Analysis

  • max time kernel
    124s
  • max time network
    228s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240229-en
  • resource tags

    android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240229-en, locale:en-us, os:android-13-x64, system
  • submitted
    22-03-2024 17:58

General

  • Target

    SNS_24.apk

  • Size

    7.2MB

  • MD5

    da6f538294ce7f79e17acd65a8a2a0de

  • SHA1

    2ae33b52c49a819e3fa4875a6e2178d232d344fb

  • SHA256

    a79ebbd3eb73942b0e4c430f50b0dca4a30d51abffa4671b8baba1d1d2786a4e

  • SHA512

    6aa6cbdb1e8ab6204bef5a8ccfc85448d67d46dd1c7b3375f3c5b3c7010f4015db1e02b0c132d715319ec21344df24ca525a1086a637602cd640b6be39afe209

  • SSDEEP

    98304:eKefDhiwzjxcMlmzWTx0tfzBs01ev7UOkjYKJyQPsZxIlW+T8XU8DRQAiE8bTSlP:nefc8yMIz2OrAU9YAsZxcy6AiEF

Malware Config

Extracted

Family

spynote

C2

81.161.229.3:7771

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

  • Makes use of the framework's Accessibility service (2 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs, 1 IoCs)
  • Loads dropped Dex/Jar (1 TTPs, 1 IoCs)

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Requests enabling of the accessibility settings (1 IoCs)
  • Acquires the wake lock (1 IoCs)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)

Processes

  • bottom.laura.gravit
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Requests enabling of the accessibility settings.
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4253

Network

MITRE ATT&CK Matrix

Downloads

  • /data/user/0/bottom.laura.gravit/app_DynamicOptDex/Bdc.json
    Filesize

    3.1MB

    MD5

    6433afc5c442afe0ac08ec87c1ec24b1

    SHA1

    01412cabfb5e15d7cf125addbb2d0ef24a6e34d4

    SHA256

    0299897642e376c24bafdf6ed4a0f735b3b69af6e3c8e157611f206d01d11cf0

    SHA512

    8a0d5e690bbaba2c73916091a9f69ab6135a8cc8226e8165b6b1e10574672bab964398efd159f199e3fd84bdb05b1b5c624374c10a73f24e19e4275c503869d7

  • /data/user/0/bottom.laura.gravit/app_DynamicOptDex/Bdc.json
    Filesize

    3.1MB

    MD5

    378972897c38b75b54e74f49ac4d1e61

    SHA1

    6442d6a9a3a1a363e155f78b8987e4b049bca0a8

    SHA256

    6f1072ff85569353b97010ff3f14ba62dde74c43c8aef82e631ca0e5795c151a

    SHA512

    ca84c6c969a56ff5108829a7244ef8a5ade37b9348321c7b129bf51ad6987c24b01d18750f9d8dffa3d89d5612dcb52f6db439d90b06ca56ede05a80340b0d02

  • /data/user/0/bottom.laura.gravit/app_DynamicOptDex/Bdc.json
    Filesize

    6.7MB

    MD5

    4849ef3d3a8baaf2876ed9556cc8a32d

    SHA1

    5d7e4266d0dd9d4544f933a37b6541b686d06578

    SHA256

    5e8517b64d010c766d00f110c585f23ac5e4bc1336c64bd67003a1a8ddc2d0d3

    SHA512

    888742fc68c5be2b095e356a71ae624c79062cfe664f5236a20dc73149724a7d17f9297d6998ce2a078bfbeb1be98bdc1a4a4765989f63078c5f393293561a76

  • /storage/emulated/0/Config/sys/apps/log/log-2024-03-22.txt
    Filesize

    25B

    MD5

    fd8ed43ac31bbf329c395582c15753cd

    SHA1

    3c76ee3fa79dde645c0447d6b23d6f435efb3b72

    SHA256

    049d51bf61bf26d7b9e55391560cc23ec59d2240453ac81b87f2e81153b0fcaf

    SHA512

    77bb10d1eeeea15fc35f7232af698c951d3f47a5fff56682bbc32f6bea9ebecc997d89ed88c6dff9c226c09446261f184ecbac9697f95799753d73a71e6c4d37

  • /storage/emulated/0/Config/sys/apps/log/log-2024-03-22.txt
    Filesize

    25B

    MD5

    ba30336bf53d54ed3c0ea69dd545de8c

    SHA1

    ce99c6724c75b93b7448e2d9fac16ca702a5711f

    SHA256

    2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

    SHA512

    eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

  • /storage/emulated/0/Config/sys/apps/log/log-2024-03-22.txt
    Filesize

    41B

    MD5

    73ca8d6af8fdcb567754847440dbfa88

    SHA1

    b1472b764ff81d8165ddfd2958a67aa0d4abddf4

    SHA256

    2296954497d649bc19a7b3213d05d51fc1a68ff71e7de01a7edd56ca0828f14d

    SHA512

    7fb52bb85e0e34f6a3ba928d5e88c2f004344bbd6ae3c163088e6aaaa59b5ce60484c78f93c10deabc6051323f7bbc0c87983ad260ebcb03cc42e49dc7b0019f