Malware Analysis Report

2024-09-09 17:58

Sample ID: 240617-pldt6szhle
Target: Kavach.apk
SHA256: d7d7472ae765c96d33ec8e6251cddd59d3f93bd8d9be96f7311726e842337e61
Tags: spynote, banker, discovery, evasion, impact, persistence, privilege_escalation
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: d7d7472ae765c96d33ec8e6251cddd59d3f93bd8d9be96f7311726e842337e61

Threat level: Known bad. The file Kavach.apk was classified as known bad.

Malicious Activity Summary

Tags: spynote, banker, discovery, evasion, impact, persistence, privilege_escalation

Spynote payload

Spynote family

Queries a list of all the installed applications on the device (typical banker behaviour: the list is used to decide which legitimate apps to overlay)

Requests enabling of the accessibility settings (opens the Accessibility settings screen so the victim enables the sample's accessibility service; that service is what gives the RAT screen contents and synthetic taps)

Makes use of the framework's foreground persistence service (a foreground service with a persistent notification keeps the implant running despite background-execution limits)

Tries to add a device administrator (device-admin rights make uninstallation harder and expose lock and wipe controls)

Declares broadcast receivers with permission to handle system events (BIND_DEVICE_ADMIN)

Declares services with permission to bind to the system (BIND_ACCESSIBILITY_SERVICE)

Requests dangerous framework permissions (camera, microphone, SMS, call log, contacts, location, overlays, outgoing-call control)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-17 12:24

Signatures

Spynote family

Tags: spynote

Spynote payload

No indicator, process or target is recorded for this signature (all fields N/A).

Declares broadcast receivers with permission to handle system events

Indicator: android.permission.BIND_DEVICE_ADMIN
Description: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.
Process / Target: N/A

Declares services with permission to bind to the system

Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
Description: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
Process / Target: N/A

Requests dangerous framework permissions

Process and target are N/A for every row.

Permission                                   Description
android.permission.CAMERA                    Required to be able to access the camera device. (Listed twice in the report.)
android.permission.READ_EXTERNAL_STORAGE     Allows an application to read from external storage.
android.permission.WRITE_CALL_LOG            Allows an application to write the user's call log data.
android.permission.SYSTEM_ALERT_WINDOW       Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.WRITE_EXTERNAL_STORAGE    Allows an application to write to external storage.
android.permission.GET_ACCOUNTS              Allows access to the list of accounts in the Accounts Service.
android.permission.WRITE_CONTACTS            Allows an application to write the user's contacts data.
android.permission.READ_CONTACTS             Allows an application to read the user's contacts data.
android.permission.RECORD_AUDIO              Allows an application to record audio.
android.permission.READ_SMS                  Allows an application to read SMS messages.
android.permission.READ_CALL_LOG             Allows an application to read the user's call log.
android.permission.READ_PHONE_STATE          Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CALL_PHONE                Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.ACCESS_COARSE_LOCATION    Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION      Allows an app to access precise location.
android.permission.RECEIVE_SMS               Allows an application to receive SMS messages.
android.permission.PROCESS_OUTGOING_CALLS    Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. (Deprecated in API level 29 in favour of CallRedirectionService.)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 12:24
Reported: 2024-06-17 12:28
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 178s
Max time network: 165s

Command Line

cmf0.c3b5bm90zq.patch

The process name is the sample's package name. Its first two labels are lowercased, unpadded base64: "rat" encodes to cmF0 and "spynote" to c3B5bm90ZQ==, which match cmf0 and c3b5bm90zq once case and padding are dropped (package names may only contain lower-case letters, digits and underscores after the first character of each label, which is why the encoding was flattened).

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Makes use of the framework's foreground persistence service

Tags: evasion, persistence
Indicator: framework service call android.app.IActivityManager.setServiceForeground (process/target: N/A)

Requests enabling of the accessibility settings.

Indicator: intent action android.settings.ACCESSIBILITY_SETTINGS (process/target: N/A)

Tries to add a device administrator.

Tags: privilege_escalation, impact
Indicator: intent action android.app.action.ADD_DEVICE_ADMIN (process/target: N/A)

Processes

cmf0.c3b5bm90zq.patch
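Because lowercasing is lossy, the obfuscated labels above cannot be recovered by decoding them; the working check is to encode candidate words and compare. The following is an added example (not part of the sandbox report or of the sample) that does exactly that for the reported process name. The WORDLIST is a constructed assumption of this example.

```python
import base64

# Process / package name exactly as reported by the sandbox.
PACKAGE_NAME = "cmf0.c3b5bm90zq.patch"

# Constructed candidate list: strings an analyst might expect in a SpyNote
# build's package name. An assumption of this example, not taken from the report.
WORDLIST = ["rat", "spynote", "patch", "client", "service", "player", "android"]


def lowercase_b64(word: str) -> str:
    """Base64-encode a word, then drop '=' padding and upper case, reproducing
    what a package-name label restricted to [a-z0-9_] would have done to it."""
    return base64.b64encode(word.encode()).decode().rstrip("=").lower()


def naive_decode(label: str) -> bytes:
    """Re-pad and decode the label as if case had been preserved. This is the
    tempting shortcut and it returns garbage, because lowercasing is lossy."""
    return base64.b64decode(label + "=" * (-len(label) % 4))


def match_labels(package_name: str, wordlist) -> dict:
    """For each dotted label, return ("base64", word) when some wordlist entry's
    lowercase unpadded base64 equals the label, ("plain", label) when the label
    itself is in the wordlist, else None."""
    encoded = {lowercase_b64(w): w for w in wordlist}
    plain = set(wordlist)
    result = {}
    for label in package_name.split("."):
        if label in encoded:
            result[label] = ("base64", encoded[label])
        elif label in plain:
            result[label] = ("plain", label)
        else:
            result[label] = None
    return result


if __name__ == "__main__":
    for label, hit in match_labels(PACKAGE_NAME, WORDLIST).items():
        print(f"{label:12s} -> {hit}")
    print("naive decode of cmf0:", naive_decode("cmf0"))
```

Extending WORDLIST with family names and common RAT vocabulary turns this into a cheap hunting rule over package names pulled from a device or an app-store feed.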

Network

Country  Destination             Domain                    Proto
GB       142.250.187.206:443     -                         tcp
GB       142.250.187.206:443     -                         tcp
N/A      224.0.0.251:5353        -                         udp
GB       216.58.212.234:443      -                         tcp
GB       216.58.212.234:443      -                         tcp
US       1.1.1.1:53              ssl.google-analytics.com  udp
GB       142.250.200.40:443      ssl.google-analytics.com  tcp
GB       216.58.212.196:443      -                         tcp
GB       216.58.212.196:443      -                         tcp
GB       216.58.201.110:443      -                         tcp
GB       216.58.213.2:443        -                         tcp

("-" means no hostname was observed for the connection.)

Files (one path captured six times; the hashes differ, so the file was rewritten during the run)

/storage/emulated/0/service player/config17-06-2024.log

MD5 755924e0382dd43dd860d5a028275218
SHA1 d127395497111a774a950a846c385e82847ffd63
SHA256 3df8878cf5f5ca270911febb30902c3e2617e71900369e678ec116f0c3bc43cd
SHA512 8e7b445a3b4032eb03f11533303b09fd4d68aae2b1ce92bbf88936b19445966b1828e01c8daff6c02fccd98ecbfee7b8772ff9b1115a49ce85988bad2702c2a3

/storage/emulated/0/service player/config17-06-2024.log

MD5 d1f9565ea890030820602c81afef66ce
SHA1 70d4b464f5dab0fcba175067bacb56f2a8cda9f3
SHA256 f222bf873711503865a2d0f24f67d500df0a3f44527bc5689c66d40e8378ca02
SHA512 745f4ed0e5ac4d82eac2994dd50f2f45b120bccc219fc8bba841889eaa7bed4d149d6eba339dfd12607a482f2ac3d16d5d755f413e74768a7aa77e4fa68264f9

/storage/emulated/0/service player/config17-06-2024.log

MD5 0f9df8597c480ead68dd15615e85c702
SHA1 d9a5356fd26aaddd481739ee2c9e2d2a462133d6
SHA256 4cdd090c6e88789eb0bb9e173073e3e198237576178dda8277e251cb8029c075
SHA512 ac9e4e54b0a684e67a9f2705d5bce9a3166f5ac6b5d531996435c3017991aa38b41e35148ccd22d9a53fb0fe0f3ed21a9382eb063a74fba1c172678130812cca

/storage/emulated/0/service player/config17-06-2024.log

MD5 d9c163734a25348fd7ee944a0c0f37aa
SHA1 f3fe3798aea7591d3e3b98fa2fe09a6791529a1f
SHA256 1b18ab28a9a35971e7d09af25fe5ad010bc3ad95c2a45af9184b3cb6c889bea7
SHA512 ff3826ecbbadeb34f67170b4da9960b96b88df338fe8554cf7902faef84f4e5cb890e74f015127060d39798ba958166629c9cea9697879c5efc58994025f80c8

/storage/emulated/0/service player/config17-06-2024.log

MD5 3b7affd49b5f6bcd1f0621ce27e00ea0
SHA1 c5ef74d01ef22acd260f3c603bbbadc70475ae70
SHA256 980f1b5f45ca32ac5595761ad7307ca9747db8fa96f58ecb4f1a4bed88fc7144
SHA512 3ddd2b38e08bfbc80fd591f8a93cfe9d474ee444b8c146834c3967b35b9c0db9867f287b2a654c09770ad5fa4f67a6ad26ffb2418943daecaf2a5ef805129470

/storage/emulated/0/service player/config17-06-2024.log

MD5 973199445e24854edfea03d483d564fa
SHA1 05f205467f05e77c2562470d5e196a74939f5e81
SHA256 6608a72170deae61e935fbacfb8631cd28a057771d44f95b75e719772eea2d62
SHA512 438ac260f603611c18740e6c93f19a30b5cc26784bd65d0478d9c7be0f8ca43498c15a7bc58cc20a078997351b6d979285ea536901f9e86cf0ed611fe5081b75
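The six entries above share a single path whose name embeds the run date, so the path itself is a poor indicator; the content hashes are what belong in a blocklist, and two of them (3df8878c... and 6608a721...) recur in the behavioral2 run. The following is an added example, not code from the sandbox or the report, that parses this listing format, groups entries by path, flags paths that were rewritten, and emits a deduplicated hash list. The excerpt embedded as input is three of the six entries copied from the listing above.

```python
from collections import OrderedDict

# Three of the six behavioral1 entries, in the report's own layout (inline test data).
FILE_LISTING = """\
/storage/emulated/0/service player/config17-06-2024.log

MD5 755924e0382dd43dd860d5a028275218
SHA1 d127395497111a774a950a846c385e82847ffd63
SHA256 3df8878cf5f5ca270911febb30902c3e2617e71900369e678ec116f0c3bc43cd
SHA512 8e7b445a3b4032eb03f11533303b09fd4d68aae2b1ce92bbf88936b19445966b1828e01c8daff6c02fccd98ecbfee7b8772ff9b1115a49ce85988bad2702c2a3

/storage/emulated/0/service player/config17-06-2024.log

MD5 d1f9565ea890030820602c81afef66ce
SHA1 70d4b464f5dab0fcba175067bacb56f2a8cda9f3
SHA256 f222bf873711503865a2d0f24f67d500df0a3f44527bc5689c66d40e8378ca02
SHA512 745f4ed0e5ac4d82eac2994dd50f2f45b120bccc219fc8bba841889eaa7bed4d149d6eba339dfd12607a482f2ac3d16d5d755f413e74768a7aa77e4fa68264f9

/storage/emulated/0/service player/config17-06-2024.log

MD5 973199445e24854edfea03d483d564fa
SHA1 05f205467f05e77c2562470d5e196a74939f5e81
SHA256 6608a72170deae61e935fbacfb8631cd28a057771d44f95b75e719772eea2d62
SHA512 438ac260f603611c18740e6c93f19a30b5cc26784bd65d0478d9c7be0f8ca43498c15a7bc58cc20a078997351b6d979285ea536901f9e86cf0ed611fe5081b75
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_file_listing(text):
    """Return one dict per entry: {"path": ..., "MD5": ..., "SHA1": ..., ...}.
    Hash values are length- and charset-checked so a garbled line is rejected
    rather than silently copied into an IOC feed."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        algo, _, value = line.partition(" ")
        if algo in HEX_LEN:
            if current is None:
                raise ValueError(f"hash line before any path: {line}")
            value = value.strip().lower()
            if len(value) != HEX_LEN[algo] or any(c not in "0123456789abcdef" for c in value):
                raise ValueError(f"malformed {algo} value: {value}")
            current[algo] = value
        else:
            current = {"path": line}          # any non-hash line starts a new entry
            entries.append(current)
    return entries


def group_by_path(entries):
    """Group entries by path (first-seen order), keeping the distinct SHA256s per path."""
    groups = OrderedDict()
    for e in entries:
        g = groups.setdefault(e["path"], {"count": 0, "sha256": []})
        g["count"] += 1
        if e.get("SHA256") and e["SHA256"] not in g["sha256"]:
            g["sha256"].append(e["SHA256"])
    return groups


def rewritten_paths(groups):
    """Paths captured more than once with differing content: a file the sample
    kept rewriting (here a log/config) rather than a single dropped artefact."""
    return [p for p, g in groups.items() if len(g["sha256"]) > 1]


def ioc_hashes(entries, algo="SHA256"):
    """Deduplicated hashes for a blocklist, in order of first appearance."""
    seen = []
    for e in entries:
        h = e.get(algo)
        if h and h not in seen:
            seen.append(h)
    return seen
```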

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 12:24
Reported: 2024-06-17 12:28
Platform: android-33-x64-arm64-20240611.1-en
Max time kernel: 179s
Max time network: 133s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Makes use of the framework's foreground persistence service

Tags: evasion, persistence
Indicator: framework service call android.app.IActivityManager.setServiceForeground (process/target: N/A)

Requests enabling of the accessibility settings.

Indicator: intent action android.settings.ACCESSIBILITY_SETTINGS (process/target: N/A)

Tries to add a device administrator.

Tags: privilege_escalation, impact
Indicator: intent action android.app.action.ADD_DEVICE_ADMIN (process/target: N/A)

Processes

cmf0.c3b5bm90zq.patch

Network

Country  Destination             Domain                             Proto
GB       172.217.169.36:443      -                                  udp
GB       172.217.169.36:443      -                                  tcp
BE       173.194.76.188:5228     -                                  tcp
GB       172.217.16.228:443      -                                  tcp
N/A      224.0.0.251:5353        -                                  udp
US       1.1.1.1:53              remoteprovisioning.googleapis.com  udp
GB       142.250.200.42:443      remoteprovisioning.googleapis.com  tcp
US       162.159.61.3:443        -                                  tcp
US       162.159.61.3:443        -                                  tcp
GB       142.250.180.3:443       -                                  tcp
US       162.159.61.3:443        -                                  udp
GB       142.250.180.3:443       -                                  udp
GB       172.217.169.36:443      -                                  udp
GB       142.250.179.228:443     -                                  udp
GB       142.250.179.228:443     -                                  tcp
GB       142.250.179.228:443     -                                  tcp
GB       216.58.212.195:443      -                                  tcp

("-" means no hostname was observed for the connection.)
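The traffic in all three runs is dominated by emulator noise: mDNS to 224.0.0.251, DNS via 1.1.1.1, and TLS to Google infrastructure (remoteprovisioning.googleapis.com is Android's key-attestation provisioning endpoint; TCP 5228 is the port Google's mobile push services use). No command-and-control destination is named in the report, so the unresolved IPs are what an analyst must enrich (rDNS, ASN, passive DNS) before treating any of them as an indicator. The following is an added example, not part of the report, that parses the table as exported (blank or "-" domain cells both mean no hostname), collapses repeated flows and separates the buckets; the embedded rows are copied from the behavioral2 table.

```python
import ipaddress

# Eight rows of the behavioral2 table in the exported, whitespace-flattened form
# (constructed test input; a row has 3 fields when the domain cell is empty).
NETWORK_TABLE = """\
Country Destination Domain Proto
GB 172.217.169.36:443 udp
GB 172.217.169.36:443 tcp
BE 173.194.76.188:5228 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 142.250.200.42:443 remoteprovisioning.googleapis.com tcp
US 162.159.61.3:443 tcp
US 162.159.61.3:443 - tcp
"""


def parse_network_table(text):
    """Parse the flattened table; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
            domain = None if domain == "-" else domain
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, _, port = dest.rpartition(":")
        rows.append({"country": None if country == "N/A" else country,
                     "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Bucket one flow for triage."""
    if ipaddress.ip_address(row["ip"]).is_multicast:
        return "local_discovery"   # 224.0.0.251:5353 is mDNS from the emulator itself
    if row["port"] == 53:
        return "dns_query"         # the domain column is the name being resolved
    if row["domain"]:
        return "resolved"          # hostname seen: attribute by name
    return "unresolved"            # no name seen: enrich before using as an IOC


def triage(rows):
    """Collapse repeated flows into sorted, deduplicated tuples per bucket."""
    buckets = {"local_discovery": set(), "dns_query": set(),
               "resolved": set(), "unresolved": set()}
    for r in rows:
        buckets[classify(r)].add((r["ip"], r["port"], r["proto"], r["domain"] or ""))
    return {k: sorted(v) for k, v in buckets.items()}


def needs_enrichment(rows):
    """Distinct IPs contacted without an observed hostname."""
    return sorted({r["ip"] for r in rows if classify(r) == "unresolved"})


if __name__ == "__main__":
    parsed = parse_network_table(NETWORK_TABLE)
    for bucket, flows in triage(parsed).items():
        print(bucket, flows)
    print("enrich:", needs_enrichment(parsed))
```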

Files (one path captured six times; the hashes differ, so the file was rewritten during the run)

/storage/emulated/0/service player/config17-06-2024.log

MD5 755924e0382dd43dd860d5a028275218
SHA1 d127395497111a774a950a846c385e82847ffd63
SHA256 3df8878cf5f5ca270911febb30902c3e2617e71900369e678ec116f0c3bc43cd
SHA512 8e7b445a3b4032eb03f11533303b09fd4d68aae2b1ce92bbf88936b19445966b1828e01c8daff6c02fccd98ecbfee7b8772ff9b1115a49ce85988bad2702c2a3

/storage/emulated/0/service player/config17-06-2024.log

MD5 1be852e57a5184e2df9d6897f02bac2f
SHA1 b2e611797d59f4e7beb5cf4ece353a0954584591
SHA256 2fbbaad27a32f675d7a51d6adc2b32015b4c703e7b13be772250c1df3bc84710
SHA512 177ca8472080f1e9e3bd1dddf0d438602d45f78387f7c6d0b707b737d829c3e649e2ff5e62f537d92b6088b0652aacfb7dfbbc6c4d0f156e95baa4953a646d96

/storage/emulated/0/service player/config17-06-2024.log

MD5 be8931efc4ffa7f9839df2c65f3af877
SHA1 aba92af726b93e9b8201fdadfe37d6eb3c61f724
SHA256 e4b8b17a96dbb627ab7a49d47b2eb4a6bd9c76f7536b139c4b065bf61a0ee6dd
SHA512 c77602771f93b1f73ff65859f68317d2cc59fad8e8ffeaf6f6cbc8b6e5f76e372c77cf3292749e99976a8cb6e334fc9504c56d5f1c151257be8050b61fd1ab94

/storage/emulated/0/service player/config17-06-2024.log

MD5 81f27c5ecd1fe23277f6a4e41bd8179a
SHA1 43a3a40d4d1bc519267904bf1bd336c73a7b1bd2
SHA256 81a913e01cdb50f35345d5e603e6fc153bb37a1105fbc3eee5440adaf7400713
SHA512 a445ebd941f117980488b7ab1e5f88c30d8bcca08a8b057b3342367d19600f2086ef2195b730c4d6caaadf60f908b92199e5150b284e10deed9b708f7e712096

/storage/emulated/0/service player/config17-06-2024.log

MD5 973199445e24854edfea03d483d564fa
SHA1 05f205467f05e77c2562470d5e196a74939f5e81
SHA256 6608a72170deae61e935fbacfb8631cd28a057771d44f95b75e719772eea2d62
SHA512 438ac260f603611c18740e6c93f19a30b5cc26784bd65d0478d9c7be0f8ca43498c15a7bc58cc20a078997351b6d979285ea536901f9e86cf0ed611fe5081b75

/storage/emulated/0/service player/config17-06-2024.log

MD5 dc98c81fdb615fa21bae37f7aa656c19
SHA1 37ae244b854f09cb5a264bcd697cbc7ba6d6c951
SHA256 9116af032a6de1975ac84c190da643c2cfb275f7d7f96b45ebd990ab884a1885
SHA512 b3d923bc783793bb513f3f11767ec742e1893f51b13a24c66bb43aff44e483ec9b312ad792bae01b0f59a731112e65a2a9db70b587367ca809a89c51971f4f8b

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-17 12:24
Reported: 2024-06-17 12:28
Platform: android-x86-arm-20240611.1-en
Max time kernel: 178s
Max time network: 130s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Makes use of the framework's foreground persistence service

Tags: evasion, persistence
Indicator: framework service call android.app.IActivityManager.setServiceForeground (process/target: N/A)

Requests enabling of the accessibility settings.

Indicator: intent action android.settings.ACCESSIBILITY_SETTINGS (process/target: N/A)

Tries to add a device administrator.

Tags: privilege_escalation, impact
Indicator: intent action android.app.action.ADD_DEVICE_ADMIN (process/target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver (process/target: N/A)
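The static1 permissions and the runtime indicators from the three behavioral runs are two halves of the same evidence: the manifest shows what the sample may do (BIND_ACCESSIBILITY_SERVICE, BIND_DEVICE_ADMIN, SMS, call and sensor permissions) and the intents and framework calls show which of those capabilities it actually exercised in the sandbox (ACCESSIBILITY_SETTINGS, ADD_DEVICE_ADMIN, setServiceForeground). The following is an added example, not part of the report or of any sandbox product, that correlates the two for this sample. The permission set and events are copied from the report; the rule names, their grouping and the verdict threshold are this example's own assumptions.

```python
# Manifest permissions listed under static1 in the report.
DECLARED_PERMISSIONS = {
    "android.permission.BIND_DEVICE_ADMIN", "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.CAMERA", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_CALL_LOG", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.GET_ACCOUNTS", "android.permission.WRITE_CONTACTS",
    "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
    "android.permission.PROCESS_OUTGOING_CALLS", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Runtime indicators from the behavioral sections, as (kind, value) pairs.
RUNTIME_EVENTS = [
    ("framework_call", "android.app.IActivityManager.setServiceForeground"),
    ("intent", "android.settings.ACCESSIBILITY_SETTINGS"),
    ("intent", "android.app.action.ADD_DEVICE_ADMIN"),
    ("framework_call", "android.app.IActivityManager.registerReceiver"),
]

P = "android.permission."

# Rule names, groupings and the verdict threshold are this example's own choices.
# Each rule is (manifest prerequisites, runtime actions that exercise them).
RULES = {
    "accessibility_abuse": ({P + "BIND_ACCESSIBILITY_SERVICE"},
                            {("intent", "android.settings.ACCESSIBILITY_SETTINGS")}),
    "device_admin": ({P + "BIND_DEVICE_ADMIN"},
                     {("intent", "android.app.action.ADD_DEVICE_ADMIN")}),
    "foreground_persistence": (set(),
                               {("framework_call", "android.app.IActivityManager.setServiceForeground")}),
    "sms_interception": ({P + "RECEIVE_SMS", P + "READ_SMS"}, set()),
    "overlay": ({P + "SYSTEM_ALERT_WINDOW"}, set()),
    "call_control": ({P + "CALL_PHONE", P + "PROCESS_OUTGOING_CALLS"}, set()),
    "surveillance": ({P + "CAMERA", P + "RECORD_AUDIO", P + "ACCESS_FINE_LOCATION"}, set()),
}


def evaluate(permissions, events):
    """Correlate static and dynamic evidence per rule. Statuses:
    confirmed    - prerequisites declared and the runtime action was observed
    capability   - declared in the manifest but not exercised in this run
    dynamic_only - action observed although the manifest lacks the usual prerequisite
    absent       - neither"""
    observed = set(events)
    result = {}
    for name, (static, dynamic) in RULES.items():
        static_ok = bool(static) and static <= permissions
        dynamic_ok = bool(dynamic) and dynamic <= observed
        if static and dynamic:
            status = ("confirmed" if static_ok and dynamic_ok else
                      "capability" if static_ok else
                      "dynamic_only" if dynamic_ok else "absent")
        elif static:
            status = "capability" if static_ok else "absent"
        else:
            status = "confirmed" if dynamic_ok else "absent"
        result[name] = status
    return result


def is_banker_profile(statuses):
    """Accessibility abuse confirmed at runtime plus at least two further rules
    active. The threshold is an assumption of this example."""
    active = sum(1 for s in statuses.values() if s != "absent")
    return statuses.get("accessibility_abuse") == "confirmed" and active >= 3


if __name__ == "__main__":
    verdicts = evaluate(DECLARED_PERMISSIONS, RUNTIME_EVENTS)
    for rule, status in verdicts.items():
        print(f"{rule:24s} {status}")
    print("banker/RAT profile:", is_banker_profile(verdicts))
```

The split between "confirmed" and "capability" matters when reading a sandbox report: the SMS, overlay, call and sensor permissions were declared but nothing in the three runs shows them being used, so a detection written only from the runtime indicators would miss them, and one written only from the manifest would over-count benign apps that declare the same permissions.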

Processes

cmf0.c3b5bm90zq.patch

Network

Country  Destination             Domain                   Proto
N/A      224.0.0.251:5353        -                        udp
GB       142.250.187.206:443     -                        tcp
US       1.1.1.1:53              android.apis.google.com  udp
GB       142.250.187.206:443     android.apis.google.com  tcp

("-" means no hostname was observed for the connection.)

Files (one path captured six times; the hashes differ, so the file was rewritten during the run)

/storage/emulated/0/service player/config17-06-2024.log

MD5 9a10ae864e5a2117b0710dc1f5889c3f
SHA1 906471a72785dff40ca4a82acda096e028dd7071
SHA256 6f8c850bf2de1c4877185434714d428cf58cbf03b19545b69ed0469cef8f5831
SHA512 93e1f2a7ace84afb30f040050ea9a5d6df98447028c84272cbcc26f5307fc60bcb522adca82130812dbf45fe6ed8720145010c3543589f43b2d99ffb52de7971

/storage/emulated/0/service player/config17-06-2024.log

MD5 53a5994e28f66e087b57b44503b8ca4b
SHA1 6a2f563e2194e797d217c779e02a83668d031e68
SHA256 6bbf4a482b3ccc67c0ad4075c7465203d5c417b741f31ecf52406da6d91f32c5
SHA512 c1890e774158cf2a58a2ba21beb926b7fae55d7f8ea64108b93b75c212d73429684d699f136711651b38153608529eab1dfc48fe8d874a08a186a05bc5b6310d

/storage/emulated/0/service player/config17-06-2024.log

MD5 4a356a199f0118b973ac9a455984614a
SHA1 4f0bb8d156e59cea635e3133f7c69a80b62f7f94
SHA256 f1e1296f9f4ba6528a486dafb1d381466398206a929d23d729035ac76d51416b
SHA512 eb326d3c2155579efdfd1f681ffae2d5c0ad1e7588e1d741ae3f2d8984621a870497fffecb239e1f06501d6101f92cce3659f748518509a14bacdce04cb3cd1e

/storage/emulated/0/service player/config17-06-2024.log

MD5 1eb45aed76dbdacb3e1d6494c245c2a0
SHA1 345c8023f2d1e4128063a7964d7c366dd5ba430b
SHA256 e7e34f872740199c4757d07857745abe06087b4b7383aba2fd8598a0b397414f
SHA512 6173aeffacf11a4130028c15ebe9879c5bcf76a46e37205752f6cbebf61501d26f4492a178a79a8eec7b40f094dd6050a190931851d79db87f9f06972f6599cd

/storage/emulated/0/service player/config17-06-2024.log

MD5 7e46dfbd60dae170e80369842cd9a519
SHA1 a5365d6ce3d59fac8ff3cb2c123e4cac62531320
SHA256 17247d3d76e2b5dd9488a52046a03e6cae8f444da385851dee8a8f12884a82a4
SHA512 c7c7b3a6d5b40c4cbda104b386689796ef252659a2fed9d66615b46f1231e577b07eb7ef0bf258d7bb4c44cb8436cb0df85f9a8ececbf9301a88a0d477d4364d

/storage/emulated/0/service player/config17-06-2024.log

MD5 09ef1bc3589ed27c2263ed27b772f5ab
SHA1 ab8f589d90c1e16261769665613085f65035e0dc
SHA256 6a0192f31538cf9ee3bf087d11017dc6b6c2c173208f177f5d2645737b1c005b
SHA512 f9f48d58331cbf6f20b7a83291dde342b6985d3729b13b0e09f18de0be8d277479ff5c2c67a439934be87d51fb31d320632cc2c2ba56f87cb14a6ab4857681d1