Malware Analysis Report

2024-10-24 20:59

Sample ID 240806-tfwv1sxcja
Target standoffcheat.apk
SHA256 795c8acc11607d4d0fd05b2dc92eba06553c810997d3682427e17fe006043260
Tags
spynote
score
10/10

Analysis Overview

score
10/10

SHA256

795c8acc11607d4d0fd05b2dc92eba06553c810997d3682427e17fe006043260

Threat Level: Known bad

The file standoffcheat.apk was found to be: Known bad.

Malicious Activity Summary

spynote

Spynote family

Spynote payload

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 16:00

Signatures

Spynote family

spynote

Spynote payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 16:00

Reported

2024-08-06 16:02

Platform

android-33-x64-arm64-20240624-en

Max time kernel

63s

Max time network

70s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

N/A

Processes

cmf0.c3b5bm90zq.patch

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.228:443 | | udp
GB | 142.250.187.228:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
US | 162.159.61.3:443 | | tcp
US | 162.159.61.3:443 | | tcp
GB | 172.217.169.3:443 | | tcp
US | 162.159.61.3:443 | | udp
GB | 172.217.169.3:443 | | udp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.187.228:443 | | udp
GB | 216.58.204.67:443 | | tcp

Files

/storage/emulated/0/com.standoff.tronix/config06-08-2024.log

MD5 59d252a28ac012f30c0432a6cff4baf7
SHA1 e8cb8947c0aefaf0be65d503531854dbba977216
SHA256 68b1cfe09bbefa0697d717483a40e7a22dd484cd72e3570ddcd9cca812bdb8c5
SHA512 9f52ef7c1cb3b20034be4088904bab20e7cdd429332865929415383d76fd8719952f1ac642e337c6e110985173b2f3aaba89267ab4734e49580bbf694213b895

/storage/emulated/0/com.standoff.tronix/config06-08-2024.log

MD5 6dc9eb0dc590d7cc662992e90eed01c2
SHA1 6eb701769b02d56934bd81269a8e82163ee362f9
SHA256 eb65780d5039f175f580ca6cecda164809e189251ea9279c8082297e5648f41b
SHA512 c3168417af7ee4707f0320ca2036ea46fa71a5a7338326334efb8503158cd76f9399f530d17c969dda4ddeaa9edf68dba9507ba4065c51c666fa22deca0cf0cb

/storage/emulated/0/com.standoff.tronix/config06-08-2024.log

MD5 99b12f8862db4828b283bdb178c7c48a
SHA1 ebbba26bcc9096ebbc263784a27c1150981a369a
SHA256 5ffe9ae1c4a7c75fafec3ca48f20eff84c6b62fcb355465ce725cdb1793c10a5
SHA512 4f2f4941c1c92132b642e20eb860a9237f1b16619f9ef7204a15218aeeb127af575bb41045a5caef472b6369c594066f402c3c677fba84e6cb67daa6b7907f0e