General

  • Target

    upgrade.apk

  • Size

    8.6MB

  • Sample

    240521-f4h26sbd32

  • MD5

    879341f5413a5c3b7c2ae9cb1dcfd63a

  • SHA1

    09115e34bb0bfe8d649237993f995c5161363c54

  • SHA256

    3cff417e481167c5065842c64f44b070538d993381d8cee8313ad1fd211e8999

  • SHA512

    05ac12cdc81561107a90029eb83a6fbf249ea67beb4c8a282b71046c0438a37e6dfe34d0e95d49e738eb63812631af0a833c6ddecf489eaf407eab749b2c75c9

  • SSDEEP

    196608:/J1eEIs5uMib8n0QKpVHlEmshxNJgYpnnrEjc02:B0Ed5MHmmsZu4nnwI02

Malware Config

Extracted

Family

spynote

C2

chutiyahaitu.duckdns.org:chutiyahaitu.duckdns.org:8080:8080

Targets

    • Target

      upgrade.apk

    • Size

      8.6MB

    • MD5

      879341f5413a5c3b7c2ae9cb1dcfd63a

    • SHA1

      09115e34bb0bfe8d649237993f995c5161363c54

    • SHA256

      3cff417e481167c5065842c64f44b070538d993381d8cee8313ad1fd211e8999

    • SHA512

      05ac12cdc81561107a90029eb83a6fbf249ea67beb4c8a282b71046c0438a37e6dfe34d0e95d49e738eb63812631af0a833c6ddecf489eaf407eab749b2c75c9

    • SSDEEP

      196608:/J1eEIs5uMib8n0QKpVHlEmshxNJgYpnnrEjc02:B0Ed5MHmmsZu4nnwI02

    Score
    7/10
    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Target

      childapp.apk

    • Size

      3.1MB

    • MD5

      2b499c1a64c45ce2959eb18fe64b2a6c

    • SHA1

      0466e8938274b0c7c20c10c462452f6669dbd559

    • SHA256

      38f104e1ebe425c3c3d00fc4e7d0e516173cf3ffb0774031514fc1b8ed6f212d

    • SHA512

      c80c58bbb68e65694e45a7914b2f7687eb91c58a9f0bcaffc1eaeda4c358fe82e7201d11178b27da17df63d83c72e41faed08439690de256f2533e0e4702a6c8

    • SSDEEP

      49152:EqjG1eSMlFIOW2B/pQYqjA8gAI0O2Aw/moHNebj+V+iKZtl8cPBuI3FS:EqCzMk2tq2307jebDiK3l8ML4

    • Spynote

      Spynote is a Remote Access Trojan first seen in 2017.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Removes its main activity from the application launcher

    • Checks CPU information

      Checks CPU information which indicate if the system is an emulator.

    • Checks memory information

      Checks memory information which indicate if the system is an emulator.

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries the mobile country code (MCC)

    • Registers a broadcast receiver at runtime (usually for listening for system events)

    • Acquires the wake lock

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Schedules tasks to execute at a specified time

      Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

MITRE ATT&CK Matrix

Tasks