Malware Analysis Report

2024-10-16 05:19

Sample ID 240702-xyjvysvhmb
Target ready.apk
SHA256 e9e417368fef0aa029cc2b78467f2e00b5b5e522ae4bef0f66c422ac1df0c9d0
Tags
collection credential_access evasion execution persistence spynote
score
10/10

Analysis Overview

score
10/10

SHA256

e9e417368fef0aa029cc2b78467f2e00b5b5e522ae4bef0f66c422ac1df0c9d0

Threat Level: Known bad

The file ready.apk was found to be: Known bad.

Malicious Activity Summary

collection credential_access evasion execution persistence spynote

Spynote family

Makes use of the framework's Accessibility service

Requests enabling of the accessibility settings

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Acquires the wake lock

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-02 19:15

Signatures

Spynote family

spynote

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). | android.permission.BIND_INPUT_METHOD | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 19:15

Reported

2024-07-02 19:21

Platform

android-x64-20240624-en

Max time kernel

179s

Max time network

187s

Command Line

bag.brands.until

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

bag.brands.until

Network


Files

/storage/emulated/0/Config/sys/apps/log/log-2024-07-02.txt

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-02 19:15

Reported

2024-07-02 19:21

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

189s

Command Line

bag.brands.until

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

bag.brands.until

Network


Files

/storage/emulated/0/Config/sys/apps/log/log-2024-07-02.txt

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 19:15

Reported

2024-07-02 19:21

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

186s

Command Line

bag.brands.until

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

bag.brands.until

Network


Files

/storage/emulated/0/Config/sys/apps/log/log-2024-07-02.txt