Malware Analysis Report

2025-01-23 12:28

Sample ID: 241030-w44a4szqhk
Target: Kepcontact.apk
SHA256: 59fb44b5a4f24b5cc4e54da553d20806575825ac9fe56dcb2cf8c076172d82f3
Tags: collection credential_access evasion execution persistence spynote
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 59fb44b5a4f24b5cc4e54da553d20806575825ac9fe56dcb2cf8c076172d82f3
Threat Level: Known bad (the file Kepcontact.apk was found to be: Known bad)

Malicious Activity Summary

Tags: collection credential_access evasion execution persistence spynote

Family and payload
  Spynote payload
  Spynote family

Static (manifest) findings, from the static1 analysis
  Attempts to obfuscate APK file format
  Declares services with permission to bind to the system
  Declares broadcast receivers with permission to handle system events
  Requests dangerous framework permissions

Runtime findings, from the three behavioral runs
  Makes use of the framework's Accessibility service
  Performs UI accessibility actions on behalf of the user
  Requests disabling of battery optimizations (often used to enable hiding in the background)
  Makes use of the framework's foreground persistence service
  Acquires the wake lock
  Registers a broadcast receiver at runtime (usually for listening for system events)
  Schedules tasks to execute at a specified time

Read together, the findings fit the SpyNote remote-access family the signatures name. The manifest asks for SMS, call log, contacts, camera, microphone, location and storage access and declares accessibility, input-method, VPN and device-admin components. At runtime the accessibility service enumerates and acts on the foreground UI, the process pins itself in memory with a foreground service, a wake lock and a JobScheduler job and asks to be exempted from battery optimization, and every run opens repeated raw TCP connections to 51.132.229.252:7771 with no hostname recorded. Only the behavioral3 and behavioral1 runs triggered the battery-optimization signature, so the per-run signature lists below differ slightly.

MITRE ATT&CK (Mobile Matrix V15)

No technique rows are present for this section in the exported report.

Analysis: static1

Detonation Overview

Reported: 2024-10-30 18:29

Signatures

Spynote family (spynote)

Spynote payload
  No indicator, process or target is recorded for this match.

Attempts to obfuscate APK file format
  No indicator recorded.

Process and Target are N/A for every static row below; the indicators are manifest declarations, not runtime events.

Declares broadcast receivers with permission to handle system events

  android.permission.BIND_DEVICE_ADMIN
      Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

  A receiver guarded by BIND_DEVICE_ADMIN lets the app become a device administrator once the user accepts the activation prompt; an active administrator cannot be uninstalled until it is deactivated, which is why RATs declare one.

Declares services with permission to bind to the system

  android.permission.BIND_ACCESSIBILITY_SERVICE
      Required by accessibility services to bind with the system. Allows apps to access accessibility features.
  android.permission.BIND_VPN_SERVICE
      Required by VPN services to bind with the system. Allows apps to provision VPN services.
  android.permission.BIND_INPUT_METHOD
      Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards).

  These three components give the app UI automation over other apps (accessibility), a position in the device's traffic path (VPN) and a keyboard that sees every keystroke (input method). Each must be enabled by the user in Settings; accessibility-driven clicking of the kind seen in the behavioral runs is commonly used to walk the user through, or past, those prompts.

Requests dangerous framework permissions

  android.permission.SEND_SMS
      Allows an application to send SMS messages.
  android.permission.READ_SMS
      Allows an application to read SMS messages.
  android.permission.READ_CALL_LOG
      Allows an application to read the user's call log.
  android.permission.READ_CONTACTS
      Allows an application to read the user's contacts data.
  android.permission.GET_ACCOUNTS
      Allows access to the list of accounts in the Accounts Service.
  android.permission.CAMERA
      Required to be able to access the camera device.
  android.permission.RECORD_AUDIO
      Allows an application to record audio.
  android.permission.ACCESS_COARSE_LOCATION
      Allows an app to access approximate location.
  android.permission.ACCESS_FINE_LOCATION
      Allows an app to access precise location.
  android.permission.CALL_PHONE
      Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
  android.permission.READ_EXTERNAL_STORAGE
      Allows an application to read from external storage.
  android.permission.WRITE_EXTERNAL_STORAGE
      Allows an application to write to external storage.
  android.permission.SYSTEM_ALERT_WINDOW
      Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
  android.permission.READ_PHONE_STATE
      Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
  android.permission.REQUEST_INSTALL_PACKAGES
      Allows an application to request installing packages.

  None of these is malicious on its own; it is the combination (SMS send and read, overlay windows, an accessibility service, an input method, device admin and the ability to install further packages) that matches the RAT profile, and it is that combination a manifest triage rule should key on rather than any single permission.
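The static findings above reduce to a manifest check that can be automated. The script below is an added example written for this page, not sandbox code or anything from the sample: it parses a decoded AndroidManifest.xml, lists the dangerous permissions and system-only bind permissions from the static1 tables, and flags the combinations that make an app look like a RAT rather than merely over-privileged. SAMPLE_MANIFEST is a constructed manifest built from the static1 findings (the component class names .Svc1 to .Rcv1 are invented, and one benign permission is included to show filtering); in practice feed it the manifest produced by apktool or androguard.

```python
"""Static triage of an Android manifest for the permission and bind-service
pattern listed in the static1 section.  Editor's added example, not sandbox
code.  SAMPLE_MANIFEST is constructed from the static1 findings; component
class names are invented."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions the static1 analysis flagged as dangerous, grouped by the
# capability they hand a RAT (the grouping is the editor's).
DANGEROUS = {
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CALL_LOG": "telephony",
    "android.permission.CALL_PHONE": "telephony",
    "android.permission.READ_PHONE_STATE": "telephony",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "contacts",
    "android.permission.CAMERA": "media",
    "android.permission.RECORD_AUDIO": "media",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",
}

# System-only bind permissions on services/receivers: declaring them is how
# an app obtains UI automation, keylogging, traffic interception and
# device-admin persistence once the user enables the component.
BIND = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.BIND_INPUT_METHOD": "keylogger",
    "android.permission.BIND_VPN_SERVICE": "vpn",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}


def triage_manifest(xml_text: str) -> dict:
    """Return the dangerous permissions, bound components, derived
    capabilities and high-risk combinations found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")}
    bound = {e.get(A_PERMISSION) for e in root.iter()
             if e.tag in ("service", "receiver") and e.get(A_PERMISSION)}
    caps = {DANGEROUS[p] for p in requested if p in DANGEROUS}
    caps |= {BIND[p] for p in bound if p in BIND}
    # Editor's heuristics: these pairings separate a RAT from an app that is
    # merely over-privileged.
    combos = {
        "accessibility+overlay": {"accessibility", "overlay"},
        "accessibility+keylogger": {"accessibility", "keylogger"},
        "sms+dropper": {"sms", "dropper"},
        "device_admin+accessibility": {"device_admin", "accessibility"},
    }
    return {
        "dangerous": sorted(p for p in requested if p in DANGEROUS),
        "bound": sorted(p for p in bound if p in BIND),
        "capabilities": sorted(caps),
        "flags": sorted(k for k, need in combos.items() if need <= caps),
    }


# Constructed manifest modelled on the static1 findings (not the real one).
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android"\n'
    '          package="boston.combined.mpg">\n'
    '  <uses-permission android:name="android.permission.INTERNET"/>\n'
    + "".join(f'  <uses-permission android:name="{p}"/>\n' for p in DANGEROUS)
    + '  <application>\n'
    '    <service android:name=".Svc1" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>\n'
    '    <service android:name=".Svc2" android:permission="android.permission.BIND_VPN_SERVICE"/>\n'
    '    <service android:name=".Svc3" android:permission="android.permission.BIND_INPUT_METHOD"/>\n'
    '    <receiver android:name=".Rcv1" android:permission="android.permission.BIND_DEVICE_ADMIN"/>\n'
    '  </application>\n'
    '</manifest>\n'
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

On the constructed manifest the result lists all fifteen dangerous permissions, the four bind permissions and all four combination flags; INTERNET is ignored because it is not in either table. The thresholds are deliberately simple so that they can be tuned per environment.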

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-30 18:29
Reported: 2024-10-30 18:32
Platform: android-x64-20240624-en
Max time kernel: 149s
Max time network: 147s

Command Line

boston.combined.mpg (the launched package name; it bears no relation to the file name Kepcontact.apk)

Signatures

Makes use of the framework's Accessibility service (collection, evasion, credential_access)
  Framework service calls (process and target not recorded):
    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId

  These three calls walk the foreground window's view tree by visible text, resource ID and node ID. That is how an accessibility-based RAT reads what is on screen (credential fields, one-time codes, balances) and locates the controls it intends to press, and it works against any app's UI, not only the malware's own.

Acquires the wake lock
  Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service (evasion, persistence)
  Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user (evasion)
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (8 calls)

  performGlobalAction triggers system-level actions such as Back, Home, Recents and opening the notification shade; the report does not record which action ID each call used. Malware commonly uses it to dismiss prompts and to push the user back out of Settings when they try to revoke the service or uninstall the app.

Registers a broadcast receiver at runtime (usually for listening for system events) (persistence)
  Framework service call: android.app.IActivityManager.registerReceiver

Schedules tasks to execute at a specified time (execution, persistence)
  Framework service call: android.app.job.IJobScheduler.schedule

Processes

boston.combined.mpg

Network

Country  Destination            Domain                     Proto
N/A      224.0.0.251:5353       -                          udp
US       1.1.1.1:53             ssl.google-analytics.com   udp
GB       142.250.187.200:443    ssl.google-analytics.com   tcp
GB       51.132.229.252:7771    -                          tcp
GB       142.250.187.206:443    -                          tcp
US       1.1.1.1:53             android.apis.google.com    udp
GB       142.250.187.238:443    android.apis.google.com    tcp
GB       216.58.201.100:443     -                          tcp
GB       216.58.201.100:443     -                          tcp
GB       51.132.229.252:7771    -                          tcp
GB       172.217.16.238:443     -                          tcp
GB       216.58.201.98:443      -                          tcp
GB       51.132.229.252:7771    -                          tcp

A dash in the Domain column means the sandbox recorded no hostname for the connection. The only destination that is neither mDNS, the resolver, nor a Google address on 443 is 51.132.229.252:7771: raw TCP, no hostname, contacted three times in this run and again in both other runs. Treat it as the candidate C2 endpoint and confirm against the pcap. The 142.250.x, 216.58.x and 172.217.x addresses are Google ranges and, together with the resolved Google hostnames, are consistent with the emulator image's own background traffic rather than sample activity.

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

This path was captured four times during the run with different contents, so four hash sets follow. The log sits on shared external storage, which any app holding the storage permission can read, and its name carries the detonation date, so hunt for the Config/sys/apps/log directory or a date pattern rather than the literal file name. The snapshots with MD5 f6cd120bfa83c4c60079cda6544a6298 and ba30336bf53d54ed3c0ea69dd545de8c also appear unchanged in the behavioral3 and behavioral1 runs, so that content is deterministic across the three platforms.

Snapshot 1
MD5 f6cd120bfa83c4c60079cda6544a6298
SHA1 624efaca2d8b89f6f0fbe8407ac805f6c05c4938
SHA256 2506b9602a9d3ac6628c7bc9596671fc6ca6b152da40658d71a1fe8ccbc623bf
SHA512 1037ae596ee04b4c12164168d470326e16c0011171d2d6d4cc9f09b9c6b5f6e520cf75b7ae41b3c95898eb2231e323a0c82c1c26a681837467f9daafaac46c3d

Snapshot 2
MD5 ba30336bf53d54ed3c0ea69dd545de8c
SHA1 ce99c6724c75b93b7448e2d9fac16ca702a5711f
SHA256 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
SHA512 eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

Snapshot 3
MD5 6187c8ac2ad8253ede26021be4e46542
SHA1 962ecf49b67ee7d0d1dbe08e9ec682ebd34b5631
SHA256 1af08dd89d59715d57fc80c1b2209c2a415e273c9e6ea6cf8d17d5cf4bb6ab19
SHA512 5f3efb6871a8247c0cf659fbf8498f4dff2467fba7974f669ff3853c629ba10802d18269ea0b4ca5299772a601ce7c6613efdff1c891c2c4782c7ed63c7d2166

Snapshot 4
MD5 3af69119804d1d999d56d230338ffd36
SHA1 69350826205583c8acc385ee0a6e3fc2673ee2ca
SHA256 10994862cb263ab6b1e4428cc24cc9c585458fc67544fe0f5dfea81a5a7a115c
SHA512 4a41b19d28f637b397d9dff225621694c44c750a9bd65f3e6ad5d3b9acf0d118910ddf53d4618213f9e14c61e0fb154f33f2747dd3b8d50459990767f42fc8cb

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-30 18:29
Reported: 2024-10-30 18:32
Platform: android-x64-arm64-20240624-en
Max time kernel: 149s
Max time network: 153s

Command Line

boston.combined.mpg

Signatures

Makes use of the framework's Accessibility service (collection, evasion, credential_access)
  Framework service calls (process and target not recorded):
    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Acquires the wake lock
  Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service (evasion, persistence)
  Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user (evasion)
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (8 calls)

Requests disabling of battery optimizations (often used to enable hiding in the background) (evasion)
  Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

  This intent opens the system dialog asking the user to exempt the app from Doze and App Standby; an exempted app keeps its background network access and scheduled jobs alive. The signature fired in this run and in behavioral1 but not in behavioral2.

Schedules tasks to execute at a specified time (execution, persistence)
  Framework service call: android.app.job.IJobScheduler.schedule

Processes

boston.combined.mpg

Network

Country  Destination            Domain                     Proto
GB       142.250.187.238:443    -                          tcp
GB       142.250.187.238:443    -                          tcp
GB       142.250.187.238:443    -                          tcp
N/A      224.0.0.251:5353       -                          udp
US       1.1.1.1:53             android.apis.google.com    udp
GB       142.250.178.14:443     android.apis.google.com    tcp
GB       51.132.229.252:7771    -                          tcp
US       1.1.1.1:53             ssl.google-analytics.com   udp
GB       172.217.169.40:443     ssl.google-analytics.com   tcp
GB       142.250.200.36:443     -                          tcp
GB       142.250.200.36:443     -                          tcp
GB       51.132.229.252:7771    -                          tcp
GB       51.132.229.252:7771    -                          tcp
US       1.1.1.1:53             www.google.com             udp
GB       142.250.180.4:443      www.google.com             tcp

A dash means no hostname was recorded. As in behavioral2, 51.132.229.252:7771 is the only non-Google, non-resolver destination and is contacted three times; everything else is Google infrastructure on 443, mDNS or DNS.

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

Four snapshots of the same path as in behavioral2. Snapshots 2 and 3 are byte-identical to the first two snapshots of the behavioral2 run; snapshots 1 and 4 are unique to this run.

Snapshot 1
MD5 cb59d5a4a2f7cbd498ce3370a90518a6
SHA1 695c617d44f10c54b3a12fc9cc7c8cdd28499b3c
SHA256 71d635b558972111d216eaeee750b40a15f9dd04be804c188f75c1581f8c8605
SHA512 431b6c8f713fe899bea5e520858b43d688cf44e622571d85a98aabd5ac64d94ff883dfb1f2b07e2241ebd5b56835ddf6da773fe38355924ce3569cf45ff582ef

Snapshot 2 (same content as behavioral2 snapshot 1)
MD5 f6cd120bfa83c4c60079cda6544a6298
SHA1 624efaca2d8b89f6f0fbe8407ac805f6c05c4938
SHA256 2506b9602a9d3ac6628c7bc9596671fc6ca6b152da40658d71a1fe8ccbc623bf
SHA512 1037ae596ee04b4c12164168d470326e16c0011171d2d6d4cc9f09b9c6b5f6e520cf75b7ae41b3c95898eb2231e323a0c82c1c26a681837467f9daafaac46c3d

Snapshot 3 (same content as behavioral2 snapshot 2)
MD5 ba30336bf53d54ed3c0ea69dd545de8c
SHA1 ce99c6724c75b93b7448e2d9fac16ca702a5711f
SHA256 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
SHA512 eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

Snapshot 4
MD5 037e8d7a905ca487184d62ff17ea606c
SHA1 4a0d2d390cd50a013ff4fca93896cad0d4b20845
SHA256 dbe1aacdb288280951d01f75761d1bdc0d2e7928e1459c9eadb5e6df244becb7
SHA512 4e20e187235b44d54184fb999dbe06f573f2516220baeef1815148fc4ec271fdc644d0209e91659bb1cd2301379b1a2dbee5b4a1f2f97ff831b252ea1c8fb8e7

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-30 18:29
Reported: 2024-10-30 18:32
Platform: android-x86-arm-20240624-en
Max time kernel: 149s
Max time network: 144s

Command Line

boston.combined.mpg

Signatures

Makes use of the framework's Accessibility service (collection, evasion, credential_access)
  Framework service calls (process and target not recorded):
    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Acquires the wake lock
  Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service (evasion, persistence)
  Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user (evasion)
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (12 calls, against 8 in each of the other two runs)

Requests disabling of battery optimizations (often used to enable hiding in the background) (evasion)
  Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Registers a broadcast receiver at runtime (usually for listening for system events) (persistence)
  Framework service call: android.app.IActivityManager.registerReceiver

Schedules tasks to execute at a specified time (execution, persistence)
  Framework service call: android.app.job.IJobScheduler.schedule

This run is the only one of the three that triggered every runtime signature (both the runtime receiver registration seen in behavioral2 and the battery-optimization request seen in behavioral3).

Processes

boston.combined.mpg

Network

Country  Destination            Domain                               Proto
N/A      224.0.0.251:5353       -                                    udp
GB       216.58.213.10:443      -                                    tcp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com   udp
GB       51.132.229.252:7771    -                                    tcp
GB       142.250.200.46:443     -                                    tcp
US       1.1.1.1:53             android.apis.google.com              udp
GB       142.250.200.14:443     android.apis.google.com              tcp
GB       216.58.213.10:443      semanticlocation-pa.googleapis.com   tcp
GB       51.132.229.252:7771    -                                    tcp
GB       216.58.213.10:443      semanticlocation-pa.googleapis.com   tcp
GB       51.132.229.252:7771    -                                    tcp

A dash means no hostname was recorded. 51.132.229.252:7771 is again contacted three times with no hostname and is the only non-Google destination; it is present in all three runs regardless of platform, which is the strongest single network indicator in this report.

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

Four snapshots of the same path as in the other runs. Snapshots 1 and 2 match behavioral2 snapshots 1 and 2; snapshots 3 and 4 are unique to this run.

Snapshot 1 (same content as behavioral2 snapshot 1)
MD5 f6cd120bfa83c4c60079cda6544a6298
SHA1 624efaca2d8b89f6f0fbe8407ac805f6c05c4938
SHA256 2506b9602a9d3ac6628c7bc9596671fc6ca6b152da40658d71a1fe8ccbc623bf
SHA512 1037ae596ee04b4c12164168d470326e16c0011171d2d6d4cc9f09b9c6b5f6e520cf75b7ae41b3c95898eb2231e323a0c82c1c26a681837467f9daafaac46c3d

Snapshot 2 (same content as behavioral2 snapshot 2)
MD5 ba30336bf53d54ed3c0ea69dd545de8c
SHA1 ce99c6724c75b93b7448e2d9fac16ca702a5711f
SHA256 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
SHA512 eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

Snapshot 3
MD5 3e5d1367d71aedfcea4e57f54a2bb85e
SHA1 bb2d0791c40e772f58f8bb29232a87f46353f237
SHA256 b644dea4fbd485936c63e913132db725408e359d7d25645ce9335eeef4f44cb8
SHA512 c9b937a49f325047c951a554503cd678299a0d915a937a32fec68a00b0263fa16fbb5dc1a2dc7fadec7c21077f28cddc4e43b56616625641621d8aeb567aa527

Snapshot 4
MD5 183771ef5c12cb70afe7acd6eb46ae23
SHA1 dbb628f793de661358bcae42a007b16589ce2e91
SHA256 6369baee79e2cf6a81f5cc3a09c8cc8ae7e95a3fd7c904dcff669f35c91e887b
SHA512 bbf4d556530cb9225fac65286c0bbe67426afb140f003107e1ab87654a58e9cd508c382419f4b5f0a35c8af1c9d175d67b7a3bb5c457604f0d63dd9066cc59a8
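The Network and Files sections of the three runs carry the indicators worth extracting, and the extraction logic generalises to any multi-run report. The script below is an added example written for this page, not sandbox output or code from the sample: it takes the three Network tables (transcribed with duplicate rows removed; a dash marks rows with no hostname), keeps only destinations that recur in every run, were never reached through a hostname, are public unicast and avoid the DNS/HTTPS/mDNS ports the emulator image generates on its own, and pairs that with a pattern for the dated log file. The port allowlist and the "present in every run" rule are the editor's heuristics; a real pipeline would read the sandbox's JSON export rather than a hand-copied table.

```python
"""Cross-run IOC extraction from the Network and Files sections of the three
behavioral runs.  Editor's added example, not sandbox output.  RUNS is a
transcription of the report's Network tables with duplicate rows removed;
"-" marks rows where the sandbox recorded no hostname."""
import re
from ipaddress import ip_address

RUNS = {
    "behavioral2": """
        224.0.0.251:5353 - udp
        1.1.1.1:53 ssl.google-analytics.com udp
        142.250.187.200:443 ssl.google-analytics.com tcp
        51.132.229.252:7771 - tcp
        142.250.187.206:443 - tcp
        1.1.1.1:53 android.apis.google.com udp
        142.250.187.238:443 android.apis.google.com tcp
        216.58.201.100:443 - tcp
        172.217.16.238:443 - tcp
        216.58.201.98:443 - tcp""",
    "behavioral3": """
        142.250.187.238:443 - tcp
        224.0.0.251:5353 - udp
        1.1.1.1:53 android.apis.google.com udp
        142.250.178.14:443 android.apis.google.com tcp
        51.132.229.252:7771 - tcp
        1.1.1.1:53 ssl.google-analytics.com udp
        172.217.169.40:443 ssl.google-analytics.com tcp
        142.250.200.36:443 - tcp
        1.1.1.1:53 www.google.com udp
        142.250.180.4:443 www.google.com tcp""",
    "behavioral1": """
        224.0.0.251:5353 - udp
        216.58.213.10:443 - tcp
        1.1.1.1:53 semanticlocation-pa.googleapis.com udp
        51.132.229.252:7771 - tcp
        142.250.200.46:443 - tcp
        1.1.1.1:53 android.apis.google.com udp
        142.250.200.14:443 android.apis.google.com tcp
        216.58.213.10:443 semanticlocation-pa.googleapis.com tcp""",
}


def parse_rows(text):
    """Turn one transcribed table into (ip, port, domain|None, proto) tuples."""
    rows = []
    for line in text.strip().splitlines():
        dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append((ip, int(port), None if domain == "-" else domain, proto))
    return rows


def candidate_c2(runs, ignore_ports=(53, 443, 5353)):
    """Destinations reached in every run that were never resolved from a
    hostname, are public unicast, and avoid the DNS/HTTPS/mDNS ports the
    emulator image uses on its own.  Editor's heuristic: it surfaces raw-
    socket C2 such as the 7771/tcp endpoint here, but confirm against the
    pcap before blocking, and widen ignore_ports if your image differs."""
    seen = {}
    for run, text in runs.items():
        for ip, port, domain, proto in parse_rows(text):
            addr = ip_address(ip)
            if domain or port in ignore_ports:
                continue
            if addr.is_multicast or not addr.is_global:
                continue
            seen.setdefault(f"{ip}:{port}/{proto}", set()).add(run)
    return {k: sorted(v) for k, v in seen.items() if len(v) == len(runs)}


# The sample wrote this path in all three runs.  The date in the file name is
# the detonation date, so hunt with a pattern rather than the literal name.
LOG_ARTIFACT = re.compile(
    r"^/storage/emulated/0/Config/sys/apps/log/log-\d{4}-\d{2}-\d{2}\.txt$")


def is_log_artifact(path):
    """True when a path matches the sample's dated log file location."""
    return LOG_ARTIFACT.match(path) is not None


if __name__ == "__main__":
    for dest, runs in candidate_c2(RUNS).items():
        print(f"candidate C2 {dest} seen in {', '.join(runs)}")
    print(is_log_artifact(
        "/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt"))
```

On the transcribed tables the only destination that survives every filter is 51.132.229.252:7771/tcp, present in all three runs; the Google addresses drop out on port 443 and the resolver and mDNS rows on their ports. Requiring presence in every run is what keeps a one-off sandbox artefact from being promoted to an indicator; relax it to a majority when runs time out early.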