Malware Analysis Report

2025-01-23 12:23

Sample ID 241029-21scbszqes
Target Predator (2).apk
SHA256 d2c2b10763c87c50ef37c323707edab8f9574df4ff5428db22e04dc161d1a175
Tags
spynote banker collection credential_access discovery evasion execution impact persistence stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d2c2b10763c87c50ef37c323707edab8f9574df4ff5428db22e04dc161d1a175

Threat Level: Known bad

The file Predator (2).apk was found to be: Known bad.

Malicious Activity Summary

spynote banker collection credential_access discovery evasion execution impact persistence stealth trojan

Spynote family

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Acquires the wake lock

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Attempts to obfuscate APK file format

Requests enabling of the accessibility settings.

Queries the mobile country code (MCC)

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 23:03

Signatures

Spynote family

spynote

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. android.permission.BIND_VPN_SERVICE N/A N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). android.permission.BIND_INPUT_METHOD N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 23:03

Reported

2024-10-29 23:06

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

154s

Command Line

yale.functional.possible

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

yale.functional.possible

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 89.238.177.28:7744 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 1.1.1.1:53 www.google.ru udp
GB 172.217.16.227:80 www.google.ru tcp
GB 172.217.16.227:443 www.google.ru tcp
US 1.1.1.1:53 apis.google.com udp
GB 142.250.178.14:443 apis.google.com tcp
US 1.1.1.1:53 play.google.com udp
GB 142.250.187.206:443 play.google.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.178.3:443 update.googleapis.com tcp
US 1.1.1.1:53 ogads-pa.googleapis.com udp
GB 216.58.213.10:443 ogads-pa.googleapis.com tcp
NL 89.238.177.28:7744 tcp
NL 89.238.177.28:7744 tcp
NL 89.238.177.28:7744 tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-29.txt

MD5 749af3b8d53606c7777359dff271710a
SHA1 38c222bd446af5f06b689e6d1edb6be053dc1918
SHA256 507d4a875476633d215eb27e67af2b56c3b12b3403328781850508da7c17a5af
SHA512 1bf956585a5d3c2b246e2f4b05292d28776172257599d71f246404b8124450be8a110b37111f929d1717c8bcb414c99ccb490d98f192b7e6e31dfde7c2bacccc

/storage/emulated/0/Config/sys/apps/log/log-2024-10-29.txt

MD5 ba30336bf53d54ed3c0ea69dd545de8c
SHA1 ce99c6724c75b93b7448e2d9fac16ca702a5711f
SHA256 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
SHA512 eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

/storage/emulated/0/Config/sys/apps/log/log-2024-10-29.txt

MD5 4ef6d78c9fc241e99dd600e4fa6ebd95
SHA1 15dcb9d30695ce0b3e49a13cfa809721c8d65975
SHA256 ae77c9153566fa4b672678c7a9ce704dc504f0f8374c94d59ddb7c37d3c2fd14
SHA512 9003647344a0cd86cb6724b907f287cb28e03bc308afe0ec3ae23b14358e1a73900f54612231b58587395262481e13f58296c25a6dfa303edbfbf95878be3e33

/storage/emulated/0/Config/sys/apps/log/log-2024-10-29.txt

MD5 59f10ca438be3e3e42ff9028c18a34c9
SHA1 9ac590b3b03410ebc3cca34e526553d6c4397cf2
SHA256 52c45c7e26b1229e4f93abf945ac770602ae340e1dcb6e43eaded15b18aa0db4
SHA512 e44c0684844a3b415924142b08b5b69a0f8e13e44c3297ad61450f0d9c64ef299a4aebaa6fcd007001ff195f17f1e0d9f96e451b33b71c5d6f8bb74a70353c7f

/storage/emulated/0/Config/sys/apps/AR/Chrome/info.json

MD5 55fb7df4a7c924b98d708ccc6c2c1e73
SHA1 4701a9967c19990d7f6be9c78de4b4a751ed686d
SHA256 9b349925de6eac7bd227b612533fadee959d4a05f618acb69565e9916bd371e8
SHA512 4f7a13f14192225c72a9ec8bde546e17b20521b920ed90c50e0ebe35c78a3c48f15626f8055ae970b8cca013a46e95c4111e4325b4c5f1c414590ec7f34cee10

/storage/emulated/0/Config/sys/apps/AR/Chrome/info.json

MD5 cf5b2aa23c0fbbecd64f162e49a90d48
SHA1 02dd698d3a262aa8d4b43e6bd06ba056fff6b71a
SHA256 941c557b37f945bd14e3844844538043e2fe8c473e6756c6dd8ccb00d2fdfcc5
SHA512 4bafe817aa37dc7760c1a9c587168c962e18343563c7e2daf8930caac8845df887d4b142e7f83103edef62d6bdef6cbb59c19ad9b44d4cd2f114864bce5bb822

/storage/emulated/0/Config/sys/apps/AR/Chrome/info.json

MD5 1bd5b700c01cbd5054fd528aad057907
SHA1 acac5ba8d39a189a03330c60731401cf8b303607
SHA256 bac90416d5c3ea41c1d2bcd27b2aefc085630c1b0cdd52346f785641e8744028
SHA512 6b15f8b39e595344fa993bde9459a23a131ba1a503347d20006dcc052e532de59979f878d7084744a634593bc3126cdeefc2b06a0fbc4afe47908fb8564b767d

