Malware Analysis Report

2024-11-15 09:53

Sample ID 241109-n642essrgs
Target ready.apk
SHA256 1dcf0f059a6d7cf1c41aae4272248b6315a086b3190a5ca4d002842c1f12ab9d
Tags
spynote collection credential_access evasion execution persistence
score
10/10


Analysis Overview

score
10/10

SHA256

1dcf0f059a6d7cf1c41aae4272248b6315a086b3190a5ca4d002842c1f12ab9d

Threat Level: Known bad

The file ready.apk was found to be: Known bad.

Malicious Activity Summary

spynote collection credential_access evasion execution persistence

Spynote family

Spynote payload

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 12:01

Signatures

Spynote family

spynote

Spynote payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). | android.permission.BIND_INPUT_METHOD | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 12:01

Reported

2024-11-09 12:04

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

154s

Command Line

consideration.documented.indians

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

consideration.documented.indians

Network

Country | Destination | Domain | Proto | Count
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1
US | 1.1.1.1:53 | getting-traditions.gl.at.ply.gg | udp | 1
US | 147.185.221.23:52948 | getting-traditions.gl.at.ply.gg | tcp | 34
GB | 216.58.201.110:443 | | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 172.217.16.238:443 | android.apis.google.com | tcp | 1

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-11-09.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-11-09.txt

MD5 9b34035f49b41c6570eabd93938f6d9a
SHA1 431432361dd3deaa06eb8a7031da2b489fbf8f0e
SHA256 3eac71cedb99b42276a8c5efbe5f522b2db2f737c24cdafd0b8e233b66cd42cf
SHA512 3a73d0aad4d7c07ebe8101042c66827664a39a24eb449c94d7564c12911f0bfd361c374abb20366f458b83969898509726df4c3c9be95f3914b48799957b6d1a

/storage/emulated/0/Config/sys/apps/log/log-2024-11-09.txt

MD5 beeee0c05632c572484e90ff57994a29
SHA1 1ca5c1dc3b318b56162aa2eb49d43dd4cf2ae841
SHA256 a0962c700a11a232386ceac135e0343d6aca311ff0cceb75556e0c45fb8fc527
SHA512 caed1d80812a0eb2ec34e117d0424eabb4d2128fa58d5c77dda5fc25458a47cf43719d98a36d1f5007b22bc546a76f1531de4006d0e49807d697b43d0e4fefdc

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 12:01

Reported

2024-11-09 12:04

Platform

android-x64-20240624-en

Max time kernel

59s

Max time network

155s

Command Line

consideration.documented.indians

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

consideration.documented.indians

Network

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | | udp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp | 1
US | 1.1.1.1:53 | getting-traditions.gl.at.ply.gg | udp | 1
US | 147.185.221.23:52948 | getting-traditions.gl.at.ply.gg | tcp | 23
GB | 142.250.187.206:443 | | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 172.217.169.14:443 | android.apis.google.com | tcp | 1
GB | 142.250.180.4:443 | | tcp | 2
US | 1.1.1.1:53 | g.tenor.com | udp | 1
GB | 142.250.180.10:443 | g.tenor.com | tcp | 1
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1
US | 1.1.1.1:53 | www.google.com | udp | 1
GB | 142.250.179.228:443 | www.google.com | tcp | 1
GB | 172.217.16.238:443 | | tcp | 1
GB | 142.250.179.226:443 | | tcp | 1

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-11-09.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-11-09.txt

MD5 beeee0c05632c572484e90ff57994a29
SHA1 1ca5c1dc3b318b56162aa2eb49d43dd4cf2ae841
SHA256 a0962c700a11a232386ceac135e0343d6aca311ff0cceb75556e0c45fb8fc527
SHA512 caed1d80812a0eb2ec34e117d0424eabb4d2128fa58d5c77dda5fc25458a47cf43719d98a36d1f5007b22bc546a76f1531de4006d0e49807d697b43d0e4fefdc

