Analysis
- max time kernel: 175s
- max time network: 139s
- platform: android_x64
- resource: android-x64-20240514-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240514-en, locale:en-us, os:android-10-x64, system
- submitted: 20-05-2024 20:09
Static task: static1
Behavioral task: behavioral1
  Sample: 005d36928b02814f6c3fb040a114a666e2aa2b976ea3c3af8a245ee41179b9fe.apk
  Resource: android-x64-20240514-en
Behavioral task: behavioral2
  Sample: 005d36928b02814f6c3fb040a114a666e2aa2b976ea3c3af8a245ee41179b9fe.apk
  Resource: android-x86-arm-20240514-en
General
- Target: 005d36928b02814f6c3fb040a114a666e2aa2b976ea3c3af8a245ee41179b9fe.apk
- Size: 1.2MB
- MD5: 00f5261cdc54cf4bbd5bafe5be01ec6f
- SHA1: 28b348b5950299a50ad611388672b2b4e4e8a7c0
- SHA256: 005d36928b02814f6c3fb040a114a666e2aa2b976ea3c3af8a245ee41179b9fe
- SHA512: b79b809236fb8e31ab177245d8f8f43aaccdfebb7d1219eca1c1515908500f8bd858c11c7683f993dd1e6cf37cab38bdaf11d66f802db4caa701998981986672
- SSDEEP: 24576:WXrV0d5h6G4svi6q7+vwSTE1sNSFE/md/DqS0+XaLmjRvqgJPWI0a:WZ0N6VsxqqHE1s8FhqDjLGRvqgJPt
Malware Config
Signatures
- Spynote
  Spynote is a Remote Access Trojan first seen in 2017.
- Spynote payload (1 IoC)
  Processes:
  resource                                                              | yara_rule
  /data/data/cmf0.c3b5bm90zq.patch/app_apkprotect_dex/apkprotect-v1.bin | family_spynote
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes (cmf0.c3b5bm90zq.patch):
  ioc                                                                     | pid  | process
  /data/user/0/cmf0.c3b5bm90zq.patch/app_apkprotect_dex/apkprotect-v1.bin | 5103 | cmf0.c3b5bm90zq.patch
  /data/user/0/cmf0.c3b5bm90zq.patch/app_apkprotect_dex/apkprotect-v1.bin | 5103 | cmf0.c3b5bm90zq.patch
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes (cmf0.c3b5bm90zq.patch):
  description            | ioc                                                  | process
  Framework service call | android.app.IActivityManager.setServiceForeground    | cmf0.c3b5bm90zq.patch
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Processes (cmf0.c3b5bm90zq.patch):
  description            | ioc                                                  | process
  Framework service call | android.app.IActivityManager.registerReceiver        | cmf0.c3b5bm90zq.patch
Processes
Network
MITRE ATT&CK Matrix
Downloads
- /data/data/cmf0.c3b5bm90zq.patch/app_apkprotect_dex/apkprotect-v1.bin
  Filesize: 572KB
  MD5: 4649857fa6b59ae9ee74fbeef81c5ff7
  SHA1: d2e041b6f630ec28a3d384f42abd3aecc70afd9e
  SHA256: 11911c2e1baaab2fbc457932fa85ba68d2b6fa66c42a64fe8254923fe35637b9
  SHA512: 58117953b70708c9f7130e1c5173c9fa4c8e7b12ac8cee0a1504e0bccd6011c0cc837422d24d8ae92beebe2f2de4f6479adfb47db90c8356c8147b1d99324d61
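The report names apkprotect-v1.bin twice: the family_spynote YARA rule fires on it, and the "Loads dropped Dex/Jar" signature records the app loading it from app_apkprotect_dex, so the .bin is the second-stage code rather than the APK itself. The Python below is a worked example added here, not part of the sandbox report or of any tool the report mentions. It matches a pulled file against the report's hash IoCs and identifies DEX, JAR/APK and ELF content by magic bytes instead of trusting the extension. Only the two SHA256 values are copied from the report; the directory layout, file contents and the cache.jar and notes.txt names used by demo() are constructed stand-ins.

```python
import hashlib
import io
import os
import tempfile
import zipfile

# Hash IoCs taken from the report: the submitted APK and the file it drops.
KNOWN_SHA256 = {
    "005d36928b02814f6c3fb040a114a666e2aa2b976ea3c3af8a245ee41179b9fe":
        "submitted APK (Spynote, cmf0.c3b5bm90zq.patch)",
    "11911c2e1baaab2fbc457932fa85ba68d2b6fa66c42a64fe8254923fe35637b9":
        "dropped payload app_apkprotect_dex/apkprotect-v1.bin",
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256/SHA512 in the order the report lists them."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def match_ioc(data: bytes):
    """Report label if the SHA256 matches one of its IoCs, else None."""
    return KNOWN_SHA256.get(file_hashes(data)["sha256"])


def classify(data: bytes) -> str:
    """Identify loadable Android code by magic bytes, ignoring the extension."""
    # DEX magic is "dex\n" + three-digit version + NUL, e.g. b"dex\n035\x00".
    if data[:4] == b"dex\n" and data[7:8] == b"\x00":
        return "dex v" + data[4:7].decode("ascii", "replace")
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:2] == b"PK":  # JAR/APK are ZIP containers; look for bytecode inside
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip (corrupt)"
        return "apk/jar (contains classes.dex)" if "classes.dex" in names else "zip"
    return "unknown"


def scan_tree(root: str) -> list:
    """Walk a pulled app data directory and return (relative path, kind,
    sha256, ioc label) for every file that is DEX, JAR/APK or ELF."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            kind = classify(data)
            if kind != "unknown":
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, kind, file_hashes(data)["sha256"], match_ioc(data)))
    return sorted(hits)


def demo() -> list:
    """Constructed stand-in for the pulled /data/data tree: a fake DEX under the
    report's path and .bin name, a JAR carrying a classes.dex entry, and a text
    file that must be ignored. None of these bytes are the real payload."""
    with tempfile.TemporaryDirectory() as root:
        pkg = os.path.join(root, "cmf0.c3b5bm90zq.patch")
        dex_dir = os.path.join(pkg, "app_apkprotect_dex")
        os.makedirs(dex_dir)
        with open(os.path.join(dex_dir, "apkprotect-v1.bin"), "wb") as fh:
            fh.write(b"dex\n035\x00" + b"\x00" * 24)  # constructed DEX header only
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("classes.dex", b"dex\n039\x00")
        with open(os.path.join(pkg, "cache.jar"), "wb") as fh:
            fh.write(buf.getvalue())
        with open(os.path.join(pkg, "notes.txt"), "wb") as fh:
            fh.write(b"just text\n")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, kind, sha, label in demo():
        print(f"{rel}: {kind} sha256={sha} ioc={label}")
```

On a rooted device or emulator, pull the package directory (adb pull /data/data/cmf0.c3b5bm90zq.patch) and pass it to scan_tree(); a DEX hit whose SHA256 equals the second report value is the same Spynote payload, while a DEX hit with a different hash under app_apkprotect_dex still deserves the same YARA pass, since the packer may re-emit the payload with a different hash.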