Analysis
- max time kernel: 124s
- max time network: 228s
- platform: android_x64
- resource: android-33-x64-arm64-20240229-en
- resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240229-en, locale:en-us, os:android-13-x64, system
- submitted: 22-03-2024 17:58
Static task: static1
Behavioral task: behavioral1
- Sample: SNS_24.apk
- Resource: android-33-x64-arm64-20240229-en
General
- Target: SNS_24.apk
- Size: 7.2MB
- MD5: da6f538294ce7f79e17acd65a8a2a0de
- SHA1: 2ae33b52c49a819e3fa4875a6e2178d232d344fb
- SHA256: a79ebbd3eb73942b0e4c430f50b0dca4a30d51abffa4671b8baba1d1d2786a4e
- SHA512: 6aa6cbdb1e8ab6204bef5a8ccfc85448d67d46dd1c7b3375f3c5b3c7010f4015db1e02b0c132d715319ec21344df24ca525a1086a637602cd640b6be39afe209
- SSDEEP: 98304:eKefDhiwzjxcMlmzWTx0tfzBs01ev7UOkjYKJyQPsZxIlW+T8XU8DRQAiE8bTSlP:nefc8yMIz2OrAU9YAsZxcy6AiEF
Malware Config
Extracted
- Family: spynote
- C2: 81.161.229.3:7771
Signatures
- Spynote
  Spynote is a Remote Access Trojan first seen in 2017.
- Makes use of the framework's Accessibility service (2 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes:
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | bottom.laura.gravit
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | bottom.laura.gravit
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | bottom.laura.gravit
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP, 1 IoC)
  Processes:
  description | ioc | process
  Framework service call | android.content.pm.IPackageManager.getInstalledApplications | bottom.laura.gravit
- Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs an executable file dropped on the device during analysis.
  Processes:
  ioc | pid | process
  /data/user/0/bottom.laura.gravit/app_DynamicOptDex/Bdc.json | 4253 | bottom.laura.gravit
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  The application may abuse the framework's foreground service to keep running in the foreground.
  Processes:
  description | ioc | process
  Framework service call | android.app.IActivityManager.setServiceForeground | bottom.laura.gravit
- Requests enabling of the accessibility settings (1 IoC)
  Processes:
  description | ioc | process
  Intent action | android.settings.ACCESSIBILITY_SETTINGS | bottom.laura.gravit
- Acquires the wake lock (1 IoC)
  Processes:
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | bottom.laura.gravit
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  Processes:
  description | ioc | process
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | bottom.laura.gravit
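The signature tables above are, in effect, a rule set over framework service calls and intent actions attributed to a process. The Python below is an added example, not part of this report and not the sandbox's own detection code: it transcribes those rules and runs them over a constructed event log in a "process | kind | value" shape modelled on the IoC rows. The log format, the "Loads file" event kind and the benign package com.example.benign are assumptions for illustration; the dropped-Dex rule flags any file loaded from the process's own /data/user/0/<package>/ directory, which is the path shape the report records for Bdc.json.

```python
"""Match sandbox behavioural events against the signatures listed in the report.
Added example; the rule set is our transcription of the report's IoC tables."""
from collections import defaultdict


def exact(expected):
    """Predicate: the event value equals the given framework call / intent action."""
    return lambda process, value: value == expected


def under_own_data_dir(process, value):
    """Predicate: a file loaded from the app's private data directory, i.e. a
    payload written at runtime rather than shipped inside the APK. The report's
    Bdc.json lives under /data/user/0/bottom.laura.gravit/app_DynamicOptDex/."""
    return value.startswith(f"/data/user/0/{process}/")


# One entry per signature in the report: a list of (event kind, predicate) pairs.
RULES = {
    "Makes use of the framework's Accessibility service": [
        ("Framework service call", exact("android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId")),
        ("Framework service call", exact("android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText")),
        ("Framework service call", exact("android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId")),
    ],
    "Queries a list of all the installed applications on the device": [
        ("Framework service call", exact("android.content.pm.IPackageManager.getInstalledApplications")),
    ],
    "Loads dropped Dex/Jar": [
        ("Loads file", under_own_data_dir),
    ],
    "Makes use of the framework's foreground persistence service": [
        ("Framework service call", exact("android.app.IActivityManager.setServiceForeground")),
    ],
    "Requests enabling of the accessibility settings": [
        ("Intent action", exact("android.settings.ACCESSIBILITY_SETTINGS")),
    ],
    "Acquires the wake lock": [
        ("Framework service call", exact("android.os.IPowerManager.acquireWakeLock")),
    ],
    "Requests disabling of battery optimizations": [
        ("Intent action", exact("android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS")),
    ],
}

# Constructed event log (not real sandbox output): the malicious rows mirror the
# report's IoCs; com.example.benign is an assumed benign app for contrast.
SAMPLE_LOG = """
bottom.laura.gravit | Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
bottom.laura.gravit | Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
bottom.laura.gravit | Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
bottom.laura.gravit | Framework service call | android.content.pm.IPackageManager.getInstalledApplications
bottom.laura.gravit | Loads file | /data/user/0/bottom.laura.gravit/app_DynamicOptDex/Bdc.json
bottom.laura.gravit | Framework service call | android.app.IActivityManager.setServiceForeground
bottom.laura.gravit | Intent action | android.settings.ACCESSIBILITY_SETTINGS
bottom.laura.gravit | Framework service call | android.os.IPowerManager.acquireWakeLock
bottom.laura.gravit | Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
com.example.benign | Framework service call | android.app.IActivityManager.setServiceForeground
com.example.benign | Loads file | /system/framework/framework.jar
"""


def parse_events(text):
    """Parse the constructed 'process | kind | value' log into tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        process, kind, value = (part.strip() for part in line.split(" | ", 2))
        events.append((process, kind, value))
    return events


def match_signatures(events):
    """Return {process: {signature name: [matching IoC values]}} for fired rules."""
    fired = defaultdict(lambda: defaultdict(list))
    for process, kind, value in events:
        for name, checks in RULES.items():
            for want_kind, predicate in checks:
                if kind == want_kind and predicate(process, value):
                    fired[process][name].append(value)
    return {process: dict(sigs) for process, sigs in fired.items()}


if __name__ == "__main__":
    for process, sigs in match_signatures(parse_events(SAMPLE_LOG)).items():
        print(f"{process}: {len(sigs)}/{len(RULES)} signatures fired")
        for name, values in sigs.items():
            print(f"  - {name} ({len(values)} IoCs)")
```

Run stand-alone it reports all seven signatures for bottom.laura.gravit and only the foreground-service one for the benign app; the foreground-service and wake-lock rules fire on plenty of legitimate software, so on their own they are weak evidence, and it is the accessibility-plus-dropped-Dex combination that carries the weight here.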
Processes
- bottom.laura.gravit
  - Makes use of the framework's Accessibility service
  - Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Requests enabling of the accessibility settings
  - Acquires the wake lock
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
Network
MITRE ATT&CK Matrix
Downloads
- /data/user/0/bottom.laura.gravit/app_DynamicOptDex/Bdc.json
  Filesize: 3.1MB
  MD5: 6433afc5c442afe0ac08ec87c1ec24b1
  SHA1: 01412cabfb5e15d7cf125addbb2d0ef24a6e34d4
  SHA256: 0299897642e376c24bafdf6ed4a0f735b3b69af6e3c8e157611f206d01d11cf0
  SHA512: 8a0d5e690bbaba2c73916091a9f69ab6135a8cc8226e8165b6b1e10574672bab964398efd159f199e3fd84bdb05b1b5c624374c10a73f24e19e4275c503869d7
- /data/user/0/bottom.laura.gravit/app_DynamicOptDex/Bdc.json
  Filesize: 3.1MB
  MD5: 378972897c38b75b54e74f49ac4d1e61
  SHA1: 6442d6a9a3a1a363e155f78b8987e4b049bca0a8
  SHA256: 6f1072ff85569353b97010ff3f14ba62dde74c43c8aef82e631ca0e5795c151a
  SHA512: ca84c6c969a56ff5108829a7244ef8a5ade37b9348321c7b129bf51ad6987c24b01d18750f9d8dffa3d89d5612dcb52f6db439d90b06ca56ede05a80340b0d02
- /data/user/0/bottom.laura.gravit/app_DynamicOptDex/Bdc.json
  Filesize: 6.7MB
  MD5: 4849ef3d3a8baaf2876ed9556cc8a32d
  SHA1: 5d7e4266d0dd9d4544f933a37b6541b686d06578
  SHA256: 5e8517b64d010c766d00f110c585f23ac5e4bc1336c64bd67003a1a8ddc2d0d3
  SHA512: 888742fc68c5be2b095e356a71ae624c79062cfe664f5236a20dc73149724a7d17f9297d6998ce2a078bfbeb1be98bdc1a4a4765989f63078c5f393293561a76
- /storage/emulated/0/Config/sys/apps/log/log-2024-03-22.txt
  Filesize: 25B
  MD5: fd8ed43ac31bbf329c395582c15753cd
  SHA1: 3c76ee3fa79dde645c0447d6b23d6f435efb3b72
  SHA256: 049d51bf61bf26d7b9e55391560cc23ec59d2240453ac81b87f2e81153b0fcaf
  SHA512: 77bb10d1eeeea15fc35f7232af698c951d3f47a5fff56682bbc32f6bea9ebecc997d89ed88c6dff9c226c09446261f184ecbac9697f95799753d73a71e6c4d37
- /storage/emulated/0/Config/sys/apps/log/log-2024-03-22.txt
  Filesize: 25B
  MD5: ba30336bf53d54ed3c0ea69dd545de8c
  SHA1: ce99c6724c75b93b7448e2d9fac16ca702a5711f
  SHA256: 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
  SHA512: eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e
- /storage/emulated/0/Config/sys/apps/log/log-2024-03-22.txt
  Filesize: 41B
  MD5: 73ca8d6af8fdcb567754847440dbfa88
  SHA1: b1472b764ff81d8165ddfd2958a67aa0d4abddf4
  SHA256: 2296954497d649bc19a7b3213d05d51fc1a68ff71e7de01a7edd56ca0828f14d
  SHA512: 7fb52bb85e0e34f6a3ba928d5e88c2f004344bbd6ae3c163088e6aaaa59b5ce60484c78f93c10deabc6051323f7bbc0c87983ad260ebcb03cc42e49dc7b0019f
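The Downloads list records the same path /data/user/0/bottom.laura.gravit/app_DynamicOptDex/Bdc.json three times with different sizes and digests, so the file was rewritten during the run, and its ".json" name says nothing about what the Dex/Jar loader actually consumed. The Python below is an added example, not code from the report or the sandbox: it embeds the SHA256 values listed above, verifies a retrieved copy against report digests, groups the snapshots per path so rewrites become visible, and identifies a payload by its leading bytes instead of its extension. The dex/zip magic checks and the constructed stand-in payload are assumptions; no real dropped file is included, so the stand-in is expected not to match the report.

```python
"""Verify dropped-file digests against a sandbox report and identify a dropped
'.json' by content. Added example; only the SHA256 values come from the report."""
import hashlib

# (path, reported size, reported SHA256) copied from the Downloads section.
REPORT_DROPS = [
    ("/data/user/0/bottom.laura.gravit/app_DynamicOptDex/Bdc.json", "3.1MB",
     "0299897642e376c24bafdf6ed4a0f735b3b69af6e3c8e157611f206d01d11cf0"),
    ("/data/user/0/bottom.laura.gravit/app_DynamicOptDex/Bdc.json", "3.1MB",
     "6f1072ff85569353b97010ff3f14ba62dde74c43c8aef82e631ca0e5795c151a"),
    ("/data/user/0/bottom.laura.gravit/app_DynamicOptDex/Bdc.json", "6.7MB",
     "5e8517b64d010c766d00f110c585f23ac5e4bc1336c64bd67003a1a8ddc2d0d3"),
    ("/storage/emulated/0/Config/sys/apps/log/log-2024-03-22.txt", "25B",
     "049d51bf61bf26d7b9e55391560cc23ec59d2240453ac81b87f2e81153b0fcaf"),
    ("/storage/emulated/0/Config/sys/apps/log/log-2024-03-22.txt", "25B",
     "2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af"),
    ("/storage/emulated/0/Config/sys/apps/log/log-2024-03-22.txt", "41B",
     "2296954497d649bc19a7b3213d05d51fc1a68ff71e7de01a7edd56ca0828f14d"),
]

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")  # the four the report records


def digests(data: bytes) -> dict:
    """Compute every digest the report lists for an artefact."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def verify(data: bytes, expected: dict) -> dict:
    """Compare a retrieved artefact with report digests; one bool per algorithm.
    Report hashes are lowercased so copy-pasted uppercase values still match."""
    actual = digests(data)
    return {alg: actual[alg] == expected[alg].lower() for alg in expected}


def snapshots_by_path(drops) -> dict:
    """Group reported SHA256 values per path; >1 distinct value means the
    sandbox saw the file rewritten during the run."""
    out = {}
    for path, _size, sha256 in drops:
        out.setdefault(path, []).append(sha256)
    return out


def classify(data: bytes) -> str:
    """Identify a dropped payload by its leading bytes, ignoring the extension.
    Assumed magic values: 'dex\\n' starts a Dalvik executable header (followed by
    a version such as 035), 'PK\\x03\\x04' starts a zip container (jar/apk)."""
    if data.startswith(b"dex\n"):
        return "dex"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.lstrip()[:1] in (b"{", b"["):
        return "json-like"
    return "unknown"


if __name__ == "__main__":
    # Constructed stand-in: the real Bdc.json is not available here, so this
    # only demonstrates the checks; a real copy would be read from disk instead.
    fake_payload = b"dex\n035\x00" + b"\x00" * 32
    print("stand-in payload type:", classify(fake_payload))
    print("matches report SHA256?", verify(fake_payload, {"sha256": REPORT_DROPS[0][2]}))
    for path, shas in snapshots_by_path(REPORT_DROPS).items():
        print(f"{path}: {len(set(shas))} distinct contents captured")
```

When pulling the dropped file out of a device image or sandbox export, check it against all three reported SHA256 values rather than one, since any of the three snapshots may be the one that survived on disk.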