Malware Analysis Report

2024-10-24 20:58

Sample ID: 240807-1gqhysvbkj
Target: ready.apk
SHA256: 464997c76514be1c491da9fd9999e4da0e7d67e3e744dae020ef8744a6a98271
Tags: collection credential_access discovery evasion persistence impact spynote
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10
SHA256: 464997c76514be1c491da9fd9999e4da0e7d67e3e744dae020ef8744a6a98271
Threat Level: Known bad

The file ready.apk was found to be: Known bad.

Malicious Activity Summary

Tags: collection credential_access discovery evasion persistence impact spynote

Spynote family

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Requests enabling of the accessibility settings.

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-07 21:37

Signatures

Spynote family

Tags: spynote

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-07 21:37
Reported: 2024-08-07 21:43
Platform: android-x86-arm-20240624-en
Max time kernel: 316s
Max time network: 330s

Command Line

com.appser.verapp

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Performs UI accessibility actions on behalf of the user

Tags: evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (16 identical rows)

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.appser.verapp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
GB | 172.217.169.74:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.196:443 | www.google.com | udp
GB | 142.250.187.196:443 | www.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.201.99:80 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 172.217.169.34:443 | | tcp
GB | 142.250.180.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.35:443 | | tcp
GB | 172.217.169.14:443 | | tcp
GB | 142.250.200.35:443 | | tcp
GB | 172.217.169.14:443 | | tcp
GB | 142.250.180.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.35:443 | | tcp
GB | 142.250.200.35:443 | | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-MjAyNC0wOC0wNw== .txt
MD5: c08bccb4124a1cd289e7a67082ffb639
SHA1: c8fafeded1677786496114f2e7c0343a23adf8de
SHA256: 05494abd0b5bac3a977873d05ca37a96a336453db5044280d20f5cf78669f244
SHA512: ddc7982748abe683d7ad3d9526d962e26fedb5b475aba2709e90d8bf3a2e4d88a77d09934345cd00ffd4c780383d90af12a126771369f4f6f22d4de2781cd317

/storage/emulated/0/Config/sys/apps/log/log-MjAyNC0wOC0wNw== .txt
MD5: 3a71cc46a72de9883a7b8fa8cbe34ca1
SHA1: ef1bbdb281e546b3628a1a845b4941db1ca9e4a3
SHA256: c06d9e99f6ee253432eadfdfac6008e211182c3770fd883fd0ff6e4e08a5e201
SHA512: f65df913a1f4ecb920de54fb6c30ec52368e3b61043f9e37656f364d420f97d3a816ef2b0c6d9e770521e3cf1818cf9c5d689482418278b3c967a4d57c9bdf07

/storage/emulated/0/Config/sys/apps/log/log-MjAyNC0wOC0wNw== .txt
MD5: 19e9022a0237abfcb41de0da45b6cdc8
SHA1: cfcb8500f6e281eb42e54dbf472cc05fefdf55ac
SHA256: 6a3ed19be60f504848d404f19e7c3dc35b0e2d623fab204e02d6aa93acc0c4c3
SHA512: bd02400d5f3f91054f1bf60ccc35457d6f3d83fccae18b3fbbe22b81c5fa86e430d2886685a6a7777c5714d25b16499be31ce86097e64d3b878c04d89dd2aec6

/storage/emulated/0/Config/sys/apps/log/log-MjAyNC0wOC0wNw== .txt
MD5: 5aa83f2038ff2c209e30c933b9e418d5
SHA1: cacfe99f0b60816d455ecfb2dd89687617fee9f0
SHA256: 518358f5dc7ed9465a3eb42c250c6eb776cece12e4cffca279171ceca9e69968
SHA512: a7bfb5ef95a86c547c7cea87e563b36e568a8ccf3f9b72dc5ca3ee021a43e0a480bdc9f20b36d44bf91ce6a26ae4a1be67f6238c59f07b77a6f0d9000bd94f9d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-07 21:37
Reported: 2024-08-07 21:43
Platform: android-x64-20240624-en
Max time kernel: 302s
Max time network: 311s

