Analysis
max time kernel: 4092290s
max time network: 164s
platform: android_x64
resource: android-x64-arm64-20231023-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20231023-en, locale:en-us, os:android-11-x64, system
submitted: 21-11-2023 22:00
Static task: static1

Behavioral task: behavioral1
Sample: d7326f85e838f6298f5c9e8626d889c1a15757319754dc57d8703dff3f45c546.apk
Resource: android-x86-arm-20231023-en

Behavioral task: behavioral2
Sample: d7326f85e838f6298f5c9e8626d889c1a15757319754dc57d8703dff3f45c546.apk
Resource: android-x64-20231023.1-en
General
Target: d7326f85e838f6298f5c9e8626d889c1a15757319754dc57d8703dff3f45c546.apk
Size: 992KB
MD5: cbaf2da6a483775b934faabd5b40bed6
SHA1: 0ba2eb6661e6d7f03e0a2ef08ea75296990ac6fc
SHA256: d7326f85e838f6298f5c9e8626d889c1a15757319754dc57d8703dff3f45c546
SHA512: 917b65d79f323c045bb7a39cc47e432de18cf3b942698fb2056d4bbad0be8d3ba8f7ff3102b078722a87c71ba609d028c910fa66edb06582f23c8101d1a4a6e3
SSDEEP: 24576:BhzkORPhgzQc8RkQ4dh2iynuPyt9XktndMCngUPvJCYPMqlRnV:rRJgp8RkhdQiynq6XktndMfasYPMUV
Malware Config
Extracted
spynote
192.168.0.105:8080
Signatures

Spynote
Spynote is a Remote Access Trojan first seen in 2017.

Makes use of the framework's Accessibility service. 3 IoCs
Processes:
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | mountainy2.scored.claims
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | mountainy2.scored.claims
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | mountainy2.scored.claims

Removes its main activity from the application launcher
Processes:
pid | process
4342 | mountainy2.scored.claims

Acquires the wake lock. 1 IoCs
Processes:
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | mountainy2.scored.claims

Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
ioc | pid | process
/data/user/0/mountainy2.scored.claims/app_ded/gB5VdvVdcqa0HFPPzbllGJYDJjnXiiTH.dex | 4342 | mountainy2.scored.claims
/data/user/0/mountainy2.scored.claims/app_ded/gB5VdvVdcqa0HFPPzbllGJYDJjnXiiTH.dex | 4342 | mountainy2.scored.claims

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
Processes:
description | ioc | process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | mountainy2.scored.claims

Removes a system notification. 1 IoCs
Processes:
description | ioc | process
Framework service call | android.app.INotificationManager.cancelNotificationWithTag | mountainy2.scored.claims
Processes

mountainy2.scored.claims
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
  Child process: rm -r /data/user/0/mountainy2.scored.claims/app_ded/gB5VdvVdcqa0HFPPzbllGJYDJjnXiiTH.dex
Network
MITRE ATT&CK Matrix
Downloads
/data/user/0/mountainy2.scored.claims/app_ded/gB5VdvVdcqa0HFPPzbllGJYDJjnXiiTH.dex
Filesize: 1.3MB
MD5: 0db3e8e486f47d80fe56ac9ae0eb871b
SHA1: 0822d78837b027deef36a7c1bd62ae9629c19956
SHA256: f32452b8bbe2444257659cc4656aa41490a3f93f919eabe99632a30c610f5647
SHA512: 1f8122b13e6bd05d1a6ed2dccbaff9faef6258e220270ecdbb2cd35474cb24d82ffd7dc6c28ede8727873eaa36b209d3f844cba0dc2c5caef4f43214ccfba824

/storage/emulated/0/Config/sys/apps/log/log-2023-11-21.txt
Filesize: 28B
MD5: b29ab0a0aff1b76c061cc321ebf44c28
SHA1: cb29132433ed037310ca08b35c90d9f810f1c000
SHA256: 465165a3f3337eb3b5610a70c3cb2557101bedb3e53dddf36e2570577ddd1652
SHA512: d22b23cc3e805e7e1aec5b0c4a1043697dec264a6555ddb25137bce984adb27ef76ebb5a86a8133b805d50bc84cbcfc82ae13f7a919886dee25914caa52125eb

/storage/emulated/0/Config/sys/apps/log/log-2023-11-21.txt
Filesize: 12B
MD5: a9256f55737b655c8cff95418411997c
SHA1: d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24
SHA256: bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412
SHA512: 10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574

/storage/emulated/0/Config/sys/apps/log/log-2023-11-21.txt
Filesize: 275B
MD5: 52d673691e6d6b96fe890a2347ba9c93
SHA1: 9c904a5d45f202ca6aa2d2a3b2fe59c0c1a0a061
SHA256: e544b8d6b49b6231bc721531ba2cef94e5ce21510a1c149f1954d4465ac826e0
SHA512: 89fa74669c5b2836342b545f9f958d3066932f855cf76d92577e49189c35e3cd838ce64c6239b649a4b91b5fa7bffc9bda127b198cfea3b302b27398ac605c64