spynote | 397d80e7f2c85b8921150d568c32deb43a157944cb993225e9907452179893b3

Analysis

max time kernel
3339611s
max time network
174s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
01-01-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

397d80e7f2c85b8921150d568c32deb43a157944cb993225e9907452179893b3.apk
Size

3.0MB
MD5

bc9a4b7c49f7a2843bb7c63eadf0721d
SHA1

837f19d9f53e46a33f09d4ad26ba57a024818d8b
SHA256

397d80e7f2c85b8921150d568c32deb43a157944cb993225e9907452179893b3
SHA512

dd38c1efd759354acdbe60b7fb3cfbf57ff1af7bfb7855f718741b4cce124d946c7bf05977112e05bbb9c29787fb00a0713fb7132b2d46c94c995ac838033446
SSDEEP

49152:nDSSKOp7JsQ+52g8VxxR1c7W/kQS3jphfaIEwTxvJaw2SR9GBRUES787cGBJmlE7:OIJab6hP/+phCzijpGBRUESYwGBUlEWc

Score

10^/10

spynote banker evasion infostealer rat trojan

Malware Config

Extracted

Family

spynote

165.227.31.192:22813

Signatures

Spynote
Spynote is a Remote Access Trojan first seen in 2017.
banker trojan infostealer rat spynote

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.khelo.winindia

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.khelo.winindia
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.khelo.winindia
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.khelo.winindia

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
banker

Processes:

com.khelo.winindia

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.khelo.winindia

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.khelo.winindia

Loads dropped Dex/Jar 4 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.khelo.winindia

ioc	pid	process
/data/user/0/com.khelo.winindia/app_ded/qKbhJ7S0I64cpajOfaxgm8pBsW7UtAe0.dex	4632	com.khelo.winindia
/data/user/0/com.khelo.winindia/app_ded/qKbhJ7S0I64cpajOfaxgm8pBsW7UtAe0.dex	4632	com.khelo.winindia
/data/user/0/com.khelo.winindia/app_mph_dex/apk.manager-v1.rizal.xml	4632	com.khelo.winindia
/data/user/0/com.khelo.winindia/app_mph_dex/apk.manager-v1.rizal.xml	4632	com.khelo.winindia

Acquires the wake lock 1 IoCs

Processes:

com.khelo.winindia

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.khelo.winindia
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.khelo.winindia

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.khelo.winindia
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.khelo.winindia

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.khelo.winindia

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.khelo.winindia

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.khelo.winindia

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.khelo.winindia

com.khelo.winindia
1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.khelo.winindia/app_ded/qKbhJ7S0I64cpajOfaxgm8pBsW7UtAe0.dex
Filesize
94KB

MD5
c2665ded30fa9868af79db59a02a929e

SHA1
00286694f32ec4cbfbc1bc7bfff05cd32a451724

SHA256
40f7b37fac44b58fb938deae5c562f6e80988d8dbdd53afa8877ec61799ea678

SHA512
722a9183b3a860d35538a6a78ece43ca72c00d69eaddfbcbbf45bb98b79a7010c27c95807381ef410c6c73e1471780b59c10623a3a371ac5e9ebd1e10a72da71

Download Submit
/data/user/0/com.khelo.winindia/app_mph_dex/apk.manager-v1.rizal.xml
Filesize
465KB

MD5
4377f21ca5cc71ac1312c6f95518e7f1

SHA1
a86331185368ba3476673b03e07dfa39009f2380

SHA256
834e0d3427689c5081ba83f3f1949c0a9e2c124a04e3175be21b1d44574d31a7

SHA512
f3b980979fce5d153b2a09908623d92733911d033719288478be5044b744e0aeeb30db7a90322877b504a9dc5d7a119fb2b2b84fd921b5a5056ed815718e599f

Download Submit
/data/user/0/com.khelo.winindia/app_mph_dex/apk.manager-v1.rizal.xml
Filesize
3.3MB

MD5
94795eebe4f464938e05f7e6404b1df5

SHA1
da3d29d455fbb6f204ba5922c9b91f60dd0121da

SHA256
a3dc502fef3b9b5146066f258ef67c7111e063cf889e3af0496d3623a373fbbb

SHA512
b305d0864b7e3061840dd85e7f0b505427ec0719b2dca3703bf266132a908f1db46d1235e8f1547fb5e2e96266eeecf10f25b0dfe0e6cb1da6b25389400d252a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-01-01.txt
Filesize
280B

MD5
8f998a2fade8a6e4c1df7753641bbffd

SHA1
0e5941c5716d62aef43269bececd28faca157d99

SHA256
a40d1d01bd481827d3804cd1a62f013d24aeb259616372393ff83750c3947b63

SHA512
f2590b615746ed2c9bb53de60332046d147e065b61d1c853654ca87b767a0cdc3a0057452741a8964b65d53bdad5b6aa3e30948686766e61d82dd27cd6b25a86

Download Submit