Malware Analysis Report

2025-01-23 12:30

Sample ID 241022-ra7n8aycnh
Target ready.apk
SHA256 62b002528c334cec9d29d6126ef1b935d10f3b1796cb6380254045189553185d
Tags
spynote collection credential_access discovery evasion execution impact persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

62b002528c334cec9d29d6126ef1b935d10f3b1796cb6380254045189553185d

Threat Level: Known bad

The file ready.apk was found to be: Known bad.

Malicious Activity Summary

spynote collection credential_access discovery evasion execution impact persistence

Spynote family

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Queries information about active data network

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background).

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-22 14:00

Signatures

Spynote family

spynote

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). android.permission.BIND_INPUT_METHOD N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-22 14:00

Reported

2024-10-22 14:06

Platform

android-33-x64-arm64-20240624-en

Max time kernel

299s

Max time network

297s

Command Line

vessel.wax.phrases

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

vessel.wax.phrases

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.36:443 udp
GB 142.250.200.36:443 tcp
US 1.1.1.1:53 kasatonicsyntax.ddns.net udp
US 1.1.1.1:53 www.youtube.com udp
GB 172.217.169.14:443 www.youtube.com tcp
US 1.1.1.1:53 m.youtube.com udp
GB 142.250.187.238:443 m.youtube.com tcp
GB 142.250.187.238:443 m.youtube.com udp
US 1.1.1.1:53 accounts.google.com udp
BE 142.251.173.84:443 accounts.google.com tcp
BE 142.251.173.84:443 accounts.google.com udp
US 1.1.1.1:53 content-autofill.googleapis.com udp
GB 142.250.180.10:443 content-autofill.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 gstatic.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 jnn-pa.googleapis.com udp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
GB 142.250.179.234:443 jnn-pa.googleapis.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 play.google.com udp
GB 142.250.180.14:443 play.google.com tcp
GB 142.250.180.14:443 play.google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.180.14:443 play.google.com udp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 142.250.187.202:443 remoteprovisioning.googleapis.com tcp
GB 142.250.200.36:443 tcp
GB 216.58.204.68:443 tcp
GB 216.58.204.68:443 tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
GB 142.250.179.227:443 tcp
US 172.64.41.3:443 udp
GB 142.250.179.227:443 udp
GB 142.250.200.36:443 udp
GB 142.250.180.14:443 play.google.com udp
US 1.1.1.1:53 m.youtube.com udp
GB 142.250.180.14:443 m.youtube.com udp
GB 142.250.180.14:443 m.youtube.com udp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.36:443 www.google.com udp
US 1.1.1.1:53 lh5.googleusercontent.com udp
GB 142.250.187.206:443 www.youtube.com tcp
US 1.1.1.1:53 newsstand.googleusercontent.com udp
US 1.1.1.1:53 encrypted-tbn0.gstatic.com udp
GB 142.250.178.1:443 newsstand.googleusercontent.com tcp
GB 142.250.178.1:443 newsstand.googleusercontent.com udp
GB 172.217.16.238:443 encrypted-tbn0.gstatic.com tcp
US 1.1.1.1:53 social-magazines-prod.storage.googleapis.com udp
GB 216.58.204.91:443 social-magazines-prod.storage.googleapis.com tcp
GB 216.58.204.91:443 social-magazines-prod.storage.googleapis.com tcp
GB 172.217.16.238:443 encrypted-tbn0.gstatic.com udp
US 1.1.1.1:53 lh3.googleusercontent.com udp
GB 142.250.187.225:443 lh3.googleusercontent.com udp
GB 142.250.180.2:443 tcp
GB 216.58.204.78:443 www.youtube.com tcp
GB 142.250.180.2:443 tcp
GB 142.250.180.2:443 tcp
US 216.239.32.36:443 tcp
GB 216.58.213.6:443 tcp
GB 172.217.16.226:443 tcp
GB 142.250.179.225:443 tcp
GB 142.250.179.225:443 tcp
GB 142.250.179.225:443 tcp
GB 142.250.179.225:443 tcp
GB 142.250.179.225:443 tcp
GB 142.250.179.225:443 tcp
GB 216.58.201.99:443 tcp
GB 216.58.201.99:443 tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-22.txt

MD5 da25c7bff55a2936a9cb811d9fe27d93
SHA1 87711aa4a1ee842a6d0cf50a254c742e853b48a5
SHA256 49ecccba597e47651a3dc051292ed5b1c89a9c36a0e85bff287c2127b3330be5
SHA512 51d114639fee48a61618964fb064562b7cf3b1dc29accce57ab1e99f9fb6593c4727671ee4a23caba7f157adf294ef5734ec6f910f596f35b4c2ed7231f76c6c

/storage/emulated/0/Config/sys/apps/log/log-2024-10-22.txt

MD5 40fcf48a4ecdb632240619eb756772ce
SHA1 83706b0dcc3ff8032962dcd0d73a36ba65dd6f30
SHA256 d153cc76e9f7a12c26dbe0d197285a77fc8efeed1b1f3d35c25ba386711b5c80
SHA512 4757ed0904a24ed77c8c2dca9be96f084cebc54a93c43eb0eb27545aba7e58916abb0b639254d90ebffea1e760b85d0a0fe53ada28194734748116475dd9829b