spynote | 107169ae6951a5cba57d2a0cd274e28fadf5c73d73e91a386f15cf4dc35edd38

Analysis

max time kernel
3s
max time network
132s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
submitted
17-05-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

660159f431b5f8ec8c4fed0298168d1a.apk
Size

663KB
MD5

660159f431b5f8ec8c4fed0298168d1a
SHA1

d738fd0844dcfa47ebdf53d835ab130f2132a6c2
SHA256

107169ae6951a5cba57d2a0cd274e28fadf5c73d73e91a386f15cf4dc35edd38
SHA512

26514f82078177e0d7e5c42c71af832494913eb68dce7f6107b1f468a43c37b98b1007ad46ee18bf3e24f147f2025f3ec1e9bb26c48f2a69ff07ff02355f39e3
SSDEEP

12288:TKdla+OAnycLhuDoQ/GbJ7VKQZFM/2tvPiGrZ:4N9nTOoQ/G97VKQZrHiG

Score

10^/10

spynote banker discovery evasion infostealer persistence rat trojan

Malware Config

Signatures

Spynote
Spynote is a Remote Access Trojan first seen in 2017.
banker trojan infostealer rat spynote

Spynote payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/GOOD.BYE.GOOGLE/app_mph_dex/classes.dex	family_spynote

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

GOOD.BYE.GOOGLE

ioc	pid	process
/data/user/0/GOOD.BYE.GOOGLE/app_mph_dex/classes.dex	4627	GOOD.BYE.GOOGLE
/data/user/0/GOOD.BYE.GOOGLE/app_mph_dex/classes.dex	4627	GOOD.BYE.GOOGLE

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

GOOD.BYE.GOOGLE

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground GOOD.BYE.GOOGLE

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	GOOD.BYE.GOOGLE

Requests dangerous framework permissions 4 IoCs

Processes:

description	ioc
Allows an app to access precise location.	android.permission.ACCESS_FINE_LOCATION
Required to be able to access the camera device.	android.permission.CAMERA
Allows an application to read from external storage.	android.permission.READ_EXTERNAL_STORAGE
Allows an application to write to external storage.	android.permission.WRITE_EXTERNAL_STORAGE

GOOD.BYE.GOOGLE
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
PID:4627

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/GOOD.BYE.GOOGLE/app_mph_dex/classes.dex

Filesize
572KB

MD5
4565def4512efe74e999abf013c91b2d

SHA1
e5cfc824020ce194e3c5e323cfeaf24caaf30ad6

SHA256
bcab89c43b0252d44a028c4fa46702c401663d70cf445d0b46c5e68ae3980b27

SHA512
7bea9f690e00b8bcecded81a8e48e869328ffb9f04796a99f4aa689f7e45433399d5ba3b748ba69f3303745a028ff78f42359bb475345240496af99e7f552425

Download Submit
/storage/emulated/0/Android sIwI Tester/base.apk

Filesize
75KB

MD5
a1a86552141bda3b9713014780192a11

SHA1
134b53eb8b772f752ae4019b5f9b660c780e7773

SHA256
a16ff645695e230b9188b80829c021c44d2a80a2bb904dac2f6e96d981943502

SHA512
deb8b634f3724d52edf65875ab5e11c01b1406a684d9b57e87de11b0918f78a17fcde0a9dcfc4b08709ebc3851327670bf792fefae523cd972c5fc7318aa54c2

Download Submit