spynote | 56206203f6381b1274c921c4eb5577e6f96350796a8325be8f29d4d23a682c17

Analysis

max time kernel
150s
max time network
143s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
06-02-2024 07:18

Target

9421c0e77b615203055f42727833e6de.apk
Size

827KB
MD5

9421c0e77b615203055f42727833e6de
SHA1

33e0f3dc0684be68d32384448beb8059a344be15
SHA256

56206203f6381b1274c921c4eb5577e6f96350796a8325be8f29d4d23a682c17
SHA512

12735d66572b8405db11d3d25f08d4bc41f4783761eb67205506664eaaafb69f65466b3dcce238057ffb8831e5ec88b9509076341dadfec6286cab9c6802fee2
SSDEEP

12288:fubh9rIjqnh7bxLwl6He1DdvPazc+V1CMFspK7lsF6A4R6nWL2XEKs4W+fvVGfy4:fq9rImh7CsEDdqzqMFz86ACkSGVfRz8

Score

10^/10

Spynote
Spynote is a Remote Access Trojan first seen in 2017.
banker trojan infostealer rat spynote

Spynote payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.android.tester/app_ded/0ZBW9BvZH2faHgVmWrecjZL1lY1W0NQY.dex	family_spynote

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
banker

Processes:

com.android.tester

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.android.tester

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.android.tester

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.android.tester

ioc	pid	process
/data/user/0/com.android.tester/app_ded/0ZBW9BvZH2faHgVmWrecjZL1lY1W0NQY.dex	4523	com.android.tester
/data/user/0/com.android.tester/app_ded/0ZBW9BvZH2faHgVmWrecjZL1lY1W0NQY.dex	4523	com.android.tester

Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.android.tester

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.android.tester
Tries to add a device administrator. 1 IoCs

Processes:

com.android.tester

description ioc process

Intent action android.app.action.ADD_DEVICE_ADMIN com.android.tester
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.android.tester

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.android.tester

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.android.tester

description	ioc	process
Intent action	android.app.action.ADD_DEVICE_ADMIN	com.android.tester

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.android.tester

/data/user/0/com.android.tester/app_ded/0ZBW9BvZH2faHgVmWrecjZL1lY1W0NQY.dex
Filesize
572KB

MD5
4565def4512efe74e999abf013c91b2d

SHA1
e5cfc824020ce194e3c5e323cfeaf24caaf30ad6

SHA256
bcab89c43b0252d44a028c4fa46702c401663d70cf445d0b46c5e68ae3980b27

SHA512
7bea9f690e00b8bcecded81a8e48e869328ffb9f04796a99f4aa689f7e45433399d5ba3b748ba69f3303745a028ff78f42359bb475345240496af99e7f552425

Download Submit