Malware Analysis Report

2025-01-23 12:22

Sample ID 241014-ywfk7atfmd
Target c78901020e5cc35239904fba638594319d601a521cb3861959650becd27b587b
SHA256 c78901020e5cc35239904fba638594319d601a521cb3861959650becd27b587b
Tags
spynote collection credential_access discovery evasion execution persistence stealth trojan impact
score
10/10

Analysis Overview

score
10/10

SHA256

c78901020e5cc35239904fba638594319d601a521cb3861959650becd27b587b

Threat Level: Known bad

The file c78901020e5cc35239904fba638594319d601a521cb3861959650becd27b587b was found to be: Known bad.

Malicious Activity Summary

spynote collection credential_access discovery evasion execution persistence stealth trojan impact

Spynote family

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Declares services with permission to bind to the system

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-10-14 20:07

Signatures

Spynote family

spynote

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-14 20:07

Reported

2024-10-14 20:10

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

153s

Command Line

app.everspy.ru

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

app.everspy.ru

Network

Country Destination Domain Proto
GB 142.250.180.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
GB 142.250.178.10:443 tcp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-14.txt

MD5 a1bb837a0a7716c00797da6af87029b1
SHA1 aa3f7f5ae26e15fa1bff0fab2d9987c97dfbb90b
SHA256 ee9d48e4aa1efb84fbedf68d1fc61782bb3a93c5da15dc197a492f150b4feeec
SHA512 443955e3a57e98eaa6cd51f134352f37de8e8b79151816abacdc7a789a7ad92f4234e3766440a9ab4ed4a65bbe314f2f2338d93c17a7181f26d73ad2e302b911

/storage/emulated/0/Config/sys/apps/log/log-2024-10-14.txt

MD5 36bee55fcd5bf21398e15c4dfab101b8
SHA1 194fa0b9c8c7de572952fdd6ee12d0db84072d67
SHA256 2b90fa71d86ece3d1e473e3a6029360bf8fa191d2d34cd7152e8dec14c46f93c
SHA512 cb3ea4d1c7af6bbc5b18ff5dcf183abd9c2a15265a9dd9a9784cac8917f871603374dac261815f35166a420afffc2b1da853bf761e51b928a0f973d0f439a0c2

/storage/emulated/0/Config/sys/apps/log/log-2024-10-14.txt

MD5 44abbff4966121dce248678525d33bea
SHA1 bc3259c60f8bdad0e950f4f960cd895a1c007769
SHA256 42cfbc29439b1ba6ce656d375cf28baf58dfe183bc7395970971ac9de3504faa
SHA512 300b446925a137c5c5501df53fa6d0550481bc6da8bbe0b2449d3caca0e37032b918e7ae87a45f717d0dbecfe65239f492b89fc2e77b49c6beb0ce3dd545c5b2

/storage/emulated/0/Config/sys/apps/log/log-2024-10-14.txt

MD5 468df386e7b8bf29a67c7aac2dfe262f
SHA1 110f169a4aaa3f73f9ab0587d97e08a02491e6ea
SHA256 41439596d6655d12ca739a86a7ecc430c3a638daf13f521bf32f3b4037cb1fc1
SHA512 e7a9c1083e9cafe10e563b0fe175bba5159ea0bd507e93b498787c298caec69057437281aae0d56ec435b6ab62c7e4bdb8e1d43d6e57569d0dffafadf9bf0c57

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-14 20:07

Reported

2024-10-14 20:10

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

156s

Command Line

app.everspy.ru

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

app.everspy.ru

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 142.250.179.234:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
GB 172.217.16.238:443 tcp
GB 142.250.179.226:443 tcp
GB 216.58.201.106:443 tcp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-14.txt

MD5 a1bb837a0a7716c00797da6af87029b1
SHA1 aa3f7f5ae26e15fa1bff0fab2d9987c97dfbb90b
SHA256 ee9d48e4aa1efb84fbedf68d1fc61782bb3a93c5da15dc197a492f150b4feeec
SHA512 443955e3a57e98eaa6cd51f134352f37de8e8b79151816abacdc7a789a7ad92f4234e3766440a9ab4ed4a65bbe314f2f2338d93c17a7181f26d73ad2e302b911

/storage/emulated/0/Config/sys/apps/log/log-2024-10-14.txt

MD5 36bee55fcd5bf21398e15c4dfab101b8
SHA1 194fa0b9c8c7de572952fdd6ee12d0db84072d67
SHA256 2b90fa71d86ece3d1e473e3a6029360bf8fa191d2d34cd7152e8dec14c46f93c
SHA512 cb3ea4d1c7af6bbc5b18ff5dcf183abd9c2a15265a9dd9a9784cac8917f871603374dac261815f35166a420afffc2b1da853bf761e51b928a0f973d0f439a0c2

