Malware Analysis Report

2025-01-23 12:23

Sample ID 241030-14epzatlcq
Target Porn Hab Premium.apk
SHA256 4d8bb1bb46296f968181182372243a0fa2aaea80a4cf82f927922c337f478f32
Tags
spynote collection credential_access evasion execution persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4d8bb1bb46296f968181182372243a0fa2aaea80a4cf82f927922c337f478f32

Threat Level: Known bad

The file Porn Hab Premium.apk was found to be: Known bad.

Malicious Activity Summary

spynote collection credential_access evasion execution persistence

Spynote family

Spynote payload

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Acquires the wake lock

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 22:11

Signatures

Spynote family

spynote

Spynote payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). | android.permission.BIND_INPUT_METHOD | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 22:11

Reported

2024-10-30 22:14

Platform

android-x86-arm-20240624-en

Max time kernel

119s

Max time network

100s

Command Line

quad.viruses.selective

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

quad.viruses.selective

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 51.132.229.252:7771 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 51.132.229.252:7771 | | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

MD5 d30c5b8b39269cda2676ef46b7d10f4f
SHA1 07171670a8156caed6ff6d0f67313a197f196650
SHA256 5829921ed3997704525a94e1d7ff9bd8f562c8cbd59ecd63e2dcf82519bded13
SHA512 142b05e527ec52d21832bbd927e36cd901bcc4c4bc8bfbdef554506b365b225cc5b1368a2f98fcf9f61ff60d4a929d4d7e443f877bb03d69235c46ba219570c6

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

MD5 ba30336bf53d54ed3c0ea69dd545de8c
SHA1 ce99c6724c75b93b7448e2d9fac16ca702a5711f
SHA256 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
SHA512 eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

MD5 4e56d742c3eb058be4394a5ceca514ee
SHA1 f45ddcf2dea3cd1658b24b689551d6891ed2534e
SHA256 4a2c2767d6cd347d7d6628f658ff7b9456e4eb55f1bef2ff453191b7cbd1ecda
SHA512 87de640561a00c8590af7ec819c0844ca979307d3d341236aef6ff20b4eab4005e7ab174fdba2d7b895058ae4f625cc8718253e2aa23ce804b75a029d75db1d1

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

MD5 c9db0aece56267f06c34e62d03659b4a
SHA1 e52a55ea4e5a0d30d70e90a5f5833a39370609d9
SHA256 d77bace5ecc67118face00462acf4fdb6724b5a1647a37b1283e8ca8d316ed80
SHA512 f8f1b07bbfe3837598288ac5935e7ad7e7ccaabbeb90b41903717a62d69a37cbbcc7a9ab63ada7b714f31a333270fd626abf40a27e26fad2a909e12a0d6468b2

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-30 22:11

Reported

2024-10-30 22:14

Platform

android-x64-20240624-en

Max time kernel

119s

Max time network

115s

Command Line

quad.viruses.selective

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

quad.viruses.selective

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 51.132.229.252:7771 | | tcp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 51.132.229.252:7771 | | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.200.34:443 | | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

MD5 ab19537803e1f157481382919eda0efd
SHA1 24a2bd926fe0fe31f5e380d2a898a2287a3653dd
SHA256 a7910c4a9aa5f0cf3247e67ba20b38da9498c7f6d8e7c30376f9d34bdc3f1254
SHA512 6afa3dc2fd7f76e55abeda575d5d8b5c10ed481188030c60c5e10712571918a5412a51b9f12d36fedc8b205c230dc95afae369c1b2e8f463d35b0b57d1b09884

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

MD5 d30c5b8b39269cda2676ef46b7d10f4f
SHA1 07171670a8156caed6ff6d0f67313a197f196650
SHA256 5829921ed3997704525a94e1d7ff9bd8f562c8cbd59ecd63e2dcf82519bded13
SHA512 142b05e527ec52d21832bbd927e36cd901bcc4c4bc8bfbdef554506b365b225cc5b1368a2f98fcf9f61ff60d4a929d4d7e443f877bb03d69235c46ba219570c6

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

MD5 ba30336bf53d54ed3c0ea69dd545de8c
SHA1 ce99c6724c75b93b7448e2d9fac16ca702a5711f
SHA256 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
SHA512 eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

MD5 1c9dbe4b41975ff6fa7ad43e3afbaa3e
SHA1 35fbd48d1c7c221937a3f88d8e172cc63de0d4f7
SHA256 434f2924fdf8b7bcc996ec1240d1f302350267863814ec279368bd2280ea3cd0
SHA512 12b144eb2b10e8666237fc57bd51acb127aed43f6cfa0de38f2f0cc390ed4be448012115e4f71c4ce86d18377583be9a69ed09373c06edb81135c3f20aba8137

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-30 22:11

Reported

2024-10-30 22:14

Platform

android-x64-arm64-20240624-en

Max time kernel

119s

Max time network

103s

Command Line

quad.viruses.selective

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

quad.viruses.selective

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 51.132.229.252:7771 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 51.132.229.252:7771 | | tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

MD5 d30c5b8b39269cda2676ef46b7d10f4f
SHA1 07171670a8156caed6ff6d0f67313a197f196650
SHA256 5829921ed3997704525a94e1d7ff9bd8f562c8cbd59ecd63e2dcf82519bded13
SHA512 142b05e527ec52d21832bbd927e36cd901bcc4c4bc8bfbdef554506b365b225cc5b1368a2f98fcf9f61ff60d4a929d4d7e443f877bb03d69235c46ba219570c6

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

MD5 ba30336bf53d54ed3c0ea69dd545de8c
SHA1 ce99c6724c75b93b7448e2d9fac16ca702a5711f
SHA256 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
SHA512 eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

MD5 fee1fc368d495276be82a6e3860d5786
SHA1 010ab11c7beaaa553b90a99be81aea423733a612
SHA256 90fea0d1b7b87f07219da64eda78b3649635e5b24b6804bcb6593f1dea6847e4
SHA512 e1a9918ae437954ca90a336cce569bc8063dcced9e82ac47b285391fe2b3dc88cf38763c66241601fe27fcef0b295ae1d523dc65cd43172f3fcbdabf37890ecf

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

MD5 b9b530e2448252311640bbecb69b796a
SHA1 215ede46fb42a68a7ae84c3019acb3019668a46c
SHA256 5a290151305de1ec4f790cd8ada8bd68c076a2c4ed497c40a519509659b65150
SHA512 5834499307946d130887067b2f837ddfef7fdfe3a7e5ed8977eb14c2dc1ab328334da35ed4c978e20b3e6b28ff30dbd12f0430f4b7c831481f339d360c260919