53             android.apis.google.com    udp
GB       142.250.200.46:443     android.apis.google.com    tcp
US       1.1.1.1:53             ssl.google-analytics.com   udp
GB       216.58.212.200:443     ssl.google-analytics.com   tcp
GB       142.250.180.4:443      N/A                        tcp
GB       142.250.180.4:443      N/A                        tcp

Files

/storage/emulated/0/AxelBolt.net/config15-06-2024.log

MD5 cdd76e9adbcb74a0afe6ed861e62fd03
SHA1 ca4aaebb5aee89c9b59a396525a124868e6d8033
SHA256 625da35bc2b519dbfbdc1197e30bfb1e7125630f01b1bf7e5705be27ca38e43a
SHA512 412b2c737a5fff70cf5f693d4be9704db9e30c047b15fb68798c8400ba5472d2093bcdb15558b70be510d93132231fba7ff9a2da1454f29986620d04f459b429

/storage/emulated/0/AxelBolt.net/config15-06-2024.log

MD5 ea21e61c64e6543d63b56f3687e4b339
SHA1 d90e69f6eb412b60ff1c6326ad48c48bd313362b
SHA256 f84a54fe1ccc13df603ff66b0c7db274c737e3c1ae672fb698454023fd9b9526
SHA512 73bf01dc38930887084adfd2dfd0cad509321f203ac4f7f2cd225e3e488b37d30b3ce1c787c21e9e8e472b1d64f4145760f81710f180f4cfbd8f3dfafd5b0d53

/storage/emulated/0/AxelBolt.net/config15-06-2024.log

MD5 7374d01b39aec39a461d7826cbed78f8
SHA1 78a11331ece950118b99f571dac8273b83af8312
SHA256 a8cc8d977b6def22e0828a6d0b9a6058c7d9336ed64ba6093c21ab3fbfc13d55
SHA512 4d019b7f903433f7546fd0803a772f97f70a7794fbfc980cf475e7250e33c312aabe53a59586f368e4ecef67a908d478bec88bc51435ddf4bfd34c03c046f85e

/storage/emulated/0/AxelBolt.net/config15-06-2024.log

MD5 850aca27be844b4d8696b87348ac9c3a
SHA1 953cc43f80b25192e3bf440842c6e65c6c61af57
SHA256 3e219742ae0669b211b9ab7884318d336e86a1497fd70ff28ee7fa6440e96110
SHA512 5857a9b2838ffae229a9db373bbcf0670260716615965d199929a5ed56579fa66d214bd4bfe6eee8d0530f2eda5831d92f9127f3dae60af5a2a9b69796789140

/storage/emulated/0/AxelBolt.net/config15-06-2024.log

MD5 0aec55745d100df984222ae2526f7e9c
SHA1 3d49caf7be0a691914cf6f9070ecb9b7ca41a3a2
SHA256 4cd8426dc05976251291d9ca742f4fdd40617823c2e3808715d5c5ac95e6c63d
SHA512 c542d93e3f2c6822dc3f0cc54b5557f0ea226de8d52e4d522ec1b0c9efc798b11f4e5bdf217b918b2313a38d025ca14a76c289f0d71800a8324ab482912cfa6e

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 14:51

Reported

2024-06-15 14:54

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

133s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Processes

cmf0.c3b5bm90zq.patch

Network

Country  Destination            Domain  Proto
BE       142.250.110.188:5228   N/A     tcp
GB       172.217.16.228:443     N/A     tcp
N/A      224.0.0.251:5353       N/A     udp
GB       172.217.169.68:443     N/A     udp
GB       172.217.169.68:443     N/A     tcp
GB       216.58.212.234:443     N/A     udp
GB       216.58.212.234:443     N/A     tcp
US       172.64.41.3:443        N/A     tcp
US       172.64.41.3:443        N/A     tcp
GB       172.217.16.227:443     N/A     tcp
US       172.64.41.3:443        N/A     udp
GB       172.217.16.227:443     N/A     udp
GB       172.217.169.68:443     N/A     udp
GB       142.250.179.228:443    N/A     udp
GB       142.250.179.228:443    N/A     tcp
GB       142.250.179.228:443    N/A     tcp
GB       142.250.179.228:443    N/A     tcp
GB       216.58.212.227:443     N/A     tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-15 14:51

Reported

2024-06-15 14:54

Platform

android-x86-arm-20240611.1-en

Max time kernel

178s

Max time network

131s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

cmf0.c3b5bm90zq.patch

Network

Country  Destination            Domain                    Proto
GB       172.217.169.74:443     N/A                       tcp
N/A      224.0.0.251:5353       N/A                       udp
GB       142.250.187.238:443    N/A                       tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       216.58.212.206:443     android.apis.google.com   tcp
GB       172.217.169.74:443     N/A                       tcp
GB       172.217.169.74:443     N/A                       tcp

Files

N/A