Malware Analysis Report

2024-09-09 19:06

Sample ID 240617-pmn2javcqn
Target WhatsApp.apk
SHA256 8a91bf9ba1250e5f0977384101f5ff3c1d7dc121e7ed304e2580bac1082b7d61
Tags spynote banker discovery evasion persistence impact privilege_escalation
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 8a91bf9ba1250e5f0977384101f5ff3c1d7dc121e7ed304e2580bac1082b7d61

Threat Level: Known bad

The file WhatsApp.apk was found to be: Known bad.

Malicious Activity Summary

spynote banker discovery evasion persistence impact privilege_escalation

Spynote payload

Spynote family

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Requests enabling of the accessibility settings

Tries to add a device administrator

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-17 12:26

Signatures

Spynote family

spynote

Spynote payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-17 12:26
Reported 2024-06-17 12:30
Platform android-x64-20240611.1-en
Max time kernel 178s
Max time network 150s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

cmf0.c3b5bm90zq.patch

Network


Files

/storage/emulated/0/service player/config17-06-2024.log

MD5 c75ecdc9e8b8da90ed47fa4cd2858f63
SHA1 ea66eebc03f74f4852175734f4e6ce66ac4319ff
SHA256 cabb5b1ce2c94bd29fa710bd48ad96d97cf2fe90acbc8d40eb4c3b17c94d98e9
SHA512 1b9d3a50ed11b85ab029e52d7057d08b316fa68909b2cf11f832fb5d42d46687bcfac86e4b2f148832906efb7c822b0a3484129804f75a72a93525d4900f697a

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-17 12:26
Reported 2024-06-17 12:30
Platform android-33-x64-arm64-20240611.1-en
Max time kernel 179s
Max time network 132s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Tries to add a device administrator

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

cmf0.c3b5bm90zq.patch

Network


Files

/storage/emulated/0/service player/config17-06-2024.log

MD5 dd0429a2a11874170f62282b53815913
SHA1 3ba81fa2b856dc78cf94e014f939eb8b8e2964ae
SHA256 0eaa454e8ed380f1ec2aac5ee85b33dd281c51a29d23dd3ec25df3569beab4f4
SHA512 ec0115ee1621745d6bf83dbab3c1737b54aa98db1efb4876fae9c76dd731db5c6e45a68c4a6fe4ebbf17a6184829029a4cec947b392db7a4a02d98c973358b61

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-17 12:26
Reported 2024-06-17 12:30
Platform android-x86-arm-20240611.1-en
Max time kernel 178s
Max time network 156s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Tries to add a device administrator

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

cmf0.c3b5bm90zq.patch

su

Network


Files

/storage/emulated/0/service player/config17-06-2024.log

MD5 43dce59bc069e6a7674bb60cf0e51025
SHA1 bea3cf820d5fa5647d45823833659c7d11bfe10c
SHA256 41f7ad895385baa9150d5efb4a6109b4f1d44546bd65ed53d3e535ec3846c06f
SHA512 c6d8a4faa51d902bf60754dda257c199a73a28d438e84aa7272a2c2884a0b4bcc9446108107520a321ae4000598245e9636ac3be924c55cd254f0ced77fcea6d

/storage/emulated/0/service player/config17-06-2024.log

MD5 13de3a6c342dfca4b3d485af4c017f38
SHA1 10c617a6c3384b64fb219b0d12dea1f17145796e
SHA256 92af9bc332631c6b309c8b32197fe7f174a7f74be717879502e750152b300fe9
SHA512 b961f5a3acb24bdfc0219212653e2b031cb3e9061afcc9632216a4b28d847264ecbf3ea8034d05e30d49e19483f08c57773cd7c3a92b5e926c546f2e3d2be4ec

/storage/emulated/0/service player/config17-06-2024.log

MD5 7f365673c96bb74f26aaf7fece4e11f7
SHA1 fd7b95a3d01ea0e113abead5c7ccc186b7d26d47
SHA256 a9d338adb9f76a421e0810dd7e2d99d7cfbf8229a95c1837fa1defd713f4834d
SHA512 8447d4139a57f4c6f6f39b5e3ed504fbc03aabee99fff65bdf10c5e433aefd3e15e55dab6e63fb7a9a7f51c104df5cddeae24b25cdf519cfaaf4fca4c1c6b281

/storage/emulated/0/service player/config17-06-2024.log

MD5 c75ecdc9e8b8da90ed47fa4cd2858f63
SHA1 ea66eebc03f74f4852175734f4e6ce66ac4319ff
SHA256 cabb5b1ce2c94bd29fa710bd48ad96d97cf2fe90acbc8d40eb4c3b17c94d98e9
SHA512 1b9d3a50ed11b85ab029e52d7057d08b316fa68909b2cf11f832fb5d42d46687bcfac86e4b2f148832906efb7c822b0a3484129804f75a72a93525d4900f697a

/storage/emulated/0/service player/config17-06-2024.log

MD5 ead7bdd10e0455eb7ac727093466d429
SHA1 b046cb9c05517d71a2f3286d367a5b11d54b4e41
SHA256 03e8bd551424502a218fc56b5aada48f0e7fce52b0e936f1d380bf2528b2ffa0
SHA512 fcb35585847f0a6eba10bb8f7cdf23c54b669c38a286afda1d0541847c6437aa038c058cdc367e4911d6a2fe4d8916093e2cc82239168dc4de522f0fa1241dbb

/storage/emulated/0/service player/config17-06-2024.log

MD5 89f3a783146e0e29a046b4b5288cd8ca
SHA1 0daeede8419cd6de8562f05ff2d9d02e532d7a56
SHA256 bf188f9041f48f6fc4ece64d26c2bb2753ec9640b9da9b1614ee1b952ed7c388
SHA512 6c802fd30280da6d2b20294c9357caf48de4111a9eb4c18de5e50c75388d3ff12bb3dc956defd157e89e56f4c9553eeb916bfcd7005cae2aa6376cf6935ac39b