Analysis
- max time kernel: 4092279s
- max time network: 152s
- platform: android_x86
- resource: android-x86-arm-20231023-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20231023-en, locale:en-us, os:android-9-x86, system
- submitted: 21-11-2023 22:00
Static task
- static1

Behavioral task
- behavioral1
  - Sample: d7326f85e838f6298f5c9e8626d889c1a15757319754dc57d8703dff3f45c546.apk
  - Resource: android-x86-arm-20231023-en

Behavioral task
- behavioral2
  - Sample: d7326f85e838f6298f5c9e8626d889c1a15757319754dc57d8703dff3f45c546.apk
  - Resource: android-x64-20231023.1-en
General
- Target: d7326f85e838f6298f5c9e8626d889c1a15757319754dc57d8703dff3f45c546.apk
- Size: 992KB
- MD5: cbaf2da6a483775b934faabd5b40bed6
- SHA1: 0ba2eb6661e6d7f03e0a2ef08ea75296990ac6fc
- SHA256: d7326f85e838f6298f5c9e8626d889c1a15757319754dc57d8703dff3f45c546
- SHA512: 917b65d79f323c045bb7a39cc47e432de18cf3b942698fb2056d4bbad0be8d3ba8f7ff3102b078722a87c71ba609d028c910fa66edb06582f23c8101d1a4a6e3
- SSDEEP: 24576:BhzkORPhgzQc8RkQ4dh2iynuPyt9XktndMCngUPvJCYPMqlRnV:rRJgp8RkhdQiynq6XktndMfasYPMUV
Malware Config
Extracted
- Family: spynote
- 192.168.0.105:8080
Signatures
- Spynote
  Spynote is a Remote Access Trojan first seen in 2017.
- Makes use of the framework's Accessibility service. 3 IoCs
  Processes:
    description | ioc | process
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | mountainy2.scored.claims
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | mountainy2.scored.claims
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | mountainy2.scored.claims
- Removes its main activity from the application launcher
  Processes:
    pid | process
    4240 | mountainy2.scored.claims
- Acquires the wake lock. 1 IoCs
  Processes:
    description | ioc | process
    Framework service call | android.os.IPowerManager.acquireWakeLock | mountainy2.scored.claims
- Loads dropped Dex/Jar 3 IoCs
  Runs executable file dropped to the device during analysis.
  Processes:
    ioc | pid | process
    /data/user/0/mountainy2.scored.claims/app_ded/SBbL8WvOCMNBmZUM78Rc9DZfQfBPAR0l.dex | 4240 | mountainy2.scored.claims
    /data/user/0/mountainy2.scored.claims/app_ded/SBbL8WvOCMNBmZUM78Rc9DZfQfBPAR0l.dex | 4264 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/mountainy2.scored.claims/app_ded/SBbL8WvOCMNBmZUM78Rc9DZfQfBPAR0l.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/mountainy2.scored.claims/app_ded/oat/x86/SBbL8WvOCMNBmZUM78Rc9DZfQfBPAR0l.odex --compiler-filter=quicken --class-loader-context=&
    /data/user/0/mountainy2.scored.claims/app_ded/SBbL8WvOCMNBmZUM78Rc9DZfQfBPAR0l.dex | 4240 | mountainy2.scored.claims
- Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  Processes:
    description | ioc | process
    Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | mountainy2.scored.claims
- Removes a system notification. 1 IoCs
  Processes:
    description | ioc | process
    Framework service call | android.app.INotificationManager.cancelNotificationWithTag | mountainy2.scored.claims
Processes
- mountainy2.scored.claims
  - Makes use of the framework's Accessibility service.
  - Removes its main activity from the application launcher
  - Acquires the wake lock.
  - Loads dropped Dex/Jar
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Removes a system notification.
