Malware Analysis Report

2024-10-16 05:16

Sample ID 240722-sa2zeathkp
Target ready.apk
SHA256 3424dc83a016ea7ba8ffbc923f13ffd1ebd51164a0234a55ce73aaf82a494477
Tags
spynote collection credential_access evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3424dc83a016ea7ba8ffbc923f13ffd1ebd51164a0234a55ce73aaf82a494477

Threat Level: Known bad

The file ready.apk was found to be: Known bad.

Malicious Activity Summary

spynote collection credential_access evasion persistence

Spynote family

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Makes use of the framework's foreground persistence service

Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-22 14:56

Signatures

Spynote family

spynote

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). android.permission.BIND_INPUT_METHOD N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 14:56

Reported

2024-07-22 14:57

Platform

android-33-x64-arm64-20240624-en

Max time kernel

42s

Max time network

59s

Command Line

evident.attending.spoke

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

evident.attending.spoke

Network

Country Destination Domain Proto
GB 142.250.187.228:443 udp
GB 142.250.187.228:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.179.234:443 udp
GB 142.250.179.234:443 tcp
GB 142.250.179.234:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 216.58.204.78:443 android.apis.google.com tcp
RO 188.212.101.133:8000 tcp
US 1.1.1.1:53 133.101.212.188.in-addr.arpa udp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 s1-133.gazduirejocuri.ro udp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
US 162.159.61.3:443 tcp
US 162.159.61.3:443 tcp
GB 142.250.187.227:443 tcp
US 162.159.61.3:443 udp
US 34.104.35.123:80 tcp
GB 142.250.187.227:443 udp
GB 142.250.187.228:443 udp
GB 142.250.178.4:443 udp
GB 142.250.178.4:443 tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-07-22.txt

MD5 a9148d406d2aa27774f728eac988cdd3
SHA1 68c1e93debcda4b97e06720a3b93a434e0f0c4e5
SHA256 bd8740f21d0f44f343afebfd133a234fa5210d5f4f79f2d826980a4a1bf07a38
SHA512 f6f089bbf90a16061e1af9dc677451ce729fcc908218f60977862beb3f370ff69948eace2a4c995a0d65a96efc5263da307d77f514ec3a16f02133d7d9cc2215

/storage/emulated/0/Config/sys/apps/log/log-2024-07-22.txt

MD5 0a7da9fcef3403006b99f3d2594eb87d
SHA1 79650b591371a4ed2d9f8921269e4f348ef3d458
SHA256 2e7c750b58e9095dbc1cac4b47472e29ffed57d9c13d845f56bebcb05198ea11
SHA512 2c68a150c7e25ec875f5b3921f93637475aa10858eb03c5206a62883694217d93e124f8aebcd5a29d1820ff86c8b86c2311ec45ec1903a73b15cc48a534f875c