Malware Analysis Report

2024-10-24 20:58

Sample ID 240806-tk3jcsxdma
Target standoffcheat.apk
SHA256 795c8acc11607d4d0fd05b2dc92eba06553c810997d3682427e17fe006043260
Tags: spynote banker discovery evasion persistence stealth trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 795c8acc11607d4d0fd05b2dc92eba06553c810997d3682427e17fe006043260

Threat Level: Known bad

The file standoffcheat.apk was found to be: Known bad.

Malicious Activity Summary

spynote banker discovery evasion persistence stealth trojan

Spynote family

Spynote payload

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-08-06 16:07

Signatures

Spynote family

spynote

Spynote payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 16:07

Reported

2024-08-06 16:11

Platform

android-x86-arm-20240624-en

Max time kernel

177s

Max time network

138s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Removes its main activity from the application launcher

Tags: stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

cmf0.c3b5bm90zq.patch

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 16:07

Reported

2024-08-06 16:11

Platform

android-x64-20240624-en

Max time kernel

2s

Max time network

182s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Removes its main activity from the application launcher

Tags: stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Processes

cmf0.c3b5bm90zq.patch

Network


Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-06 16:07

Reported

2024-08-06 16:11

Platform

android-x64-arm64-20240624-en

Max time kernel

178s

Max time network

133s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Removes its main activity from the application launcher

Tags: stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Processes

cmf0.c3b5bm90zq.patch

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/storage/emulated/0/com.standoff.tronix/config06-08-2024.log

MD5: 0945c02f2b1f4bd2bfd0994cde10d901
SHA1: cff24cfd4db66a0e2ac0ea92314f2b5fa287ae0d
SHA256: 62d79759c09f305055e9729a30149845e5f18e8c28bda945b97186365c8cbbef
SHA512: f8a8325cb5d12f8b9c5f3992e1945a2db967a0f3cedf461f6beb15fbc3a3b4807568c2301d821fe63342b4a9b01a7ac99d8ce70b2a8197721163962ee229e027

/storage/emulated/0/com.standoff.tronix/config06-08-2024.log

MD5: 883020d2a1bfd130378a33678994b048
SHA1: f2cd2294b4740c70e4fa2ef73b8f9570a36e0169
SHA256: c3d0206c7c8314ba15cf8470091b5b97582b10bd690318b8bf9c817098bdab65
SHA512: 422b438bffb92c913e9d1c292b9bedcc097a830e4ae024f07c3dd2def023d091af0293b4c0b5c40aa91a7c631aedc466de90d3537504d84634c0ac18138e031a

/storage/emulated/0/com.standoff.tronix/config06-08-2024.log

MD5: ef2b800cef27670b4328d5fbcc1df815
SHA1: 3404f36e0ea24fd4f0398307549226cad488d2c1
SHA256: 1ea30a9e7069855d3b68735d4369709a60db64cb255d202c6869582e72db470c
SHA512: d57192185aaff108a0030144ed20ab9ce99020681e26ac26c37c20cf46e0b2b5854a7871ad7e6806e88c9a1a56a8ba9ed6e05846457b3084772a1d58bb43091d

/storage/emulated/0/com.standoff.tronix/config06-08-2024.log

MD5: 1f154803e5d4b04d645fa779f2417195
SHA1: 8264642c39be261d0534ede0c584600da4f2ec09
SHA256: 3275d040b29e2cfd9e2c766338b67fd624f6ef8be513cd0f1c6c81e3f0ac1aad
SHA512: 85693395228d48143b1a1424e33f74b1788cdc0617412c091747e38c12308951ab7524ffe066a40e397e981bd221207066025557c68a24bb77376c0c733ba452

/storage/emulated/0/com.standoff.tronix/config06-08-2024.log

MD5: e7b5d4024a5b8644d535a91f50ee7f42
SHA1: 899da8353acef4d43c3393d3a81ce9e47b6d9ada
SHA256: e1660f5d68efa77f2d0c6d1498c30e88f6a517182ba5594420fe5f371266475f
SHA512: 5359abfb23485783ca54dbb0175c1be6aa8c670c433c1085c3c581ab6d6e1989e77e6c384bfa1296061ce7265eede7c298ef2949b98966dfe8a84652abcaf948