spynote | 17b37cf7db4b20774fce174e0ae6ed09f773d2a634ad3652dffdca7b59938742

Resubmissions

11-02-2024 10:04

240211-l3z7ysha73 10

11-02-2024 10:03

240211-l3mlvsfa51 10

10-02-2024 22:02

240210-1xscgshb9s 10

Analysis

max time kernel
13s
max time network
157s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
10-02-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17b37cf7db4b20774fce174e0ae6ed09f773d2a634ad3652dffdca7b59938742.apk
Size

1.5MB
MD5

dd7939e39f76083ba62bf11eda3fc815
SHA1

a9f3b9d47d7c7a3862fb824840ccaee64092c5d7
SHA256

17b37cf7db4b20774fce174e0ae6ed09f773d2a634ad3652dffdca7b59938742
SHA512

0026c2bab2a6acad3cc2508a36280222f6d4a106a7f329edc3fdc4af6eb2314b30df6f4da9e0eb49b033bacdd874df941a2bac01d8e1a9b66cfe190254cf7002
SSDEEP

24576:wAwcDF6sHhInia1amebYNp2k5WmD9idNpPaVL0aaDnG5Zy:acDFknia1aXetWk0d/PQLgn4Zy

Score

10^/10

spynote banker infostealer rat stealth trojan

Malware Config

Extracted

Family

spynote

googlechrome.myftp.org:5214

Signatures

Spynote
Spynote is a Remote Access Trojan first seen in 2017.
banker trojan infostealer rat spynote

Spynote payload 1 IoCs

Processes:

resource	yara_rule
/storage/emulated/0/null/base.apk	family_spynote

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.eset.ems2.gp

pid process

4255 com.eset.ems2.gp
Requests enabling of the accessibility settings. 1 IoCs

Processes:

com.eset.ems2.gp

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS com.eset.ems2.gp
Tries to add a device administrator. 1 IoCs

Processes:

com.eset.ems2.gp

description ioc process

Intent action android.app.action.ADD_DEVICE_ADMIN com.eset.ems2.gp

pid	process
4255	com.eset.ems2.gp

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.eset.ems2.gp

description	ioc	process
Intent action	android.app.action.ADD_DEVICE_ADMIN	com.eset.ems2.gp

Declares broadcast receivers with permission to handle system events 1 IoCs

Processes:

description	ioc
Required by device admin receivers to bind with the system. Allows apps to manage device administration features.	android.permission.BIND_DEVICE_ADMIN

Declares services with permission to bind to the system 1 IoCs

Processes:

description	ioc
Required by accessibility services to bind with the system. Allows apps to access accessibility features.	android.permission.BIND_ACCESSIBILITY_SERVICE

Requests dangerous framework permissions 18 IoCs

Processes:

description	ioc
Required to be able to access the camera device.	android.permission.CAMERA
Allows an application to read from external storage.	android.permission.READ_EXTERNAL_STORAGE
Allows an application to write and read the user's call log data.	android.permission.WRITE_CALL_LOG
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.	android.permission.SYSTEM_ALERT_WINDOW
Allows an application to write to external storage.	android.permission.WRITE_EXTERNAL_STORAGE
Required to be able to access the camera device.	android.permission.CAMERA
Allows access to the list of accounts in the Accounts Service.	android.permission.GET_ACCOUNTS
Allows an application to write the user's contacts data.	android.permission.WRITE_CONTACTS
Allows an application to read the user's contacts data.	android.permission.READ_CONTACTS
Allows an application to record audio.	android.permission.RECORD_AUDIO
Allows an application to read SMS messages.	android.permission.READ_SMS
Allows an application to read the user's call log.	android.permission.READ_CALL_LOG
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.	android.permission.READ_PHONE_STATE
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.	android.permission.CALL_PHONE
Allows an app to access approximate location.	android.permission.ACCESS_COARSE_LOCATION
Allows an app to access precise location.	android.permission.ACCESS_FINE_LOCATION
Allows an application to receive SMS messages.	android.permission.RECEIVE_SMS
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether.	android.permission.PROCESS_OUTGOING_CALLS

com.eset.ems2.gp
1⤵
- Removes its main activity from the application launcher
- Requests enabling of the accessibility settings.
- Tries to add a device administrator.
PID:4255

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/storage/emulated/0/null/base.apk
Filesize
760KB

MD5
28c40b4858d8e7bcb6b45d37a367efb1

SHA1
90905c21f613c46f52a33dd0d2c535a3113fd2cd

SHA256
2281f9608537593a96dfd2df0102db13250ab5b59dbb273c612cffd340eb3d0c

SHA512
929620b4c6088d7866b5cd6fab62a8d168a732b9582c111845a6d7211b9fb7b74d19c6fa91c2bc02ba1e6d345bacf7f4041697536470f19b7ec8e473c8d1f183

Download Submit