Analysis

  • max time kernel
    24s
  • max time network
    188s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted
    21-05-2024 05:25

General

  • Target

    childapp.apk

  • Size

    3.1MB

  • MD5

    2b499c1a64c45ce2959eb18fe64b2a6c

  • SHA1

    0466e8938274b0c7c20c10c462452f6669dbd559

  • SHA256

    38f104e1ebe425c3c3d00fc4e7d0e516173cf3ffb0774031514fc1b8ed6f212d

  • SHA512

    c80c58bbb68e65694e45a7914b2f7687eb91c58a9f0bcaffc1eaeda4c358fe82e7201d11178b27da17df63d83c72e41faed08439690de256f2533e0e4702a6c8

  • SSDEEP

    49152:EqjG1eSMlFIOW2B/pQYqjA8gAI0O2Aw/moHNebj+V+iKZtl8cPBuI3FS:EqCzMk2tq2307jebDiK3l8ML4

Malware Config

Extracted

Family

spynote

C2

chutiyahaitu.duckdns.org:chutiyahaitu.duckdns.org:8080:8080

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information, which can indicate that the system is an emulator.

  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information, which can indicate that the system is an emulator.

  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.appser.verapp
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4319
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.appser.verapp/app_ded/uHlnrRVmxchOwH1kmTPWu16NQwNxF40g.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.appser.verapp/app_ded/oat/x86/uHlnrRVmxchOwH1kmTPWu16NQwNxF40g.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4344

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.appser.verapp/app_ded/uHlnrRVmxchOwH1kmTPWu16NQwNxF40g.dex
    Filesize

    1014KB

    MD5

    2e79475388ed68de19874e8642e2e889

    SHA1

    073bc6e1e797fda6bf7ba0cb214784449d628016

    SHA256

    e10fc5943cb761acee08addfc1fa8f0a2124b04013462a1a8705cda66fded91f

    SHA512

    30381f7bab66304387612cb599f8d78cd43af180efe879485f2607f238740724ea6e884ba5f277730e8920378c8e8d9f8cd208f1c74840231a5a9caaf8dea430

  • /data/user/0/com.appser.verapp/app_ded/uHlnrRVmxchOwH1kmTPWu16NQwNxF40g.dex
    Filesize

    1014KB

    MD5

    c4af6838e919222677276875c4fa4467

    SHA1

    75aa2fe79992290a060b5211db3024eb0cc119ac

    SHA256

    364fce5aefe1be918349973bc68d61f69b9b4ed907e99bd666908b4a2c89348b

    SHA512

    833eb2f98572616bb9162da44c0266b965c0145ac97418d76426d52564da5338e6aa014f60458084ab4a81beda71284ea32eda11a8cacda7d36c4a88a2abbe1a

  • /storage/emulated/0/Config/sys/apps/log/log-2024-05-21.txt
    Filesize

    52B

    MD5

    672fb66d48cbf8e9ba20841df68e5a7a

    SHA1

    867e0e7181d23b849a4186b0ed1c89268040934c

    SHA256

    d492658e77fa94e642d051f1326ebab86225c71eaa8f4b3dc124a19333114c4e

    SHA512

    323cadd8d3c48a924c3b51a98b37af1b53d5d00de0970d69cd1281bbc192a37f05142bbbf56dacef57401754332bf694110097eaffee66d1b33a19f2e8499888

  • /storage/emulated/0/Config/sys/apps/log/log-2024-05-21.txt
    Filesize

    283B

    MD5

    dcb51bd6d92d46e2a48946b546146ce0

    SHA1

    159e22c4f3a02e09e971d6e52b436636a68ebe6f

    SHA256

    c4ff2b567bfe390abac04b899e15bd35a531c82ba1417f768679faf8d0de7490

    SHA512

    0111b024d94d5ad88d87a7a56a5480818423b463f7cce5be28b926ff5dbf076fc612334506b2035bf8b602edff953b584a31fd17e82f2582d97324f019c354b7

  • /storage/emulated/0/Config/sys/apps/log/log-2024-05-21.txt
    Filesize

    28B

    MD5

    d2b49bb9a8a1e20f18508e760b47811d

    SHA1

    e7c6a4de64f8a00ddc43c52edcb3a7d1bd5fe802

    SHA256

    5105c68bc744dce2b52b19d8b7ef6b9798d5dc786a2c65750b8eabcf0d508e49

    SHA512

    dd6cbce6e9dc9848c72181afbb7d0a6135c47bb1f1c4217cd29ec4603048622b2e30fb171a0be8ce09ae31db61503b5695abd6e5a1eaca34e4d0ae8a528996c2