/storage/emulated/0/Config/sys/apps/AR/Chrome/info.json

MD5 2c4c6ef5298c234c7a4f4209cdfdbce7
SHA1 886745650b08bd0eb88b8265657d90288493a394
SHA256 731db9fa1212c62e1206e29c0536b7340507b1cedc89eb559e91779c5794e9a7
SHA512 762e2ca697af4203bfcad3f00c06b7ad9d88ee074294f197f45a53db867037be262cb0f9f4ce88902bff6b4a42710fdd06c7b3d8b9f4ae5a43d4390753e827d9

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-29 23:03

Reported

2024-10-29 23:06

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

148s

Command Line

yale.functional.possible

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

yale.functional.possible

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 89.238.177.28:7744 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
NL 89.238.177.28:7744 tcp
GB 216.58.213.14:443 tcp
GB 142.250.178.2:443 tcp
NL 89.238.177.28:7744 tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-29.txt

MD5 03adce49cb7546004e5761dd89915575
SHA1 2cc7f4c57f252ab791246854c758f5e165138752
SHA256 1f0f62e5bfefe0c6eda59dd97f31c01bd5ec83af54c63e744cfc17b42f837c88
SHA512 3f7601ba6f4224c0b9f9277b35d26d2cfff83f2bbc8bf567c94d168cc0a5442b80669572c41c182397b2722e825da89a76f501f8b7a8d9b577a9376ba2660c4d

/storage/emulated/0/Config/sys/apps/log/log-2024-10-29.txt

MD5 749af3b8d53606c7777359dff271710a
SHA1 38c222bd446af5f06b689e6d1edb6be053dc1918
SHA256 507d4a875476633d215eb27e67af2b56c3b12b3403328781850508da7c17a5af
SHA512 1bf956585a5d3c2b246e2f4b05292d28776172257599d71f246404b8124450be8a110b37111f929d1717c8bcb414c99ccb490d98f192b7e6e31dfde7c2bacccc

/storage/emulated/0/Config/sys/apps/log/log-2024-10-29.txt

MD5 ba30336bf53d54ed3c0ea69dd545de8c
SHA1 ce99c6724c75b93b7448e2d9fac16ca702a5711f
SHA256 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
SHA512 eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

/storage/emulated/0/Config/sys/apps/log/log-2024-10-29.txt

MD5 18a8d61a22cb921aa41444e4515d131f
SHA1 ea10a6933b72d3ac197da35297922bf727a374ad
SHA256 ff24f002fdf47a00e694d915ab4ea2150c2113a06f61400267d6051a8877cdd9
SHA512 4f5b3be6b1e18a1ae68e9db5ed21244572216b506dc9b3b8e5936daa4418e7db11de67237e0bc349010f9e1316421ef3fd837dda91f282488ecdb53dc7355049

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-29 23:03

Reported

2024-10-29 23:06

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

149s

Command Line

yale.functional.possible

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

yale.functional.possible

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.213.14:443 android.apis.google.com tcp
NL 89.238.177.28:7744 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
NL 89.238.177.28:7744 tcp
NL 89.238.177.28:7744 tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-29.txt

MD5 749af3b8d53606c7777359dff271710a
SHA1 38c222bd446af5f06b689e6d1edb6be053dc1918
SHA256 507d4a875476633d215eb27e67af2b56c3b12b3403328781850508da7c17a5af
SHA512 1bf956585a5d3c2b246e2f4b05292d28776172257599d71f246404b8124450be8a110b37111f929d1717c8bcb414c99ccb490d98f192b7e6e31dfde7c2bacccc

/storage/emulated/0/Config/sys/apps/log/log-2024-10-29.txt

MD5 ba30336bf53d54ed3c0ea69dd545de8c
SHA1 ce99c6724c75b93b7448e2d9fac16ca702a5711f
SHA256 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
SHA512 eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

/storage/emulated/0/Config/sys/apps/log/log-2024-10-29.txt

MD5 1f38239697428f7208668a15e5ae18b1
SHA1 0376df5efbb87c31db0318cd8cdcaa885b0d5608
SHA256 37cf804fba0ff5085240d98c8523051b68147d3265f537e2b1fd58eeca3bfa75
SHA512 3d9c2c846c6d1570c5510347d5f538b737f25540fb93d3d87ee1c211bc73789b0ea1c9e6bfbd01da8f4f7dd21e7bb9c7c5373104de87f2e0808f24970b72d007

/storage/emulated/0/Config/sys/apps/log/log-2024-10-29.txt

MD5 3af69119804d1d999d56d230338ffd36
SHA1 69350826205583c8acc385ee0a6e3fc2673ee2ca
SHA256 10994862cb263ab6b1e4428cc24cc9c585458fc67544fe0f5dfea81a5a7a115c
SHA512 4a41b19d28f637b397d9dff225621694c44c750a9bd65f3e6ad5d3b9acf0d118910ddf53d4618213f9e14c61e0fb154f33f2747dd3b8d50459990767f42fc8cb