spynote | af30de5783f3e57878e5188ebc70cf3fb1457f1f17150a7614e4688df2b1d5f4

Analysis

max time kernel
2519122s
max time network
150s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af30de5783f3e57878e5188ebc70cf3fb1457f1f17150a7614e4688df2b1d5f4.apk
Size

668KB
MD5

4a5047bcc3eb02571dc503dc914598eb
SHA1

d14c09ba569c5ae8288c17e9699a2da25df8248c
SHA256

af30de5783f3e57878e5188ebc70cf3fb1457f1f17150a7614e4688df2b1d5f4
SHA512

89701172320395ed35b61d4ce5bd98e37371c6ced665d2930c547a21804a07401e081a0a787fc024640d3f6f8253cb81a115919ab248d7e781882930d98fa768
SSDEEP

12288:XdjSML/KAFi95Ndf3lvqD4kwW8g6Ey5oTjG30gbB0M2j:wMjpijNF3Kf8ghNjG3z0M2j

Score

10^/10

spynote banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

spynote

188.121.120.42:7771

Signatures

Spynote
Spynote is a Remote Access Trojan first seen in 2017.
banker trojan infostealer rat spynote

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

splash.alfnet.googlsrvap

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	splash.alfnet.googlsrvap
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	splash.alfnet.googlsrvap

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

splash.alfnet.googlsrvap

pid process

4637 splash.alfnet.googlsrvap

pid	process
4637	splash.alfnet.googlsrvap

Loads dropped Dex/Jar 8 IoCs

Runs executable file dropped to the device during analysis.

Processes:

splash.alfnet.googlsrvap

ioc	pid	process
/data/user/0/splash.alfnet.googlsrvap/app_apkprotector_dex/classes-v1.bin	4637	splash.alfnet.googlsrvap
/data/user/0/splash.alfnet.googlsrvap/app_apkprotector_dex/classes-v1.bin	4637	splash.alfnet.googlsrvap
/data/user/0/splash.alfnet.googlsrvap/app_apkprotector_dex/classes-v2.bin	4637	splash.alfnet.googlsrvap
/data/user/0/splash.alfnet.googlsrvap/app_apkprotector_dex/classes-v2.bin	4637	splash.alfnet.googlsrvap
/data/user/0/splash.alfnet.googlsrvap/app_apkprotector_dex/classes-v3.bin	4637	splash.alfnet.googlsrvap
/data/user/0/splash.alfnet.googlsrvap/app_apkprotector_dex/classes-v3.bin	4637	splash.alfnet.googlsrvap
/data/user/0/splash.alfnet.googlsrvap/app_apkprotector_dex/classes-v4.bin	4637	splash.alfnet.googlsrvap
/data/user/0/splash.alfnet.googlsrvap/app_apkprotector_dex/classes-v4.bin	4637	splash.alfnet.googlsrvap

Requests enabling of the accessibility settings. 1 IoCs

Processes:

splash.alfnet.googlsrvap

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS splash.alfnet.googlsrvap
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

splash.alfnet.googlsrvap

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS splash.alfnet.googlsrvap

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	splash.alfnet.googlsrvap

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	splash.alfnet.googlsrvap

splash.alfnet.googlsrvap
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4637

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/splash.alfnet.googlsrvap/app_apkprotector_dex/classes-v1.bin
Filesize
32KB

MD5
e89daf9a55177e55b467e6477587317b

SHA1
9d20ca4fd600537cc3cacbd91dfaa531df5cdd8e

SHA256
5e08ca809fbe7cc25571441cbf865e2e99cca849fbefecbbae0124fee76c92b7

SHA512
3c1e56bad639847a8aef38d968cee30356327da8c210d10a21887f21a55e85ee89bdc60c0227e0eaedf36921a754eb44e2ea654af16c74f8cbe6efa544a587e9

Download Submit
/data/user/0/splash.alfnet.googlsrvap/app_apkprotector_dex/classes-v1.bin
Filesize
924KB

MD5
592a83717950a98c5ac53c30ca3291cd

SHA1
3b1f803aa1b4e1efbdea211f1d79402f5607298f

SHA256
0ac18fc0f6139d3f244dd962284a4e75edf53c7a15112a37dca629437029d9a9

SHA512
43f80192ccf82f3db8feedce5c5e951a4c3a646331a4119b3008088c050a72d91d9dd37014e1d6ef4b4b3d3679d918ea43ba80f33b878d237464ab9d8033babe

Download Submit
/data/user/0/splash.alfnet.googlsrvap/app_apkprotector_dex/classes-v2.bin
Filesize
6KB

MD5
659205c83a0b402f19be7890cf31a2db

SHA1
20fd7a2374077f96ceab8a865f6336c104d59bfc

SHA256
bc7732033dbe82fdcd9175baa345becac4dd10189c2d3367b178f180c9255b3b

SHA512
7b7415d2c493b3690ded4badca84d58cfc68df140b255c9b3cf10aad6ee47c792e6654332cab81c9d00c6bfb7f56a0da2b1765caf679c1fbce814626c3cd38c0

Download Submit
/data/user/0/splash.alfnet.googlsrvap/app_apkprotector_dex/classes-v3.bin
Filesize
3KB

MD5
0b7e5edd99ab8cadbe8f45f8511af144

SHA1
49a0045d3f1e01f0261f32c1f44e90595e1fa1cf

SHA256
79a5e1b9732be5eb44155fbcdf7e23d13332675910ad12cdf704092efa1dcf5d

SHA512
17b2547593b348f706436041b0715e156dfcf2ac91b0a13f67357d9b25a2f8f635f2383e4784d4662e9d4a3c37a474f25972181542dae6d69d8cbce3500b3a04

Download Submit
/data/user/0/splash.alfnet.googlsrvap/app_apkprotector_dex/classes-v4.bin
Filesize
9KB

MD5
96959fe11dc379c3dd3fc9222976ecd0

SHA1
17979239e7e5f22152b09dd2366d160682a70d52

SHA256
dee43d5f7c58340aab23d4b8eafeec33ed1ab2f1676b5fd957d532b223bc6af6

SHA512
9737210a4fb5f1ad1d60908b5fd34ff60e7ef02c63fc846b5f754fb0b6846408f5d39a610650fe6b43d394c698c13e22dad05a81ca90df4dff0debd4702bdcf9

Download Submit