Malware Analysis Report

2024-10-16 05:14

Sample ID 240715-pm8e6stend
Target FluxusGoldV7.5.apk
SHA256 f24ebec71b9e605edd8713ec457963f09ea7c64b289251d2f02e9b5134213c43
Tags
spynote collection credential_access evasion execution persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f24ebec71b9e605edd8713ec457963f09ea7c64b289251d2f02e9b5134213c43

Threat Level: Known bad

The file FluxusGoldV7.5.apk was found to be: Known bad.

Malicious Activity Summary

spynote collection credential_access evasion execution persistence

Spynote family

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Makes use of the framework's foreground persistence service

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-15 12:27

Signatures

Spynote family

spynote

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. android.permission.BIND_VPN_SERVICE N/A N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). android.permission.BIND_INPUT_METHOD N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-15 12:27

Reported

2024-07-15 12:31

Platform

android-x64-20240624-en

Max time kernel

179s

Max time network

169s

Command Line

adam.dying.parenting

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

adam.dying.parenting

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
N/A 192.168.1.10:7771 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.78:443 android.apis.google.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
N/A 192.168.1.10:7771 tcp
N/A 192.168.1.10:7771 tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-07-15.txt

MD5 29c860eaf6f36678345f0a9f6b9cc0d9
SHA1 7ffbfbc250be31fd70760cb9f0536e6e4f45c6ef
SHA256 a1ea0cecec3d74e34e9874060753be7786995c8cc62e1daa420f930122f43eec
SHA512 290f920dbee3dd59bd258ec398f0816ee24a620392ce8deaad0e6d1eaa1208f891393522d8125aea4aef9163f9011a02b3463e2d41a4e24bde065fcbad57ed20

/storage/emulated/0/Config/sys/apps/log/log-2024-07-15.txt

MD5 b9b530e2448252311640bbecb69b796a
SHA1 215ede46fb42a68a7ae84c3019acb3019668a46c
SHA256 5a290151305de1ec4f790cd8ada8bd68c076a2c4ed497c40a519509659b65150
SHA512 5834499307946d130887067b2f837ddfef7fdfe3a7e5ed8977eb14c2dc1ab328334da35ed4c978e20b3e6b28ff30dbd12f0430f4b7c831481f339d360c260919

/storage/emulated/0/Config/sys/apps/log/log-2024-07-15.txt

MD5 40fcf48a4ecdb632240619eb756772ce
SHA1 83706b0dcc3ff8032962dcd0d73a36ba65dd6f30
SHA256 d153cc76e9f7a12c26dbe0d197285a77fc8efeed1b1f3d35c25ba386711b5c80
SHA512 4757ed0904a24ed77c8c2dca9be96f084cebc54a93c43eb0eb27545aba7e58916abb0b639254d90ebffea1e760b85d0a0fe53ada28194734748116475dd9829b

/storage/emulated/0/Config/sys/apps/log/log-2024-07-15.txt

MD5 a9ec0c42a43c72d73c499e5c17ccbb8b
SHA1 731652fbfe61eac3fdb4b9d3e2eaa010848a0906
SHA256 6c5309ce3f31c9af3288b0de3305b7f5ddee97be60ca4ac1184f3c334480c05b
SHA512 5f8ed24a51f68cfa0627aceb9190d3a7febaee61bd5a89898ab113ddaa7ce2a41f129a28c4e200d5e5e4ddff7a483abc0393dc38e870782caf1c46d2ec0df2e3

/storage/emulated/0/Config/sys/apps/log/log-2024-07-15.txt

MD5 365f074d64faad2f0f0c7784608e5b57
SHA1 2105b80d01621cbd370bec93f73709a7b67d565b
SHA256 0c4662ed55fc03738e7903864ed0249c921b8f2d858531577eebd53501237cc4
SHA512 d29b5c16d10a78b386ba1f4882f7e80bc6d41887671abe6a36c746b015ea280d4a26f3d2af323b4ad755c256e5851a5b95d0bda8882c6c0a2c125bc748fab47a