Analysis
- max time kernel: 2684522s
- max time network: 148s
- platform: android_x64
- resource: android-x64-arm64-20230831-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20230831-en, locale:en-us, os:android-11-x64, system
- submitted: 16-09-2023 22:00
Static task: static1
Behavioral task: behavioral1
- Sample: 26cf03ea897b5a3cda9b1b6c68038e39a739cc0ab386572072be64686a4cf757.apk
- Resource: android-x86-arm-20230831-en
Behavioral task: behavioral2
- Sample: 26cf03ea897b5a3cda9b1b6c68038e39a739cc0ab386572072be64686a4cf757.apk
- Resource: android-x64-20230831-en
Behavioral task: behavioral3
- Sample: 26cf03ea897b5a3cda9b1b6c68038e39a739cc0ab386572072be64686a4cf757.apk
- Resource: android-x64-arm64-20230831-en
General
- Target: 26cf03ea897b5a3cda9b1b6c68038e39a739cc0ab386572072be64686a4cf757.apk
- Size: 880KB
- MD5: 2bded47baab3fac7d1ccc9e1e5e3ad35
- SHA1: d2c329e1385946b128e60392d384c5131313d679
- SHA256: 26cf03ea897b5a3cda9b1b6c68038e39a739cc0ab386572072be64686a4cf757
- SHA512: 42b6b40a5d4280e4760dfa8f47e69bf81c4a0791df0f261c1c5c4ae9b8b9b8405bfe1896b752a311fefd2e0f767855038bcd94528eb58d81a3430a45661a65a1
- SSDEEP: 12288:/tbB1kaJ8nwXigoox75jEbQHYyuG9mVDqZgj74t:/NEaJ8oSEKWQq2/4t
Malware Config
- Extracted: spynote
- 16.ip.gl.ply.gg:23450
Signatures
- Spynote: Spynote is a Remote Access Trojan first seen in 2017.
- Acquires the wake lock (1 IoC)
  Processes: waiver.casio.transcript
  - ioc: Framework service call android.os.IPowerManager.acquireWakeLock; process: waiver.casio.transcript
- Loads dropped Dex/Jar (2 IoCs): runs an executable file dropped to the device during analysis.
  Processes: waiver.casio.transcript
  - ioc: /data/user/0/waiver.casio.transcript/app_mph_dex/dp.kotlin-v1.lua.mph; pid: 4656; process: waiver.casio.transcript
  - ioc: /data/user/0/waiver.casio.transcript/app_mph_dex/dp.kotlin-v1.lua.mph; pid: 4656; process: waiver.casio.transcript
Network
MITRE ATT&CK Matrix
Downloads
- /data/user/0/waiver.casio.transcript/app_mph_dex/dp.kotlin-v1.lua.mph
  - Filesize: 1.4MB
  - MD5: 39fcb4d588a8f1afb2ba5336f9d6568e
  - SHA1: 0596d168613fcaef54076ae7aa5e6f8a404c9f9f
  - SHA256: 366325dc67d8193e615fc5366eae9241c0ef28a643f9f2fb1110840a68210183
  - SHA512: 4b8ff35641e97410c617edc3ac3413598942c9b413952bc956126cc8fa391a7daaa9062afd8c05c97d7fa166751aebba8405bf032902b45ca9912efaa5ec080a