Analysis
-
max time kernel
4s -
max time network
184s -
platform
android_x64 -
resource
android-x64-20240514-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240514-enlocale:en-usos:android-10-x64system -
submitted
17-05-2024 18:22
Static task
static1
Behavioral task
behavioral1
Sample
48dae89653161e7c3e4829d5451702dc.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
48dae89653161e7c3e4829d5451702dc.apk
Resource
android-x64-20240514-en
General
-
Target
48dae89653161e7c3e4829d5451702dc.apk
-
Size
3.0MB
-
MD5
48dae89653161e7c3e4829d5451702dc
-
SHA1
213b7f8c3f26a87b116927143289886742b979a1
-
SHA256
78e669d3b20e5f1f33985f7228bf6a9410f61cb949fc0e9df5379537d54f981c
-
SHA512
a07bc275d1e2cbc9da8ee789f4bec25e6846a8d0acab7479953fc45589165ba694e89de38241a0f8ecabe962f75d589ac4eae16e9d20d4539da6ffb46640189a
-
SSDEEP
49152:ok/FTOoQl1Wc3kQdaWWce2Te6ECrYvEVZNap5HbGO0wnREZvDv:oOFSHz3kQAW3fTdEpMnsPbN9RO
Malware Config
Signatures
-
Spynote
Spynote is a Remote Access Trojan first seen in 2017.
-
Spynote payload 1 IoCs
Processes:
resource yara_rule /data/data/GOOD.BYE.GOOGLE/app_mph_dex/classes.dex family_spynote -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
GOOD.BYE.GOOGLEioc pid process /data/user/0/GOOD.BYE.GOOGLE/app_mph_dex/classes.dex 5116 GOOD.BYE.GOOGLE /data/user/0/GOOD.BYE.GOOGLE/app_mph_dex/classes.dex 5116 GOOD.BYE.GOOGLE -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
GOOD.BYE.GOOGLEdescription ioc process Framework service call android.app.IActivityManager.setServiceForeground GOOD.BYE.GOOGLE -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
GOOD.BYE.GOOGLEdescription ioc process Framework service call android.app.IActivityManager.registerReceiver GOOD.BYE.GOOGLE -
Requests dangerous framework permissions 2 IoCs
Processes:
description ioc Required to be able to access the camera device. android.permission.CAMERA Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
GOOD.BYE.GOOGLEdescription ioc process Framework API call javax.crypto.Cipher.doFinal GOOD.BYE.GOOGLE
Processes
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/GOOD.BYE.GOOGLE/app_mph_dex/classes.dexFilesize
572KB
MD54565def4512efe74e999abf013c91b2d
SHA1e5cfc824020ce194e3c5e323cfeaf24caaf30ad6
SHA256bcab89c43b0252d44a028c4fa46702c401663d70cf445d0b46c5e68ae3980b27
SHA5127bea9f690e00b8bcecded81a8e48e869328ffb9f04796a99f4aa689f7e45433399d5ba3b748ba69f3303745a028ff78f42359bb475345240496af99e7f552425
-
/storage/emulated/0/Android Covid/base.apkFilesize
2.6MB
MD59f9098cd949fc90785c3fe1afccdca3e
SHA1c28083fd26c3067f1c29755f450dcba077212533
SHA256e441af83f445a1af90e738e4ad2ba5285304a3e9a2031013b887948dab4ffafd
SHA51226ed74d1f0089133c082ccee2ce02c799b0342aaceadfd5223bb4135cb980eb743797bf5e64b4ec97f7a68cbac58c192027dcb05a029b064dbb5aaf26654432d