Command Line

com.appser.verapp

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Performs UI accessibility actions on behalf of the user

Tags: evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (8 identical rows)

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.appser.verapp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 216.58.201.98:443 | | tcp
GB | 172.217.169.46:443 | | tcp
GB | 172.217.169.74:443 | | tcp
GB | 142.250.178.3:443 | | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-MjAyNC0wOC0wNw== .txt
MD5: c9f5a46edc612d91584dd6740045e349
SHA1: dc38008eb20bd058e295a8da99684f0678b6c82c
SHA256: 848f27e572de855f0a7db7f5947b3faacf5cb9b4749421a05ab1b5a143f35f7a
SHA512: 893ae0832923534969e73b82a3ac747d95d85c8e0501dc5c9c646eae892ff26e68a59aed588ef1aa17329ee456f4188b5d20ca967833d4a46f22b74402f4d713

/storage/emulated/0/Config/sys/apps/log/log-MjAyNC0wOC0wNw== .txt
MD5: c08bccb4124a1cd289e7a67082ffb639
SHA1: c8fafeded1677786496114f2e7c0343a23adf8de
SHA256: 05494abd0b5bac3a977873d05ca37a96a336453db5044280d20f5cf78669f244
SHA512: ddc7982748abe683d7ad3d9526d962e26fedb5b475aba2709e90d8bf3a2e4d88a77d09934345cd00ffd4c780383d90af12a126771369f4f6f22d4de2781cd317

/storage/emulated/0/Config/sys/apps/log/log-MjAyNC0wOC0wNw== .txt
MD5: a18b62006e1b019beac143f6f420ded7
SHA1: cfb0cce0682eaa507e5085356fec570ec614c98d
SHA256: 255d22364c7467f1dacc13f7b37d4bc528f1ea811b17ff08ef884a4d2ddefdc4
SHA512: 2c7a4f531829878e346cc0e6981b5a5d0892197fd264767517d2169100d1dad2aca4bdd0dd21537de3dd672fcd8b2b8fcd22007826401b1f8a4720fd36b92541

/storage/emulated/0/Config/sys/apps/log/log-MjAyNC0wOC0wNw== .txt
MD5: ca637df9c30b6340cfc2af75e10c4087
SHA1: 24ba8810903725e5486e4fa3b3039295fe999995
SHA256: f5345c751feae5f9fb889b017827d876a8130248f22d394ab4950ae949abf26f
SHA512: 81372f0ef0138f2dba75e06d38e9f7e6f073101a01838fbb7ee72abdd0b0c2e6d2166af1e8d21c642064d54c24a49430304e02ea6158681fa30c03493defae1d

/storage/emulated/0/Config/sys/apps/log/log-MjAyNC0wOC0wNw== .txt
MD5: 206b0652c3fbc176ec8ad02b96d7512b
SHA1: b955e72e0c18936f75324d5b6d98fd042207fe04
SHA256: 6218fdcde2f9e7a0bfbcfadfc2be5bafdd05d38590a155b5a61374394b0af82b
SHA512: 4b018e26a4e93cf4b20eb3e8d36d63341f3732a165592e98e63dd5ab897a5258a7b84b437d12b0bd5ca15c83e3961bbbfe8c418668ab9ea1561df9fe4a93e6e6

Analysis: behavioral3

Detonation Overview

Submitted: 2024-08-07 21:37
Reported: 2024-08-07 21:43
Platform: android-x64-arm64-20240624-en
Max time kernel: 303s
Max time network: 320s

Command Line

com.appser.verapp

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Performs UI accessibility actions on behalf of the user

Tags: evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (36 identical rows)

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.appser.verapp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 216.58.201.98:443 | | tcp
GB | 142.250.187.227:443 | | tcp

Files

N/A