Malware Analysis Report

2024-12-01 03:12

Sample ID 241111-vrracasdqf
Target ceксуальные фоточки.apk
SHA256 0fefe74d649c4a9026762b125c3a9bf9d9b81397f098897bf40e7198b22ad147
Tags
spynote banker collection credential_access evasion execution infostealer persistence rat trojan discovery
score
10/10

Analysis Overview

score
10/10

SHA256

0fefe74d649c4a9026762b125c3a9bf9d9b81397f098897bf40e7198b22ad147

Threat Level: Known bad

The file ceксуальные фоточки.apk was found to be: Known bad.

Malicious Activity Summary

spynote banker collection credential_access evasion execution infostealer persistence rat trojan discovery

Spynote

Spynote payload

Spynote family

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Legitimate hosting services abused for malware hosting/C2

Requests enabling of the accessibility settings.

Requests dangerous framework permissions

Declares services with permission to bind to the system

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Makes use of the framework's foreground persistence service

Resource Forking

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 17:13

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. android.permission.BIND_VPN_SERVICE N/A N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). android.permission.BIND_INPUT_METHOD N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:16

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

155s

Command Line

highs.isolated.onto

Signatures

Spynote

banker trojan infostealer rat spynote

Spynote family

spynote

Spynote payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/highs.isolated.onto/app_mph_dex/apk.crazy-v1.AndroidManifest.xml N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 8.tcp.eu.ngrok.io N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

highs.isolated.onto

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/highs.isolated.onto/app_mph_dex/apk.crazy-v1.AndroidManifest.xml --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/highs.isolated.onto/app_mph_dex/oat/x86/apk.crazy-v1.AndroidManifest.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 8.tcp.eu.ngrok.io udp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.79.221.78:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp

Files

/data/data/highs.isolated.onto/app_mph_dex/apk.crazy-v1.AndroidManifest.xml


/data/user/0/highs.isolated.onto/app_mph_dex/apk.crazy-v1.AndroidManifest.xml


/storage/emulated/0/Config/sys/apps/log/log-2024-11-11.txt

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:14

Platform

ubuntu2004-amd64-20240611-en

Max time kernel

0s

Max time network

2s

Command Line

[/tmp/ceксуальные фоточки.apk]

Signatures

N/A

Processes

/tmp/ceксуальные фоточки.apk

[/tmp/ceксуальные фоточки.apk]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:16

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

157s

Command Line

highs.isolated.onto

Signatures

Spynote

banker trojan infostealer rat spynote

Spynote family

spynote

Spynote payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/highs.isolated.onto/app_mph_dex/apk.crazy-v1.AndroidManifest.xml N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 8.tcp.eu.ngrok.io N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

highs.isolated.onto

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 8.tcp.eu.ngrok.io udp
DE 52.59.102.101:29472 8.tcp.eu.ngrok.io tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.180.4:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
DE 3.79.221.78:29472 8.tcp.eu.ngrok.io tcp
GB 172.217.16.238:443 tcp
GB 142.250.179.226:443 tcp
DE 18.198.52.32:29472 8.tcp.eu.ngrok.io tcp

Files

/data/data/highs.isolated.onto/app_mph_dex/apk.crazy-v1.AndroidManifest.xml


/storage/emulated/0/Config/sys/apps/log/log-2024-11-11.txt

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:14

Platform

debian9-armhf-20240418-en

Max time kernel

0s

Command Line

[/tmp/ceксуальные фоточки.apk]

Signatures

N/A

Processes

/tmp/ceксуальные фоточки.apk

[/tmp/ceксуальные фоточки.apk]

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:14

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

0s

Max time network

3s

Command Line

[/tmp/ceксуальные фоточки.apk]

Signatures

N/A

Processes

/tmp/ceксуальные фоточки.apk

[/tmp/ceксуальные фоточки.apk]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:16

Platform

android-x64-arm64-20240624-en

Max time network

155s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
BE 74.125.133.188:5228 tcp
GB 142.250.187.227:443 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.2:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 216.58.201.100:443 www.google.com tcp
US 1.1.1.1:53 accounts.google.com udp
GB 64.233.167.84:443 accounts.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 172.217.169.78:443 www.youtube.com udp
GB 172.217.169.78:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
BE 74.125.133.84:443 accounts.google.com tcp
GB 142.250.179.228:443 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.179.227:443 update.googleapis.com tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:14

Platform

debian12-mipsel-20240221-en

Max time kernel

0s

Command Line

[/tmp/ceксуальные фоточки.apk]

Signatures

N/A

Processes

/tmp/ceксуальные фоточки.apk

[/tmp/ceксуальные фоточки.apk]

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:16

Platform

win11-20241007-en

Max time kernel

91s

Max time network

94s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\ceксуальные фоточки.apk"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ceксуальные фоточки.apk"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:16

Platform

macos-20241106-en

Max time kernel

66s

Max time network

141s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/ceксуальные фоточки.apk"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer N/A N/A
N/A "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/ceксуальные фоточки.apk"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/ceксуальные фоточки.apk"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/ceксуальные фоточки.apk]

/usr/libexec/pkreporter

[/usr/libexec/pkreporter]

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer

[/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer]

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged

[/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged]

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater

[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck]

/bin/zsh

[/bin/zsh -c /Users/run/ceксуальные фоточки.apk]

/Users/run/ceксуальные

[/Users/run/ceксуальные фоточки.apk]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nsurlstoraged]

/usr/libexec/nsurlstoraged

[/usr/libexec/nsurlstoraged --privileged]

Network

Country Destination Domain Proto
US 8.8.8.8:53 1.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp

Files

/var/db/nsurlstoraged/dafsaData.bin

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:14

Platform

debian9-mipsbe-20240611-en

Max time kernel

1s

Command Line

[/tmp/ceксуальные фоточки.apk]

Signatures

N/A

Processes

/tmp/ceксуальные фоточки.apk

[/tmp/ceксуальные фоточки.apk]

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:14

Platform

debian9-mipsel-20240729-en

Max time kernel

0s

Command Line

[/tmp/ceксуальные фоточки.apk]

Signatures

N/A

Processes

/tmp/ceксуальные фоточки.apk

[/tmp/ceксуальные фоточки.apk]

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:16

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

134s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\ceксуальные фоточки.apk"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ceксуальные фоточки.apk"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:16

Platform

win10ltsc2021-20241023-en

Max time kernel

98s

Max time network

140s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\ceксуальные фоточки.apk"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ceксуальные фоточки.apk"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
NL 20.103.156.88:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:14

Platform

debian12-armhf-20240221-en

Max time kernel

0s

Max time network

13s

Command Line

[/tmp/ceксуальные фоточки.apk]

Signatures

N/A

Processes

/tmp/ceксуальные фоточки.apk

[/tmp/ceксуальные фоточки.apk]

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:14

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Command Line

[/tmp/ceксуальные фоточки.apk]

Signatures

N/A

Processes

/tmp/ceксуальные фоточки.apk

[/tmp/ceксуальные фоточки.apk]

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:14

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

0s

Command Line

[/tmp/ceксуальные фоточки.apk]

Signatures

N/A

Processes

/tmp/ceксуальные фоточки.apk

[/tmp/ceксуальные фоточки.apk]

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:16

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\ceксуальные фоточки.apk"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\apk_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\apk_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.apk C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.apk\ = "apk_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\apk_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\apk_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\apk_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\apk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ceксуальные фоточки.apk"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\ceксуальные фоточки.apk

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ceксуальные фоточки.apk"

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-11 17:13

Reported

2024-11-11 17:16

Platform

android-33-x64-arm64-20240624-en

Max time kernel

149s

Max time network

157s

Command Line

highs.isolated.onto

Signatures

Spynote

banker trojan infostealer rat spynote

Spynote family

spynote

Spynote payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/highs.isolated.onto/app_mph_dex/apk.crazy-v1.AndroidManifest.xml N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 8.tcp.eu.ngrok.io N/A N/A
N/A 8.tcp.eu.ngrok.io N/A N/A
N/A 8.tcp.eu.ngrok.io N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests enabling of the accessibility settings

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

highs.isolated.onto

Network

Country Destination Domain Proto
GB 142.250.200.36:443 udp
GB 142.250.200.36:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 216.58.212.238:443 android.apis.google.com tcp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 8.tcp.eu.ngrok.io udp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
GB 142.250.200.35:443 tcp
US 172.64.41.3:443 udp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
GB 142.250.200.35:443 udp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
GB 142.250.200.36:443 tcp
GB 216.58.204.68:443 tcp
GB 216.58.204.68:443 tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
GB 142.250.200.36:443 udp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
GB 216.58.201.99:443 tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
US 1.1.1.1:53 8.tcp.eu.ngrok.io udp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
US 1.1.1.1:53 8.tcp.eu.ngrok.io udp
DE 52.59.102.101:29472 8.tcp.eu.ngrok.io tcp
DE 52.59.102.101:29472 8.tcp.eu.ngrok.io tcp
DE 52.59.102.101:29472 8.tcp.eu.ngrok.io tcp
DE 52.59.102.101:29472 8.tcp.eu.ngrok.io tcp
DE 52.59.102.101:29472 8.tcp.eu.ngrok.io tcp
DE 52.59.102.101:29472 8.tcp.eu.ngrok.io tcp
DE 52.59.102.101:29472 8.tcp.eu.ngrok.io tcp
DE 52.59.102.101:29472 8.tcp.eu.ngrok.io tcp
DE 52.59.102.101:29472 8.tcp.eu.ngrok.io tcp
DE 52.59.102.101:29472 8.tcp.eu.ngrok.io tcp
DE 52.59.102.101:29472 8.tcp.eu.ngrok.io tcp
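The table above shows the security-relevant pattern in this sample: all C2 traffic goes to 8.tcp.eu.ngrok.io on port 29472, and the hostname resolves to three different addresses (3.74.121.88, 3.77.161.152, 52.59.102.101) over the course of the run, so an IP-only block is short-lived while the hostname and port stay constant. The following is an added example, not part of the sandbox report or of any tool the report describes: it parses rows in the report's own "Country Destination Domain Proto" layout, separates DNS lookups from data connections, and collapses the repeated rows into per-endpoint counts for a tunnel-service hostname. The sample rows are a constructed excerpt of the behavioral7 table; the ngrok pattern is taken from the domain observed above, while the trycloudflare and serveo patterns are assumptions added for illustration and do not appear in the report.

```python
"""Extract tunnel-service C2 endpoints from a sandbox network table.

Added example; the row format follows the report above. The tunnel
patterns other than ngrok are assumptions, not observed in this sample.
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt of the behavioral7 network table (not the full table).
SAMPLE_ROWS = """\
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
US 1.1.1.1:53 8.tcp.eu.ngrok.io udp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
DE 3.74.121.88:29472 8.tcp.eu.ngrok.io tcp
US 172.64.41.3:443 tcp
US 1.1.1.1:53 8.tcp.eu.ngrok.io udp
DE 3.77.161.152:29472 8.tcp.eu.ngrok.io tcp
DE 52.59.102.101:29472 8.tcp.eu.ngrok.io tcp
"""

# Relay services rented by attackers to hide the real C2 behind a tunnel.
# Only the ngrok entry is grounded in this report; the others are assumptions.
TUNNEL_PATTERNS = [
    re.compile(r"(^|\.)ngrok(-free)?\.(io|app|dev)$"),
    re.compile(r"(^|\.)trycloudflare\.com$"),   # assumption, not in the report
    re.compile(r"(^|\.)serveo\.net$"),          # assumption, not in the report
]

# One row: country (or N/A), ip:port, optional domain, protocol.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}|N/A)\s+(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Yield one dict per well-formed row; rows with no domain keep domain=None."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            yield row


def is_tunnel_domain(domain):
    """True when the domain belongs to a known tunnel/relay service."""
    return bool(domain) and any(p.search(domain) for p in TUNNEL_PATTERNS)


def extract_c2(text, dns_ports=(53,)):
    """Return {domain: {"endpoints": Counter((ip, port, proto)), "dns_lookups": n}}.

    Resolver queries (udp to a DNS port) are counted separately so that the
    endpoint list contains only the resolved C2 peers, not the resolver.
    """
    result = defaultdict(lambda: {"endpoints": Counter(), "dns_lookups": 0})
    for row in parse_rows(text):
        if not is_tunnel_domain(row["domain"]):
            continue
        entry = result[row["domain"]]
        if row["port"] in dns_ports and row["proto"] == "udp":
            entry["dns_lookups"] += 1
        else:
            entry["endpoints"][(row["ip"], row["port"], row["proto"])] += 1
    return dict(result)


def block_list(c2):
    """Flatten the endpoints to sorted 'ip:port' strings for a deny list."""
    return sorted({f"{ip}:{port}" for e in c2.values() for (ip, port, _) in e["endpoints"]})


if __name__ == "__main__":
    c2 = extract_c2(SAMPLE_ROWS)
    for domain, e in c2.items():
        print(domain, "dns lookups:", e["dns_lookups"])
        for (ip, port, proto), n in sorted(e["endpoints"].items()):
            print(f"  {ip}:{port}/{proto} x{n}")
    print("deny:", block_list(c2))
```

Run against the full behavioral7 table, the same code yields the three 29472 endpoints above; because the tunnel hostname is the stable indicator while its backing IPs rotate, a durable block belongs on the hostname plus port (or on the tunnel provider as a whole, where policy allows) rather than on any one address in the deny list.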

Files

/data/user/0/highs.isolated.onto/app_mph_dex/apk.crazy-v1.AndroidManifest.xml

MD5 9121fe8b27e2555f7bd0a0d98a87f5c9
SHA1 a89092cf8c5ba5fe4588795b43a7ab4ba624e26a
SHA256 fa2f7427bb06bb32ce75a641317aff06215ee1ee729fb533e3185eb6fd039e4f
SHA512 ad17edfba4efa19e5dc2a12bde7dddd422001bb563235eb90109dc309de09bec72879398eb9f8e42fae2a3a285035bbf03ca2e1709fdff14c3ee740c640ac66e

/storage/emulated/0/Config/sys/apps/log/log-2024-11-11.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-11-11.txt

MD5 d02434b5bafa95a4f5cf759bc2874d00
SHA1 64ea5089fd67106636ae5080cd19fca1dc2ff6d4
SHA256 41f7fb0bda7cf332ff0a6970eaf5bee5a37ef17062436a07b734b66c32ea3c4a
SHA512 cb79a158c6fc092ec9a1fb8a6225c75dc93aa0eab8e42ab8fd1bad78eac3584f247841d832d941a3c1c22b761532a83631794fcf3fbd44f391802f15128f2b9c

/storage/emulated/0/Config/sys/apps/log/log-2024-11-11.txt

MD5 2f11c0f171c486b5348081d9aed35aa5
SHA1 fff6ea893cb148c73786e2f9ed58a00eae0edea3
SHA256 e1b6daedf9f44bac415663ad6ed5dd676f8017572bbd39fd614f8260ef1a8926
SHA512 905393eb96baf84165e4abf66fac80f8d74b366ca900928becefad900e71844ab4e17dcdb4c8093fbcb47a21ebf98f1b38f341e918a25bff7909a037445f2021

/storage/emulated/0/Config/sys/apps/log/log-2024-11-11.txt

MD5 12addd9a71435a3969cacfd169ce8bf3
SHA1 20c0f94730a4b3b8a27bd184f3b09be5cfbf5263
SHA256 202caf0697a956a5b984e2655d425531b86697bd769155ae48f71423235c24eb
SHA512 10d6706506598cf2663c2ec9de6902eda359f88084469dca6c3fc92264d014d280164bff6bb8423ac2d1a50fce24514c30943d6f9280870d561ce51bad1c99ff