Malware Analysis Report

2025-01-23 12:29

Sample ID 241031-gxc31ssbke
Target Linken Sphere.apk
SHA256 77277306eee10a779f8e9747e036fbc37cf4ab04dccb605e5a5f07291f102199
Tags
spynote banker collection credential_access discovery evasion execution persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

77277306eee10a779f8e9747e036fbc37cf4ab04dccb605e5a5f07291f102199

Threat Level: Known bad

The file Linken Sphere.apk was found to be: Known bad.

Malicious Activity Summary

spynote banker collection credential_access discovery evasion execution persistence

Spynote family

Spynote payload

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Queries information about active data network

Requests disabling of battery optimizations (often used to enable hiding in the background).

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 06:10

Signatures

Spynote family

spynote

Spynote payload

Description Indicator Process Target
N/A N/A N/A N/A

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. android.permission.BIND_VPN_SERVICE N/A N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). android.permission.BIND_INPUT_METHOD N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 06:10

Reported

2024-10-31 06:12

Platform

android-x86-arm-20240624-en

Max time kernel

59s

Max time network

45s

Command Line

yemen.ef.evidence

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

yemen.ef.evidence

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
FI 109.107.182.213:7771 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

MD5 04749fa54ae57c46c0d26fa15c0eae2e
SHA1 8253e3a830da982e23afb229f247f3c32166676c
SHA256 3d0abf2d4c27fbabe603e407de6616a0e17fc02c63e2cd6e88f67685204769b1
SHA512 0097d1e54df6d7e1d9236cde33dafc9212ed9b1d6841102e4b76fa922e060f764baa6e407158a48b8796b64dac12adcab54e69b274a6230c42e6efaa012547b2

/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

MD5 ba30336bf53d54ed3c0ea69dd545de8c
SHA1 ce99c6724c75b93b7448e2d9fac16ca702a5711f
SHA256 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
SHA512 eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

MD5 aa821b71d8634752593fa73a27c5cea6
SHA1 2c35bc07bce159c205ac0b8c5676b7f6fcdd5fe0
SHA256 6b6cbe768468d68e3952af8fbfa6a6ad8b30eed43b0f6024f8dad1f5ceea5a10
SHA512 ad70bbd9977fe2138c5aed8480306cddf0675105bb243526312aaa9ebbbbcea63d4eec51869db0dc21c91d757ac3db26f7d9821265f5b4dbd7ab939c6055c8d3

/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

MD5 3af69119804d1d999d56d230338ffd36
SHA1 69350826205583c8acc385ee0a6e3fc2673ee2ca
SHA256 10994862cb263ab6b1e4428cc24cc9c585458fc67544fe0f5dfea81a5a7a115c
SHA512 4a41b19d28f637b397d9dff225621694c44c750a9bd65f3e6ad5d3b9acf0d118910ddf53d4618213f9e14c61e0fb154f33f2747dd3b8d50459990767f42fc8cb

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 06:10

Reported

2024-10-31 06:12

Platform

android-x64-20240624-en

Max time kernel

59s

Max time network

57s

Command Line

yemen.ef.evidence

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

yemen.ef.evidence

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
FI 109.107.182.213:7771 tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

MD5 04749fa54ae57c46c0d26fa15c0eae2e
SHA1 8253e3a830da982e23afb229f247f3c32166676c
SHA256 3d0abf2d4c27fbabe603e407de6616a0e17fc02c63e2cd6e88f67685204769b1
SHA512 0097d1e54df6d7e1d9236cde33dafc9212ed9b1d6841102e4b76fa922e060f764baa6e407158a48b8796b64dac12adcab54e69b274a6230c42e6efaa012547b2

/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

MD5 ba30336bf53d54ed3c0ea69dd545de8c
SHA1 ce99c6724c75b93b7448e2d9fac16ca702a5711f
SHA256 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
SHA512 eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

MD5 5b7f059f00d326c56afb4075a6a31ffd
SHA1 6607585a1604e4512ecca69f51f4e825063891e9
SHA256 6b410627e6677da3ce4060527805ee67bdb3aabe4de3de2a73edfdd2b320217b
SHA512 094ee93c04d97dc96fbfba8d2e1d493f3523b33e3b0c2393cdc9bcaedfbf67bbd0853bf2c75cc7c88626d478f9f588dadbf0fa704bba3882befc806ce9342502

/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

MD5 3af69119804d1d999d56d230338ffd36
SHA1 69350826205583c8acc385ee0a6e3fc2673ee2ca
SHA256 10994862cb263ab6b1e4428cc24cc9c585458fc67544fe0f5dfea81a5a7a115c
SHA512 4a41b19d28f637b397d9dff225621694c44c750a9bd65f3e6ad5d3b9acf0d118910ddf53d4618213f9e14c61e0fb154f33f2747dd3b8d50459990767f42fc8cb

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-31 06:10

Reported

2024-10-31 06:12

Platform

android-x64-arm64-20240624-en

Max time kernel

59s

Max time network

68s

Command Line

yemen.ef.evidence

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

yemen.ef.evidence

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
FI 109.107.182.213:7771 tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

MD5 b9e1f78f11d30dafda9257b148762020
SHA1 b9975a13355c48bafca7e9a24c0bba6c726b72d8
SHA256 b7f8610b97aa55681f31cdba26c97a37799b7f5924d52114b02c27b37eed2434
SHA512 599c5056a2f6066b7d4bcb471fd6d3b8b82db4f3caaa59c463db6ece440bbc2bbdfc04c926bf024241e1910c3acf0c35f5a91cab4a0db09159f00ca136afb385

/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

MD5 04749fa54ae57c46c0d26fa15c0eae2e
SHA1 8253e3a830da982e23afb229f247f3c32166676c
SHA256 3d0abf2d4c27fbabe603e407de6616a0e17fc02c63e2cd6e88f67685204769b1
SHA512 0097d1e54df6d7e1d9236cde33dafc9212ed9b1d6841102e4b76fa922e060f764baa6e407158a48b8796b64dac12adcab54e69b274a6230c42e6efaa012547b2

/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

MD5 ba30336bf53d54ed3c0ea69dd545de8c
SHA1 ce99c6724c75b93b7448e2d9fac16ca702a5711f
SHA256 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
SHA512 eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

MD5 b59073c264159ae68bf48d0212d9ad00
SHA1 7b50f205395c6a583229cbfa66571b10193f86c0
SHA256 144f49b8ec13c5550ea78609c5c0a5c6d708d7083d0282b7aa5b4954cf36ce7f
SHA512 7070d4a189ebb30ee8a9cc14baabd534c6511ae3cabf8cb1821ac15f081470b0ec7832a3db14d7d4ac39b99d370a13efd06c11c8f064671f5315f039207d1bbc