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/mountainy2.scored.claims/app_ded/SBbL8WvOCMNBmZUM78Rc9DZfQfBPAR0l.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/mountainy2.scored.claims/app_ded/oat/x86/SBbL8WvOCMNBmZUM78Rc9DZfQfBPAR0l.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
  - rm -r /data/user/0/mountainy2.scored.claims/app_ded/oat/x86/SBbL8WvOCMNBmZUM78Rc9DZfQfBPAR0l.vdex
  - rm -r /data/user/0/mountainy2.scored.claims/app_ded/oat/x86/SBbL8WvOCMNBmZUM78Rc9DZfQfBPAR0l.odex
  - rm -r /data/user/0/mountainy2.scored.claims/app_ded/SBbL8WvOCMNBmZUM78Rc9DZfQfBPAR0l.dex
Network
MITRE ATT&CK Matrix
Downloads
- /data/data/mountainy2.scored.claims/app_ded/SBbL8WvOCMNBmZUM78Rc9DZfQfBPAR0l.dex
  Filesize: 1.3MB
  MD5: 0db3e8e486f47d80fe56ac9ae0eb871b
  SHA1: 0822d78837b027deef36a7c1bd62ae9629c19956
  SHA256: f32452b8bbe2444257659cc4656aa41490a3f93f919eabe99632a30c610f5647
  SHA512: 1f8122b13e6bd05d1a6ed2dccbaff9faef6258e220270ecdbb2cd35474cb24d82ffd7dc6c28ede8727873eaa36b209d3f844cba0dc2c5caef4f43214ccfba824
- /data/user/0/mountainy2.scored.claims/app_ded/SBbL8WvOCMNBmZUM78Rc9DZfQfBPAR0l.dex
  Filesize: 1.3MB
  MD5: 0db3e8e486f47d80fe56ac9ae0eb871b
  SHA1: 0822d78837b027deef36a7c1bd62ae9629c19956
  SHA256: f32452b8bbe2444257659cc4656aa41490a3f93f919eabe99632a30c610f5647
  SHA512: 1f8122b13e6bd05d1a6ed2dccbaff9faef6258e220270ecdbb2cd35474cb24d82ffd7dc6c28ede8727873eaa36b209d3f844cba0dc2c5caef4f43214ccfba824
- /data/user/0/mountainy2.scored.claims/app_ded/SBbL8WvOCMNBmZUM78Rc9DZfQfBPAR0l.dex
  Filesize: 1.3MB
  MD5: 4201e1264f8f89eb8ec361e57ce5215e
  SHA1: a5263ea06fbf50ebe4c7a0218ae1aa6c91eb8e71
  SHA256: e9cdea14278724ddf4c1d9512673b37d20c5ddb85b62ce1d1ed20a37a310e94a
  SHA512: 6df12975aecadef877a91fc7bf77925028a481868b4003866d7c895accd4c4ef56046f101454855ce15b1fbaa627e92e900e730e1e45f1162e766838daa3b7f7
- /data/user/0/mountainy2.scored.claims/app_ded/SBbL8WvOCMNBmZUM78Rc9DZfQfBPAR0l.dex
  Filesize: 1.3MB
  MD5: 0db3e8e486f47d80fe56ac9ae0eb871b
  SHA1: 0822d78837b027deef36a7c1bd62ae9629c19956
  SHA256: f32452b8bbe2444257659cc4656aa41490a3f93f919eabe99632a30c610f5647
  SHA512: 1f8122b13e6bd05d1a6ed2dccbaff9faef6258e220270ecdbb2cd35474cb24d82ffd7dc6c28ede8727873eaa36b209d3f844cba0dc2c5caef4f43214ccfba824
- /storage/emulated/0/Config/sys/apps/log/log-2023-11-21.txt
  Filesize: 275B
  MD5: 633483e3664b325ddb9bf101fd4a4187
  SHA1: 4cec48d6e2f70728bb12f8fcd4198eefde89fa58
  SHA256: b0cd5155ed0d0fcf5973693df5f7ee6081e3cf99aa70346617c12a7f8290ab03
  SHA512: 70c02bde75fcee42a8e198ba56fb602c5763a5da4e89524f3e415184313636b8b09ddb80d77c7d123a68eeb8d4eb50c533994adc97b8ebbcd38166d1f4131b64
- /storage/emulated/0/Config/sys/apps/log/log-2023-11-21.txt
  Filesize: 12B
  MD5: a9256f55737b655c8cff95418411997c
  SHA1: d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24
  SHA256: bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412
  SHA512: 10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574
- /storage/emulated/0/Config/sys/apps/log/log-2023-11-21.txt
  Filesize: 12B
  MD5: a9256f55737b655c8cff95418411997c
  SHA1: d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24
  SHA256: bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412
  SHA512: 10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574
- /storage/emulated/0/Config/sys/apps/log/log-2023-11-21.txt
  Filesize: 12B
  MD5: a9256f55737b655c8cff95418411997c
  SHA1: d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24
  SHA256: bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412
  SHA512: 10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574
- /storage/emulated/0/Config/sys/apps/log/log-2023-11-21.txt
  Filesize: 20B
  MD5: 9b8be9ba788425fa4b290d771e5f7486
  SHA1: 1bdc9b903b9cdd67c54e965da5c3e70f3a95af44
  SHA256: 2c6277b7a3550097607552d8ede4b72de32d76ecf8723af82ab748283b1a5ec9
  SHA512: a4edb5f7f33a29b011668200ba4c9b1614f91238909137e3148d537d22cd4cf09813cbce4757479f0a0b961a67c6d43888e0996e7e738b36748a1b1bc0a2ba2b