Malware Analysis Report

2025-01-23 12:22

Sample ID: 241012-2eav6aygql
Target: client.apk
SHA256: 95ebcb66cb42efb7dea173eefefcd17a7bf9dce0d5a34f87769476f288aa3c8c
Tags: spynote banker discovery evasion impact persistence privilege_escalation
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file client.apk was found to be: Known bad.

Malicious Activity Summary

spynote banker discovery evasion impact persistence privilege_escalation

Spynote family

Spynote payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's foreground persistence service

Requests enabling of the accessibility settings.

Tries to add a device administrator.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Analysis: static1

Detonation Overview

Reported: 2024-10-12 22:29

Signatures

Spynote family

spynote

Spynote payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-12 22:29
Reported: 2024-10-12 22:34
Platform: android-33-x64-arm64-20240624-en
Max time kernel: 283s
Max time network: 291s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

cmf0.c3b5bm90zq.patch

Network


Files

/storage/emulated/0/systeminformation.android.app/config12-10-2024.log (written five times during detonation, with different contents each time)