Malware Analysis Report

2025-01-23 12:23

Sample ID: 241023-skmx8sydnm
Target: ready.apk
SHA256: 4b01ec065b4cd922e567193200bbaf1f22cf55a29a9d770e645a01e266e1b04f
Tags: collection credential_access evasion execution impact persistence stealth trojan spynote discovery
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 4b01ec065b4cd922e567193200bbaf1f22cf55a29a9d770e645a01e266e1b04f

Threat Level: Known bad

The file ready.apk was found to be: Known bad.

Malicious Activity Summary

Tags: collection credential_access evasion execution impact persistence stealth trojan spynote discovery

Spynote family

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Acquires the wake lock

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-23 15:11

Signatures

Spynote family

spynote

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-23 15:11
Reported: 2024-10-23 15:13
Platform: android-x64-arm64-20240624-en
Max time kernel: 149s
Max time network: 151s

Command Line

com.appser.verapp

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.appser.verapp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
GB | 142.250.187.206:443 |  | tcp
GB | 142.250.187.206:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp
N/A | 192.168.1.2:7771 |  | tcp
GB | 142.250.179.228:443 |  | tcp
GB | 142.250.179.228:443 |  | tcp
N/A | 192.168.1.2:7771 |  | tcp
N/A | 192.168.1.2:7771 |  | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-23.txt

MD5 93d2a55e9c6a0ed25363fc8eebc40315
SHA1 e47f31bda12dcef3bf0444549d80ba7180c7ebd5
SHA256 30224a8f26b629c98030e5f6596c058d973e1ff7209d53f62628ef69b864971e
SHA512 2b14439eca960a78f466ddcbadbd54d41d029c034076b5767d88d009b6d1eb004436c7e18e84aa4c7afde2124c86e2a9596e6b12214a6151a63101ea96dfdcda

/storage/emulated/0/Config/sys/apps/log/log-2024-10-23.txt

MD5 b526759c1c5f32d1e480f73d98684568
SHA1 205b4553d10be5cabdfca65e5461d427b656546d
SHA256 891362c5fb40d06ac17d0df709f7ddd1984669e7a4a0528b5ad2fdab483a30d4
SHA512 63187d02028571c51ade3468a429a987b5d3d5b811b4b5a8bc82a82af8fa8160eadc973398cf4a5e27dec925e288f8528a4e795119a49b532cd60f265b777c07

/storage/emulated/0/Config/sys/apps/log/log-2024-10-23.txt

MD5 55126f07bbd59853268feff1ca6c6463
SHA1 06b854eb3aef35df9712b5bac0c0d1a576b42c71
SHA256 0919a5c670966b1972ce0c519cdce446f8b6772ab0305d418764d0fd38fcb3fd
SHA512 75fc4c3704460f9f1d76f067348fb36e2a0574008977ec8adf8960f6ff12a2e4b44d1f36ced4191beda3900133d5c96bb8bf7bb2bb7c3df859b3a6b307292e62

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-23 15:11
Reported: 2024-10-23 15:13
Platform: android-x86-arm-20240624-en
Max time kernel: 149s
Max time network: 148s

Command Line

com.appser.verapp

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.appser.verapp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
GB | 142.250.200.10:443 |  | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
N/A | 192.168.1.2:7771 |  | tcp
GB | 142.250.200.46:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
N/A | 192.168.1.2:7771 |  | tcp
N/A | 192.168.1.2:7771 |  | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-23.txt

MD5 55126f07bbd59853268feff1ca6c6463
SHA1 06b854eb3aef35df9712b5bac0c0d1a576b42c71
SHA256 0919a5c670966b1972ce0c519cdce446f8b6772ab0305d418764d0fd38fcb3fd
SHA512 75fc4c3704460f9f1d76f067348fb36e2a0574008977ec8adf8960f6ff12a2e4b44d1f36ced4191beda3900133d5c96bb8bf7bb2bb7c3df859b3a6b307292e62

/storage/emulated/0/Config/sys/apps/log/log-2024-10-23.txt

MD5 7e028d2168485ca549bbd24bbe6705e8
SHA1 84b0802edb73259a0c4053c9f66a07761b249d4e
SHA256 1da985e6d432eaf9134c1a4fd4b00ef928cb8ac0bed3865d7751f6fab8175d0d
SHA512 bb48f9989464f4afc4a6b72e54a5871c7d8a4b3fb1e5c38321794507cdb095c23f9a12d5b37827d84c96e568c7f67667b7b76b5947757acf9dfd9c36e350bc91

/storage/emulated/0/Config/sys/apps/log/log-2024-10-23.txt

MD5 d2b49bb9a8a1e20f18508e760b47811d
SHA1 e7c6a4de64f8a00ddc43c52edcb3a7d1bd5fe802
SHA256 5105c68bc744dce2b52b19d8b7ef6b9798d5dc786a2c65750b8eabcf0d508e49
SHA512 dd6cbce6e9dc9848c72181afbb7d0a6135c47bb1f1c4217cd29ec4603048622b2e30fb171a0be8ce09ae31db61503b5695abd6e5a1eaca34e4d0ae8a528996c2

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-23 15:11
Reported: 2024-10-23 15:13
Platform: android-x64-20240624-en
Max time kernel: 149s
Max time network: 154s

Command Line

com.appser.verapp

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.appser.verapp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
N/A | 192.168.1.2:7771 |  | tcp
GB | 142.250.179.238:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
GB | 142.250.179.228:443 |  | tcp
GB | 142.250.179.228:443 |  | tcp
N/A | 192.168.1.2:7771 |  | tcp
GB | 142.250.200.34:443 |  | tcp
GB | 216.58.204.78:443 |  | tcp
N/A | 192.168.1.2:7771 |  | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-23.txt

MD5 93d2a55e9c6a0ed25363fc8eebc40315
SHA1 e47f31bda12dcef3bf0444549d80ba7180c7ebd5
SHA256 30224a8f26b629c98030e5f6596c058d973e1ff7209d53f62628ef69b864971e
SHA512 2b14439eca960a78f466ddcbadbd54d41d029c034076b5767d88d009b6d1eb004436c7e18e84aa4c7afde2124c86e2a9596e6b12214a6151a63101ea96dfdcda

/storage/emulated/0/Config/sys/apps/log/log-2024-10-23.txt

MD5 b526759c1c5f32d1e480f73d98684568
SHA1 205b4553d10be5cabdfca65e5461d427b656546d
SHA256 891362c5fb40d06ac17d0df709f7ddd1984669e7a4a0528b5ad2fdab483a30d4
SHA512 63187d02028571c51ade3468a429a987b5d3d5b811b4b5a8bc82a82af8fa8160eadc973398cf4a5e27dec925e288f8528a4e795119a49b532cd60f265b777c07

/storage/emulated/0/Config/sys/apps/log/log-2024-10-23.txt

MD5 55126f07bbd59853268feff1ca6c6463
SHA1 06b854eb3aef35df9712b5bac0c0d1a576b42c71
SHA256 0919a5c670966b1972ce0c519cdce446f8b6772ab0305d418764d0fd38fcb3fd
SHA512 75fc4c3704460f9f1d76f067348fb36e2a0574008977ec8adf8960f6ff12a2e4b44d1f36ced4191beda3900133d5c96bb8bf7bb2bb7c3df859b3a6b307292e62