Malware Analysis Report

2024-10-16 05:16

Sample ID 240716-f387zazcle
Target client.apk
SHA256 27f1f8cc100a1ba695fde052046686f5e79ff007fbfae8aa4ef1d31e2805eea7
Tags
spynote banker discovery evasion impact persistence privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

27f1f8cc100a1ba695fde052046686f5e79ff007fbfae8aa4ef1d31e2805eea7

Threat Level: Known bad

The file client.apk was found to be: Known bad.

Malicious Activity Summary

spynote banker discovery evasion impact persistence privilege_escalation

Spynote family

Spynote payload

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Declares services with permission to bind to the system

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Requests enabling of the accessibility settings

Declares broadcast receivers with permission to handle system events

Tries to add a device administrator

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-16 05:25

Signatures

Spynote family

spynote

Spynote payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 05:25

Reported

2024-07-16 05:31

Platform

android-x86-arm-20240624-en

Max time kernel

328s

Max time network

327s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence

Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests enabling of the accessibility settings

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Tries to add a device administrator

privilege_escalation impact

Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

cmf0.c3b5bm90zq.patch

Network

Country Destination Domain Proto

Files

/storage/emulated/0/systeminformation.android.app/config16-07-2024.log

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-16 05:25

Reported

2024-07-16 05:30

Platform

android-x64-20240624-en

Max time kernel

5s

Max time network

337s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Processes

cmf0.c3b5bm90zq.patch

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-16 05:25

Reported

2024-07-16 05:31

Platform

android-x64-arm64-20240624-en

Max time kernel

328s

Max time network

332s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence

Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests enabling of the accessibility settings

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Tries to add a device administrator

privilege_escalation impact

Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Processes

cmf0.c3b5bm90zq.patch

Network

Country Destination Domain Proto

Files

/storage/emulated/0/systeminformation.android.app/config16-07-2024.log