Malware Analysis Report

2025-01-23 12:27

Sample ID 241021-wsn22ssdlr
Target CapCut Editor Pro.apk
SHA256 996b8d31c118e8a7fa21a0d75aa46a2c40fdc9153d9387d399c0ad529207a2b3
Tags
spynote banker collection credential_access discovery evasion execution impact persistence
score
10/10

Analysis Overview

score
10/10

SHA256

996b8d31c118e8a7fa21a0d75aa46a2c40fdc9153d9387d399c0ad529207a2b3

Threat Level: Known bad

The file CapCut Editor Pro.apk was found to be: Known bad.

Malicious Activity Summary

spynote banker collection credential_access discovery evasion execution impact persistence

Spynote family

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Acquires the wake lock

Queries information about active data network

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-21 18:11

Signatures

Spynote family

spynote

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. android.permission.BIND_VPN_SERVICE N/A N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). android.permission.BIND_INPUT_METHOD N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-21 18:11

Reported

2024-10-21 18:14

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

157s

Command Line

services.developed.sellers

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

services.developed.sellers

Network


Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-21.txt

/storage/emulated/0/Config/sys/apps/log/log-2024-10-21.txt

/storage/emulated/0/Config/sys/apps/log/log-2024-10-21.txt


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-21 18:11

Reported

2024-10-21 18:14

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

158s

Command Line

services.developed.sellers

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

services.developed.sellers

Network


Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-21.txt

/storage/emulated/0/Config/sys/apps/log/log-2024-10-21.txt

/storage/emulated/0/Config/sys/apps/log/log-2024-10-21.txt


Analysis: behavioral3

Detonation Overview

Submitted

2024-10-21 18:11

Reported

2024-10-21 18:14

Platform

android-33-x64-arm64-20240624-en

Max time kernel

149s

Max time network

150s

Command Line

services.developed.sellers

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

services.developed.sellers

Network


Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-21.txt

/storage/emulated/0/Config/sys/apps/log/log-2024-10-21.txt

/storage/emulated/0/Config/sys/apps/log/log-2024-10-21.txt