/storage/emulated/0/Config/sys/apps/log/log-2024-11-09.txt

MD5 c1c157b8fa46f9cb68f88076d7b7614e
SHA1 15fe430b152b2411a6b36e9a6e9da64badf6a7c1
SHA256 c42282ffcc44fb3cf3572a97151979f886f17fe85402a0ba7df3ba2c3f529815
SHA512 ae80cf88cd90d54f36d2ca33b216820a9079c6637362c85d985de0ee21e5390b07933484f6b0cb34a838911ee27316e5f652b64cb17b131754efa79ee5b03d2d

/storage/emulated/0/Config/sys/apps/log/log-2024-11-09.txt

MD5 960582e4e5821b2449ea51c841c5085d
SHA1 d80b508f7e22f01e2ff43a5bdd93fb00b2155637
SHA256 1dee423381d573cf2bccdc4887e94f64e6fe6d921082fcb512bff9c5fa92f24d
SHA512 caadff84f0befb8a7a0fd4170d2e7cdea3b507cb1863a493ce82c20e415982a65ecad55ab5053d05c3a947e787168fd2705a8bb83eca9175b94e569964241387

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-09 12:01

Reported

2024-11-09 12:04

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

150s

Command Line

consideration.documented.indians

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

consideration.documented.indians

Network

Country | Destination | Domain | Proto | Count
GB | 142.250.200.46:443 | | tcp | 3
N/A | 224.0.0.251:5353 | | udp | 1
US | 1.1.1.1:53 | www.youtube.com | udp | 1
GB | 142.250.187.238:443 | www.youtube.com | udp | 1
GB | 142.250.187.238:443 | www.youtube.com | tcp | 1
GB | 142.250.200.46:443 | www.youtube.com | tcp | 1
US | 216.239.32.223:443 | | tcp | 3
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp | 1
US | 1.1.1.1:53 | getting-traditions.gl.at.ply.gg | udp | 1
US | 147.185.221.23:52948 | getting-traditions.gl.at.ply.gg | tcp | 8
GB | 142.250.187.193:443 | | tcp | 1
GB | 216.58.204.65:443 | | tcp | 1

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-11-09.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-11-09.txt

MD5 beeee0c05632c572484e90ff57994a29
SHA1 1ca5c1dc3b318b56162aa2eb49d43dd4cf2ae841
SHA256 a0962c700a11a232386ceac135e0343d6aca311ff0cceb75556e0c45fb8fc527
SHA512 caed1d80812a0eb2ec34e117d0424eabb4d2128fa58d5c77dda5fc25458a47cf43719d98a36d1f5007b22bc546a76f1531de4006d0e49807d697b43d0e4fefdc

/storage/emulated/0/Config/sys/apps/log/log-2024-11-09.txt

MD5 35029f704c2e9f54f09f7c4fcf958b6e
SHA1 aa90baf4fed34a19f1f4ddfc5b6a19283b1e350a
SHA256 e2bf173eec817dae170486929e35843a356b13c3e95a16d1e95a50251b8b8747
SHA512 88fd229b2531bccc0f60a11440d8c700b518076351183640a69e4eb9a2c534d40a4d8a5f60f1e7d0788b4836b6311c0e6f9087229dd398d0a1a91e2623dccfd7

/storage/emulated/0/Config/sys/apps/log/log-2024-11-09.txt

MD5 17c1690a4556b7b73496094bace3d9b3
SHA1 f5a027ab7edfa20672f505bfb6d3da9c96103555
SHA256 0e5a72e6d5a664254e007a8c564f8a4866b51b8928f5b0ab82b86d937a371b46
SHA512 6628bd2adf078e4dd7c5cbc541c851bad34dd3bf974f557b823d392174a4cffabdbfbd0711a744c570945581363c0b4da0316c8e8f01aafba9961174c732ae14