Resubmissions
- 11-02-2024 10:04  240211-l3z7ysha73  10
- 11-02-2024 10:03  240211-l3mlvsfa51  10
- 10-02-2024 22:02  240210-1xscgshb9s  10

Analysis
- max time kernel: 13s
- max time network: 157s
- platform: android_x86
- resource: android-x86-arm-20231215-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
- submitted: 10-02-2024 22:02
Behavioral task: behavioral1
- Sample: 17b37cf7db4b20774fce174e0ae6ed09f773d2a634ad3652dffdca7b59938742.apk
- Resource: android-x86-arm-20231215-en

Behavioral task: behavioral2
- Sample: 17b37cf7db4b20774fce174e0ae6ed09f773d2a634ad3652dffdca7b59938742.apk
- Resource: android-x64-20231215-en

Behavioral task: behavioral3
- Sample: 17b37cf7db4b20774fce174e0ae6ed09f773d2a634ad3652dffdca7b59938742.apk
- Resource: android-x64-arm64-20231215-en
General
- Target: 17b37cf7db4b20774fce174e0ae6ed09f773d2a634ad3652dffdca7b59938742.apk
- Size: 1.5MB
- MD5: dd7939e39f76083ba62bf11eda3fc815
- SHA1: a9f3b9d47d7c7a3862fb824840ccaee64092c5d7
- SHA256: 17b37cf7db4b20774fce174e0ae6ed09f773d2a634ad3652dffdca7b59938742
- SHA512: 0026c2bab2a6acad3cc2508a36280222f6d4a106a7f329edc3fdc4af6eb2314b30df6f4da9e0eb49b033bacdd874df941a2bac01d8e1a9b66cfe190254cf7002
- SSDEEP: 24576:wAwcDF6sHhInia1amebYNp2k5WmD9idNpPaVL0aaDnG5Zy:acDFknia1aXetWk0d/PQLgn4Zy

Malware Config
Extracted
- spynote
  googlechrome.myftp.org:5214
Signatures
- Spynote
  Spynote is a Remote Access Trojan first seen in 2017.

- Spynote payload (1 IoC)
  resource: /storage/emulated/0/null/base.apk
  yara_rule: family_spynote
  Processes: com.eset.ems2.gp (pid 4255)

- Requests enabling of the accessibility settings (1 IoC)
  description: Intent action
  ioc: android.settings.ACCESSIBILITY_SETTINGS
  process: com.eset.ems2.gp

- Tries to add a device administrator (1 IoC)
  description: Intent action
  ioc: android.app.action.ADD_DEVICE_ADMIN
  process: com.eset.ems2.gp

- Declares broadcast receivers with permission to handle system events (1 IoC)
  description: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.
  ioc: android.permission.BIND_DEVICE_ADMIN

- Declares services with permission to bind to the system (1 IoC)
  description: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
  ioc: android.permission.BIND_ACCESSIBILITY_SERVICE

- Requests dangerous framework permissions (18 IoCs)
  android.permission.CAMERA: Required to be able to access the camera device.
  android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
  android.permission.WRITE_CALL_LOG: Allows an application to write and read the user's call log data.
  android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
  android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
  android.permission.CAMERA: Required to be able to access the camera device.
  android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
  android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
  android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
  android.permission.RECORD_AUDIO: Allows an application to record audio.
  android.permission.READ_SMS: Allows an application to read SMS messages.
  android.permission.READ_CALL_LOG: Allows an application to read the user's call log.
  android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
  android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
  android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
  android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
  android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
  android.permission.PROCESS_OUTGOING_CALLS: Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether.
Downloads
- /storage/emulated/0/null/base.apk
  Filesize: 760KB
  MD5: 28c40b4858d8e7bcb6b45d37a367efb1
  SHA1: 90905c21f613c46f52a33dd0d2c535a3113fd2cd
  SHA256: 2281f9608537593a96dfd2df0102db13250ab5b59dbb273c612cffd340eb3d0c
  SHA512: 929620b4c6088d7866b5cd6fab62a8d168a732b9582c111845a6d7211b9fb7b74d19c6fa91c2bc02ba1e6d345bacf7f4041697536470f19b7ec8e473c8d1f183