Malware Analysis Report

2024-11-15 09:55

Sample ID 241110-rdw2ws1pak
Target com.baniiz.kedra.apk
SHA256 6b83c98557eb4ff3de7b140f71af4f797cbedb39629031aa8fb12320dff1f01b
Tags spynote banker collection credential_access discovery evasion execution persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 6b83c98557eb4ff3de7b140f71af4f797cbedb39629031aa8fb12320dff1f01b

Threat Level: Known bad

The file com.baniiz.kedra.apk was found to be: Known bad.

Malicious Activity Summary

spynote banker collection credential_access discovery evasion execution persistence

Spynote family

Spynote payload

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Requests enabling of the accessibility settings.

Attempts to obfuscate APK file format

Acquires the wake lock

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

MITRE ATT&CK (Mobile Matrix V15): the tactics tagged on this sample are collection, credential_access, discovery, evasion, execution and persistence; the per-technique mapping is not included in the report text.

Analysis: static1

Detonation Overview

Reported

2024-11-10 14:05

Signatures

Spynote family (tag: spynote)

Spynote payload

No indicator, process or target details are recorded for either detection.

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Indicator (process and target: N/A): description
android.permission.BIND_DEVICE_ADMIN: required by device-admin receivers to bind with the system; lets the app use device-administration features and, once the admin is activated, blocks a plain uninstall until it is deactivated.

Declares services with permission to bind to the system

Indicator (process and target: N/A): description
android.permission.BIND_ACCESSIBILITY_SERVICE: required by accessibility services to bind with the system; gives the service the accessibility features (reading the on-screen view hierarchy and performing actions on the user's behalf).
android.permission.BIND_VPN_SERVICE: required by VPN services to bind with the system; lets the app provision a VPN and route device traffic through itself.
android.permission.BIND_INPUT_METHOD: required by input-method services to bind with the system; lets the app provide a custom keyboard, which sees every keystroke typed into it.

Requests dangerous framework permissions

Indicator (process and target: N/A): description
android.permission.SEND_SMS: send SMS messages.
android.permission.RECEIVE_SMS: receive SMS messages.
android.permission.READ_SMS: read SMS messages.
android.permission.READ_CALL_LOG: read the user's call log.
android.permission.READ_CONTACTS: read the user's contacts data.
android.permission.GET_ACCOUNTS: access the list of accounts in the Accounts Service.
android.permission.CAMERA: access the camera device.
android.permission.RECORD_AUDIO: record audio.
android.permission.ACCESS_COARSE_LOCATION: access approximate location.
android.permission.ACCESS_FINE_LOCATION: access precise location.
android.permission.CALL_PHONE: initiate a phone call without going through the Dialer UI for the user to confirm the call.
android.permission.READ_EXTERNAL_STORAGE: read from external storage.
android.permission.MANAGE_EXTERNAL_STORAGE: broad access to external storage under scoped storage.
android.permission.WRITE_EXTERNAL_STORAGE: write to external storage.
android.permission.READ_MEDIA_VISUAL_USER_SELECTED: read image or video files the user selected via the photo-picker permission prompt.
android.permission.SYSTEM_ALERT_WINDOW: create TYPE_APPLICATION_OVERLAY windows drawn on top of all other apps.
android.permission.READ_PHONE_STATE: read-only access to phone state, including current cellular network information, the status of any ongoing calls, and the PhoneAccounts registered on the device.
android.permission.REQUEST_INSTALL_PACKAGES: request installation of packages.

Taken together with the bound services above, this set covers the full banker/RAT toolkit: the accessibility service reads screen content and injects input, SYSTEM_ALERT_WINDOW draws the overlays, the SMS permissions expose one-time codes, device admin blocks a plain uninstall, and REQUEST_INSTALL_PACKAGES lets the app pull in further packages.
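
A triage check for this permission set, added here as an example and not part of the sandbox report. It assumes the manifest has already been decoded to plain XML (for instance with `apktool d sample.apk`, which writes AndroidManifest.xml alongside the smali), reads both the requested permissions and the BIND_* permissions attached to services and receivers, and maps them onto the capabilities an attacker gets from them. The embedded manifest is a constructed fragment reproducing the permissions in the tables above; its component class names are placeholders, and the package name is taken from the process name seen in the behavioral runs.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# What each permission (or BIND_* service permission) lets an app do once granted.
# One hit per capability; the names describe the capability, not observed behaviour.
CAPABILITIES = {
    "read_screen_and_inject_input": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "resist_uninstall_as_device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "draw_overlays_on_other_apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "intercept_sms_otp": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "send_sms": {"android.permission.SEND_SMS"},
    "install_further_packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "act_as_keyboard": {"android.permission.BIND_INPUT_METHOD"},
    "act_as_vpn": {"android.permission.BIND_VPN_SERVICE"},
    "camera_mic_location": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
                            "android.permission.ACCESS_FINE_LOCATION"},
}


def manifest_permissions(xml_text):
    """Return (requested, bound) from a decoded AndroidManifest.xml.

    requested: names from <uses-permission> / <uses-permission-sdk-23>.
    bound: android:permission values on <service>/<receiver>; that is where the
    BIND_* permissions live, because the system, not the app, must hold them to bind.
    """
    root = ET.fromstring(xml_text)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    bound = set()
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(ANDROID_NS + "permission")
            if perm:
                bound.add(perm)
    return requested, bound


def triage(xml_text):
    """Map the manifest's permissions onto CAPABILITIES and return hits plus a verdict."""
    requested, bound = manifest_permissions(xml_text)
    present = requested | bound
    hits = sorted(cap for cap, needed in CAPABILITIES.items() if needed & present)
    # Accessibility plus two further capability groups is the banker/RAT shape;
    # without accessibility the same permissions are far less useful to an attacker.
    if "read_screen_and_inject_input" in hits and len(hits) >= 3:
        verdict = "escalate"
    elif len(hits) >= 2:
        verdict = "review"
    else:
        verdict = "low"
    return {"package": ET.fromstring(xml_text).get("package"), "hits": hits,
            "score": len(hits), "verdict": verdict}


# Constructed manifest fragment reproducing the static1 permission tables. Class names
# are placeholders; the package name is the process name from the behavioral runs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="build.ledear.zrpah">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="app">
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".VpnService" android:permission="android.permission.BIND_VPN_SERVICE"/>
    <service android:name=".ImeService" android:permission="android.permission.BIND_INPUT_METHOD"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
    print(triage(BENIGN_MANIFEST))
```

Run it against the decoded manifest of any APK; the sample above scores 9 of 9 capability groups and is flagged "escalate", the benign manifest scores 0. The BIND_* permissions are deliberately read from the component declarations rather than from uses-permission, since an app never requests those and a check that only looks at uses-permission misses the accessibility service and device admin entirely.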

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 14:05

Reported

2024-11-10 14:10

Platform

android-x64-20240624-en

Max time kernel

299s

Max time network

301s

Command Line

build.ledear.zrpah. On Android the main process is named after the package declared in the manifest, so this is the sample's actual package name; the submitted filename com.baniiz.kedra.apk does not match it.

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

build.ledear.zrpah

Network

Every destination below except one is Google (142.250.x, 172.217.x, 216.58.x) or Cloudflare (the 1.1.1.1 resolver). The exception, 91.214.78.180:7771 (NL), is contacted repeatedly, is not preceded by any DNS lookup in the table, and recurs in all three detonations in which the sample ran; a direct-IP TCP endpoint on a non-standard port is consistent with SpyNote's command-and-control channel and is the indicator to block and hunt for.

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
NL 91.214.78.180:7771 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
GB 216.58.213.10:443 tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
NL 91.214.78.180:7771 tcp
GB 142.250.179.238:443 tcp
GB 142.250.200.34:443 tcp
NL 91.214.78.180:7771 tcp
NL 91.214.78.180:7771 tcp
NL 91.214.78.180:7771 tcp
GB 216.58.201.99:443 tcp
GB 216.58.201.99:443 tcp
GB 216.58.201.99:443 tcp

Files

The same path is listed three times with different hashes: each entry is a snapshot of the file as the app rewrote it during the run. The directory Config/sys/apps/log under shared external storage (/storage/emulated/0) and the date-stamped log-YYYY-MM-DD.txt name (here 2024-11-10, the detonation date) are usable as host-based indicators.

/storage/emulated/0/Config/sys/apps/log/log-2024-11-10.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-11-10.txt

MD5 4a6d8d7e309a7e0e57c43858d5808666
SHA1 bcfefe9407b9b1464b3fdc5c2daf4d28006e31e8
SHA256 1d3b3b700fb12533276cb469bd75ec44f6a5b6f6eb238824a8151e9286931460
SHA512 65d414fc07d6b46a03c0dc2d513189a4ab29f87517086068eae5ca45dde0b4d61453edb89f2c123dd579945f0294451dc0d74d2a66652ee424e54356480faeb7

/storage/emulated/0/Config/sys/apps/log/log-2024-11-10.txt

MD5 47bf4896695dd37839081267ce5bdc7f
SHA1 5a22524c99760b6bedb78a471103b776441d0184
SHA256 6695a9937b4d80e5da880643272faa5aab78d45be90b092fff8a9235a9e65c67
SHA512 d58d5bbc32e115e8a46efdba89dd9df622c439fd9356fb13974279d09fc5eb4b5391be5a376ce91648a0dfb5fae6250b3a799107e4e05a755f496383ba1de146

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 14:05

Reported

2024-11-10 14:10

Platform

android-x64-arm64-20240624-en

Max time kernel

299s

Max time network

309s

Command Line

build.ledear.zrpah

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A
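
The ACCESSIBILITY_SETTINGS intent above is the sample steering the victim to enable its accessibility service, and the static section shows it also ships a device-admin receiver. An on-device check for exactly those two grants, added here as an example and not taken from the report, pulls three things over adb (the enabled accessibility services, the enabled device admins, and the list of third-party packages) and flags any third-party package holding either privilege that is not on a responder-maintained allowlist. The parsers are exercised on constructed output embedded below; the `dumpsys device_policy` layout is assumed from current AOSP builds and may differ on vendor ROMs, and the component class names are placeholders.

```python
import re
import subprocess

# pkg/Class component as printed by settings and dumpsys; dumpsys entries end with ':'.
COMPONENT_RE = re.compile(r"([A-Za-z][\w.]*)/\.?[\w.$]+:?")


def adb(*args):
    """Run `adb shell <args>` and return stdout. Needs adb on PATH and one attached device."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout


def parse_enabled_accessibility(value):
    """`settings get secure enabled_accessibility_services` -> owning package names.
    The value is a ':'-separated list of pkg/Class component names, or 'null' when none."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if "/" in entry}


def parse_third_party(pm_output):
    """`pm list packages -3` -> non-system package names (one 'package:<name>' per line)."""
    return {line.split(":", 1)[1].strip() for line in pm_output.splitlines() if line.startswith("package:")}


def parse_device_admins(dumpsys):
    """`dumpsys device_policy` -> packages listed under 'Enabled Device Admins'.
    Assumed layout (AOSP): a heading line containing that phrase, then more-indented
    pkg/Class entries each followed by their own nested details; the section ends at the
    next non-empty line indented no deeper than the heading. Vendor builds may differ."""
    admins, heading_indent = set(), None
    for line in dumpsys.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        if "Enabled Device Admins" in line:
            heading_indent = indent
            continue
        if heading_indent is None:
            continue
        if line.strip() and indent <= heading_indent:
            break
        m = COMPONENT_RE.fullmatch(line.strip())
        if m:
            admins.add(m.group(1))
    return admins


def findings(accessibility, admins, third_party, allowlist=frozenset()):
    """Third-party packages holding accessibility or device-admin power, minus an allowlist.
    Returns {package: [roles]} so the responder sees which privilege each package has."""
    suspect = ((accessibility | admins) & third_party) - set(allowlist)
    roles = (("accessibility_service", accessibility), ("device_admin", admins))
    return {pkg: [name for name, members in roles if pkg in members] for pkg in sorted(suspect)}


def check_device(allowlist=frozenset()):
    """Live version: collect the three data sources over adb and run findings() on them."""
    return findings(
        parse_enabled_accessibility(adb("settings", "get", "secure", "enabled_accessibility_services")),
        parse_device_admins(adb("dumpsys", "device_policy")),
        parse_third_party(adb("pm", "list", "packages", "-3")),
        allowlist,
    )


# Constructed sample output, not captured from a device. Class names are placeholders; the
# package name is the process name from the behavioral runs. TalkBack stands in for a
# legitimate accessibility service the responder has already allowlisted.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
               "build.ledear.zrpah/build.ledear.zrpah.AccService")
SAMPLE_PM = "package:com.whatsapp\npackage:build.ledear.zrpah\npackage:com.google.android.marvin.talkback\n"
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Device Owner:
  Enabled Device Admins (User 0, provisioningState: 0):
    build.ledear.zrpah/build.ledear.zrpah.AdminReceiver:
      uid=10145
      policies:
        force-lock
  mPasswordOwner=-1
"""
ALLOWLIST = frozenset({"com.google.android.marvin.talkback"})

if __name__ == "__main__":
    print(findings(parse_enabled_accessibility(SAMPLE_A11Y), parse_device_admins(SAMPLE_DUMPSYS),
                   parse_third_party(SAMPLE_PM), ALLOWLIST))
    # With a device attached: print(check_device(ALLOWLIST))
```

On the constructed input the only finding is build.ledear.zrpah holding both accessibility_service and device_admin, which is the state this sample needs the victim to reach. Package names, not class names, are compared, because the class half of the component is whatever the author chose while the package is what `pm list packages -3` reports.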

Processes

build.ledear.zrpah

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
NL 91.214.78.180:7771 tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
NL 91.214.78.180:7771 tcp
NL 91.214.78.180:7771 tcp
NL 91.214.78.180:7771 tcp
NL 91.214.78.180:7771 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.200.34:443 tcp
GB 142.250.187.227:443 tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-11-10.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-11-10.txt

MD5 03399e6f7f228cd83301ffd20a3a6e5d
SHA1 f5e2b18dd419acb790e4d67dcf87e7b183db5cb2
SHA256 6d6f932adc57aa2368f3b0a86619794956249a157f0401ce1f9c121f796c3134
SHA512 de4d8bef635260b70e45c731f7ea974595c385c360170852ea100399087572c2012bfef1a8d45c3bf6fb770d8ba815015857600d94cbba621a5b3a3e5140bbb2

/storage/emulated/0/Config/sys/apps/log/log-2024-11-10.txt

MD5 17c1690a4556b7b73496094bace3d9b3
SHA1 f5a027ab7edfa20672f505bfb6d3da9c96103555
SHA256 0e5a72e6d5a664254e007a8c564f8a4866b51b8928f5b0ab82b86d937a371b46
SHA512 6628bd2adf078e4dd7c5cbc541c851bad34dd3bf974f557b823d392174a4cffabdbfbd0711a744c570945581363c0b4da0316c8e8f01aafba9961174c732ae14

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 14:05

Reported

2024-11-10 14:10

Platform

android-33-x64-arm64-20240624-en

Max time kernel

299s

Max time network

305s

Command Line

build.ledear.zrpah

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

build.ledear.zrpah

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.196:443 udp
GB 142.250.187.196:443 tcp
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
NL 91.214.78.180:7771 tcp
GB 216.58.212.238:443 udp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 216.58.213.10:443 remoteprovisioning.googleapis.com tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
GB 216.58.201.99:443 tcp
US 172.64.41.3:443 udp
GB 216.58.201.99:443 udp
GB 142.250.187.196:443 tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp
GB 142.250.187.196:443 udp
GB 142.250.187.227:443 tcp
NL 91.214.78.180:7771 tcp
NL 91.214.78.180:7771 tcp
NL 91.214.78.180:7771 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
NL 91.214.78.180:7771 tcp
GB 142.250.200.2:443 tcp
GB 142.250.200.2:443 tcp
GB 216.58.201.110:443 tcp
GB 172.217.16.230:443 tcp
GB 142.250.179.226:443 tcp
GB 142.250.200.2:443 tcp
GB 142.250.179.228:443 www.google.com tcp
US 216.239.34.36:443 tcp
GB 142.250.187.225:443 tcp
GB 142.250.187.225:443 tcp
GB 142.250.187.225:443 tcp
GB 142.250.187.225:443 tcp
GB 142.250.187.225:443 tcp
GB 142.250.178.1:443 tcp
GB 142.250.187.227:443 tcp
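
Across the three runs in which the sample executed, the one destination that is neither Google nor Cloudflare is 91.214.78.180:7771. The script below, added as an example and not part of the report, makes that selection mechanically so it can be reused on other reports in the same layout: it parses rows in the "Country Destination Domain Proto" form, drops multicast/private targets and anything the sandbox tied to a DNS name, and ranks what is left by how many runs saw it, preferring non-web ports and then connection count. The embedded rows are an excerpt of the behavioral1, behavioral2 and behavioral3 tables above (a constructed subset, not the full capture). It is a ranking for an analyst, not a verdict: directly-reached Google IPs still appear lower down, and ownership of the top hit should be confirmed (whois/ASN) before it goes into a blocklist.

```python
import ipaddress
from collections import defaultdict

# Excerpts of the Network tables for behavioral1-3, in the report's own
# "Country Destination Domain Proto" layout (constructed subset, not the full capture).
RUNS = {
    "behavioral1": """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
NL 91.214.78.180:7771 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
NL 91.214.78.180:7771 tcp
NL 91.214.78.180:7771 tcp
GB 216.58.201.99:443 tcp
""",
    "behavioral2": """
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
NL 91.214.78.180:7771 tcp
NL 91.214.78.180:7771 tcp
NL 91.214.78.180:7771 tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.187.227:443 tcp
""",
    "behavioral3": """
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 tcp
NL 91.214.78.180:7771 tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 216.58.213.10:443 remoteprovisioning.googleapis.com tcp
US 172.64.41.3:443 tcp
GB 142.250.187.227:443 tcp
NL 91.214.78.180:7771 tcp
NL 91.214.78.180:7771 tcp
GB 216.58.201.99:443 tcp
""",
}


def parse_rows(table):
    """Rows are COUNTRY IP:PORT [DOMAIN] PROTO; the domain column is present only when
    the sandbox tied the connection to a DNS name."""
    rows = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, _, port = parts[1].rpartition(":")
        rows.append({"country": parts[0], "ip": ip, "port": int(port),
                     "domain": parts[2] if len(parts) == 4 else None, "proto": parts[-1]})
    return rows


def rank_destinations(runs):
    """Rank direct-IP destinations as C2 candidates across several runs.

    Drops multicast/private/loopback targets (mDNS and emulator noise) and anything the
    sandbox associated with a DNS name, then orders by number of runs seen, non-web port
    first, then connection count. Ties fall back to the IP string for a stable order.
    """
    seen_in, hits, named = defaultdict(set), defaultdict(int), set()
    for run, table in runs.items():
        for r in parse_rows(table):
            key = (r["ip"], r["port"])
            seen_in[key].add(run)
            hits[key] += 1
            if r["domain"]:
                named.add(key)
    out = []
    for (ip, port), runs_seen in seen_in.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_multicast or addr.is_private or addr.is_loopback or (ip, port) in named:
            continue
        out.append({"ip": ip, "port": port, "runs": len(runs_seen),
                    "connections": hits[(ip, port)], "web_port": port in (80, 443)})
    out.sort(key=lambda c: (-c["runs"], c["web_port"], -c["connections"], c["ip"]))
    return out


def suricata_rule(ip, port, sid, family="SpyNote"):
    """Starting-point Suricata rule for a direct-IP C2 candidate; adjust msg/sid to local conventions."""
    return (f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"{family} candidate C2 {ip}:{port}"; flow:to_server,established; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    ranked = rank_destinations(RUNS)
    for c in ranked:
        print(c)
    top = ranked[0]
    print(suricata_rule(top["ip"], top["port"], sid=1000001))
```

On the excerpt, 91.214.78.180:7771 ranks first (seen in all three runs, nine connections, non-web port); everything ranked below it is a Google or Cloudflare address on 443 seen in at most two runs, which is the noise the analyst discards by hand. The mDNS rows and the 1.1.1.1 resolver never appear as candidates because the former is multicast and the latter is always paired with a domain in the table.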

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-11-10.txt

MD5 73ca8d6af8fdcb567754847440dbfa88
SHA1 b1472b764ff81d8165ddfd2958a67aa0d4abddf4
SHA256 2296954497d649bc19a7b3213d05d51fc1a68ff71e7de01a7edd56ca0828f14d
SHA512 7fb52bb85e0e34f6a3ba928d5e88c2f004344bbd6ae3c163088e6aaaa59b5ce60484c78f93c10deabc6051323f7bbc0c87983ad260ebcb03cc42e49dc7b0019f

/storage/emulated/0/Config/sys/apps/log/log-2024-11-10.txt

MD5 fd8ed43ac31bbf329c395582c15753cd
SHA1 3c76ee3fa79dde645c0447d6b23d6f435efb3b72
SHA256 049d51bf61bf26d7b9e55391560cc23ec59d2240453ac81b87f2e81153b0fcaf
SHA512 77bb10d1eeeea15fc35f7232af698c951d3f47a5fff56682bbc32f6bea9ebecc997d89ed88c6dff9c226c09446261f184ecbac9697f95799753d73a71e6c4d37

/storage/emulated/0/Config/sys/apps/log/log-2024-11-10.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-11-10.txt

MD5 33decfc10531cda4b93af7245a4a2d58
SHA1 8c185d417b9ad0d560cfbf41a596379e73a2a9bd
SHA256 dfa4864bbea8c585838bdd72cdebc2da32e9efffdbc1f2d4f34fe5b0cd192c42
SHA512 d810e441243287f5aadeac847106c337e890c24cf806bfee2847cc3a01618a15088b27c76f27308140574083938381d3427eb52949cb12f13d22f4858058f118

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-10 14:05

Reported

2024-11-10 14:05

Platform

android-x86-arm-20240624-en

Max time network

4s

The sample did not run on this x86/arm image: no process was started, no signatures fired, and the run was over after 4 s of network time. The only traffic is multicast DNS to 224.0.0.251:5353, background noise that is present in every run above as well.

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A