/storage/emulated/0/Config/sys/apps/log/log-2024-10-14.txt

MD5 4d04c6fb171d6a43c27cc3dca809f079
SHA1 bcff408e87266d4f7431c082102becfd28bb678d
SHA256 72adb8501aeff878aea10c9e4c2e1f3db8f8fa6b51934841969e961e6c8ed41b
SHA512 15f8fdd1f686f5a4b60637faa5103cffde223f7a3f2cf666e5992084418844a093fb5145ae5b6c93e995d106817a981299dd9f8cb0d41387ed032230c4569dc5

/storage/emulated/0/Config/sys/apps/log/log-2024-10-14.txt

MD5 d7b164e569793914db278779b63563ee
SHA1 13bbb04b49ff78838b4db19ecb5591c7d2c8f8e7
SHA256 1349249a80af05bf6db5d2c5f7300cf541fadafbdee2ec0e88c8cb95991db9f1
SHA512 8950f0920ee5ff3ca86c879d167949f831102a27f7d8ba5bcd15d5a85bcde7be29ac6881d74313f95ce2ea22bac05dc899597854439923053fe2f9daa7279dbb

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-14 20:07

Reported

2024-10-14 20:10

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

157s

Command Line

app.everspy.ru

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

app.everspy.ru

Network

Country Destination Domain Proto
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
N/A 224.0.0.251:5353 udp
GB 172.217.16.234:443 tcp
GB 172.217.16.234:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
US 1.1.1.1:53 3sent.duckdns.org udp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp
US 1.1.1.1:53 3sent.duckdns.org udp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-14.txt

MD5 c93c5f7a849ac5dd9d99a7dd77fcbbaf
SHA1 2b8b0fd7d84143e80a979b9b476986d3cf6a1e1b
SHA256 dc892a6df66d12e2c278ea6e8584b0a8b2f155c6402481efe6332d9fe42513a6
SHA512 08359d3325a88a5bb8c5ed49a6653805d6b170247a90b9bac68d05f5623af75e6702140528830143850aea164ac87d24b435467d94f2cee61572d7d60e4c3bf8

/storage/emulated/0/Config/sys/apps/log/log-2024-10-14.txt

MD5 a1bb837a0a7716c00797da6af87029b1
SHA1 aa3f7f5ae26e15fa1bff0fab2d9987c97dfbb90b
SHA256 ee9d48e4aa1efb84fbedf68d1fc61782bb3a93c5da15dc197a492f150b4feeec
SHA512 443955e3a57e98eaa6cd51f134352f37de8e8b79151816abacdc7a789a7ad92f4234e3766440a9ab4ed4a65bbe314f2f2338d93c17a7181f26d73ad2e302b911

/storage/emulated/0/Config/sys/apps/log/log-2024-10-14.txt

MD5 36bee55fcd5bf21398e15c4dfab101b8
SHA1 194fa0b9c8c7de572952fdd6ee12d0db84072d67
SHA256 2b90fa71d86ece3d1e473e3a6029360bf8fa191d2d34cd7152e8dec14c46f93c
SHA512 cb3ea4d1c7af6bbc5b18ff5dcf183abd9c2a15265a9dd9a9784cac8917f871603374dac261815f35166a420afffc2b1da853bf761e51b928a0f973d0f439a0c2

/storage/emulated/0/Config/sys/apps/log/log-2024-10-14.txt

MD5 4d04c6fb171d6a43c27cc3dca809f079
SHA1 bcff408e87266d4f7431c082102becfd28bb678d
SHA256 72adb8501aeff878aea10c9e4c2e1f3db8f8fa6b51934841969e961e6c8ed41b
SHA512 15f8fdd1f686f5a4b60637faa5103cffde223f7a3f2cf666e5992084418844a093fb5145ae5b6c93e995d106817a981299dd9f8cb0d41387ed032230c4569dc5

/storage/emulated/0/Config/sys/apps/log/log-2024-10-14.txt

MD5 d7b164e569793914db278779b63563ee
SHA1 13bbb04b49ff78838b4db19ecb5591c7d2c8f8e7
SHA256 1349249a80af05bf6db5d2c5f7300cf541fadafbdee2ec0e88c8cb95991db9f1
SHA512 8950f0920ee5ff3ca86c879d167949f831102a27f7d8ba5bcd15d5a85bcde7be29ac6881d74313f95ce2ea22bac05dc899597854439923053fe2f9daa7279dbb