Malware Analysis Report

2024-09-09 19:06

Sample ID: 240617-l75m8szfjr
Target: client.apk
SHA256: 84592974fec5ac1c1f28f516700ac0ea5065a602389c44b2015b69e1af6a7579
Tags: spynote banker discovery evasion impact persistence privilege_escalation
Score: 10/10


Analysis Overview

Threat Level: Known bad

The file client.apk was found to be: Known bad.

Malicious Activity Summary

Spynote payload

Spynote family

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's foreground persistence service

Requests enabling of the accessibility settings.

Tries to add a device administrator.

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-17 10:11

Signatures

Spynote family
Tags: spynote

Spynote payload
(no indicator recorded: Description, Indicator, Process and Target are all N/A)

Declares broadcast receivers with permission to handle system events
Indicators (Process and Target: N/A for all rows):
android.permission.BIND_DEVICE_ADMIN: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system
Indicators (Process and Target: N/A for all rows):
android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions
Indicators (Process and Target: N/A for all rows):
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.WRITE_CALL_LOG: Allows an application to write and read the user's call log data.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.RECORD_AUDIO: Allows an application to record audio.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.READ_CALL_LOG: Allows an application to read the user's call log.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.PROCESS_OUTGOING_CALLS: Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 10:11
Reported: 2024-06-17 10:12
Platform: android-x86-arm-20240611.1-en
Max time kernel: 57s
Max time network: 42s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Makes use of the framework's foreground persistence service
Tags: evasion persistence
Indicator (Process and Target: N/A):
Framework service call: android.app.IActivityManager.setServiceForeground

Requests enabling of the accessibility settings.
Indicator (Process and Target: N/A):
Intent action: android.settings.ACCESSIBILITY_SETTINGS

Tries to add a device administrator.
Tags: privilege_escalation impact
Indicator (Process and Target: N/A):
Intent action: android.app.action.ADD_DEVICE_ADMIN

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Indicator (Process and Target: N/A):
Framework service call: android.app.IActivityManager.registerReceiver

Processes

cmf0.c3b5bm90zq.patch

Network

Country  Destination             Domain                   Proto
GB       142.250.180.14:443      (none)                   tcp
N/A      224.0.0.251:5353        (none)                   udp
GB       142.250.187.206:443     (none)                   tcp
US       1.1.1.1:53              android.apis.google.com  udp
GB       142.250.187.206:443     android.apis.google.com  tcp

Files

/storage/emulated/0/Internet/config17-06-2024.log

MD5 0eb56bc064b9aa7dceda08848e65257b
SHA1 aeb751fca41216417ed215d8db8a4df049ab3d51
SHA256 31404da0f14599ee4d9d9e7888914b39ae4eb036568156e9392e6c03093be601
SHA512 24747814723a19967297097db8773231e4adb23d31f2f75fdcbb7f3b078a336916ef442bda19f91400928912d99a93debac0aca3b9943743c03dc35e1db5f1de

/storage/emulated/0/Internet/config17-06-2024.log

MD5 f607e467dd1cb57c4c6fcefa719c80ea
SHA1 3bc0a66cbf842078874341a1228b6d04aa50dc75
SHA256 7b5f4d3695a0e25628f9c1671c5b402ee2ec939f220cb0a8773544cf51621041
SHA512 53b9c4cafeab6752fa71bf45f5079e97aab6369cb4319f53933d4f7726bbb7a1c54a1c1bbf758533fca4f3494b180bf8471485238121f8e052f9169763c720e1

/storage/emulated/0/Internet/config17-06-2024.log

MD5 00dd6a2f353ebdbdd5d79f0c47e63f56
SHA1 a854b9512c01a44b54d7e45e95886d2ed3a597bb
SHA256 2e8d740875b96b8651ea4084ca8b8c9960a47e39e2391f0a1f7ae5f4ca5e5be3
SHA512 955b89892b243f01a524862bda34262d08957a64b62f09e199ad3d2a9ec1493862bef1ef781b8ddbbbb2903a00bc194ac425b579b8679e8cdd6b218cadaa70a7