Resubmissions
- 11-02-2024 10:04
- 240211-l3z7ysha73 10 11-02-2024 10:03
- 240211-l3mlvsfa51 10 10-02-2024 22:02
- 240210-1xscgshb9s 10

Analysis
- max time kernel: 13s
- max time network: 22s
- platform: android_x86
- resource: android-x86-arm-20231215-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
- submitted: 11-02-2024 10:04
Behavioral task
- behavioral1
- Sample: 17b37cf7db4b20774fce174e0ae6ed09f773d2a634ad3652dffdca7b59938742.apk
- Resource: android-x86-arm-20231215-en

General
- Target: 17b37cf7db4b20774fce174e0ae6ed09f773d2a634ad3652dffdca7b59938742.apk
- Size: 1.5MB
- MD5: dd7939e39f76083ba62bf11eda3fc815
- SHA1: a9f3b9d47d7c7a3862fb824840ccaee64092c5d7
- SHA256: 17b37cf7db4b20774fce174e0ae6ed09f773d2a634ad3652dffdca7b59938742
- SHA512: 0026c2bab2a6acad3cc2508a36280222f6d4a106a7f329edc3fdc4af6eb2314b30df6f4da9e0eb49b033bacdd874df941a2bac01d8e1a9b66cfe190254cf7002
- SSDEEP: 24576:wAwcDF6sHhInia1amebYNp2k5WmD9idNpPaVL0aaDnG5Zy:acDFknia1aXetWk0d/PQLgn4Zy
Malware Config
Extracted
- spynote: googlechrome.myftp.org:5214
Signatures
- Spynote
  Spynote is a Remote Access Trojan first seen in 2017.
- Spynote payload (1 IoC)
  resource: /storage/emulated/0/null/base.apk; yara_rule: family_spynote
- Tries to add a device administrator. (1 IoC)
  Processes: com.eset.ems2.gp
  description: Intent action; ioc: android.app.action.ADD_DEVICE_ADMIN; process: com.eset.ems2.gp
- Declares broadcast receivers with permission to handle system events (1 IoC)
  ioc: android.permission.BIND_DEVICE_ADMIN; description: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.
- Declares services with permission to bind to the system (1 IoC)
  ioc: android.permission.BIND_ACCESSIBILITY_SERVICE; description: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
- Requests dangerous framework permissions (18 IoCs)
  android.permission.CAMERA: Required to be able to access the camera device.
  android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
  android.permission.WRITE_CALL_LOG: Allows an application to write and read the user's call log data.
  android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
  android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
  android.permission.CAMERA: Required to be able to access the camera device.
  android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
  android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
  android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
  android.permission.RECORD_AUDIO: Allows an application to record audio.
  android.permission.READ_SMS: Allows an application to read SMS messages.
  android.permission.READ_CALL_LOG: Allows an application to read the user's call log.
  android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
  android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
  android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
  android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
  android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
  android.permission.PROCESS_OUTGOING_CALLS: Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether.
Network
MITRE ATT&CK Matrix
Downloads
- /storage/emulated/0/null/base.apk
  Filesize: 279KB
  MD5: 216f60d2ec8f76127546c636f3a1a965
  SHA1: 28df0e4d5ce775510570af08aa223d7b6123bd45
  SHA256: b7256bcec9ce286b2323dd723ef7326e0dd113e95e144907708df1730d6787e4
  SHA512: caa132dd027d16f3e950e28e84d461cac78e08d4c4b1510c8739b58eadbd7cf4b3728dd9f1901488a63a3db436acd07475d866e01d2f21a1a74f8ae3a1550b9a