Malware Analysis Report

2024-09-09 13:23

Sample ID 240617-qzrhvsxdrq
Target Standoff123.apk
SHA256 7af7345e3aaefd36eebd58b9db18b480f61dc50ce15ecdaad9f9895fa266e1a2
Tags spynote banker discovery evasion persistence stealth trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 7af7345e3aaefd36eebd58b9db18b480f61dc50ce15ecdaad9f9895fa266e1a2

Threat Level: Known bad

The file Standoff123.apk was found to be: Known bad.

Malicious Activity Summary

spynote banker discovery evasion persistence stealth trojan

Spynote family

Spynote payload

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Declares broadcast receivers with permission to handle system events

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-17 13:42

Signatures

Spynote family

spynote

Spynote payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 13:42

Reported

2024-06-17 14:00

Platform

android-x64-20240611.1-en

Max time kernel

1075s

Max time network

890s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

cmf0.c3b5bm90zq.patch

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.180.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.212.238:443 | | tcp
GB | 142.250.200.2:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/storage/emulated/0/AxelBolt.net/config17-06-2024.log

MD5 5436c086a66855f015e8fdf75d14fb64
SHA1 e00b87d0b37a27d58a4208f04e029d83676baef2
SHA256 15cc0356a4cd9e6f3ba2192a93f30803c478fc228fa9875bf04d1417c2434380
SHA512 62ecdf2b52d1e08d42fb06bc07cf562e980d23b5abcaeae4ac8b0b162638dafcc1a5f90fd30e0bcdc880411a3f48a758b539b1d064d9d2f480d21684e5b6c509

/storage/emulated/0/AxelBolt.net/config17-06-2024.log

MD5 36051707a130a324d19507e8a9a874cf
SHA1 9fb010961feccd2a76f46b6049db05936892231e
SHA256 648bfbc4d68ae246f843d5810f6b8d734e870d67c163a0a32c5851415a7d3309
SHA512 0d89043d54467908de6f794636ed8d318d6fbd574a78ac0d801d71ff0551d739892b7c1b3d4811b04cd3c69d1a60af978036ba759752859afbf204c6f4075d56

/storage/emulated/0/AxelBolt.net/config17-06-2024.log

MD5 6589d0b625027ba991371a21bc1b11cd
SHA1 6c3708b121007e95d07adab8175e0568008d5d76
SHA256 9147f011bfe2ef7a26a26ee294bef13103aa4f23788a982586fe683b7b50503d
SHA512 ad552d4f75814e0e2c383e9f986bff5b96bd394fdef3e05c7cb28a83d1d4302a7cc546bdd7ca902288286991c4efb0db90cd7712b4cea0ca89a12a43c8626c6b

/storage/emulated/0/AxelBolt.net/config17-06-2024.log

MD5 4cbe6e699ad4069d33a1f70044d3e8d8
SHA1 d59cc1b98ac1473ad0e86dfa6b737e427b4683db
SHA256 e84070738fb0538dbb70facdfd43f3391456590656777822befaf1e91401d3e0
SHA512 788269add44a7c495f387f4682bdb61acafcb9a1f2f48870732620f592f1a88f37718693c05dad8289755a5c92d6c6feff4c9224b4cec300304f5980001ebab8