Analysis
- max time kernel: 24s
- max time network: 188s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 21-05-2024 05:25

Static task: static1
Behavioral task: behavioral1 (sample upgrade.apk, resource android-x86-arm-20240514-en)
Behavioral task: behavioral2 (sample upgrade.apk, resource android-x64-20240514-en)
Behavioral task: behavioral3 (sample upgrade.apk, resource android-x64-arm64-20240514-en)
Behavioral task: behavioral4 (sample childapp.apk, resource android-x86-arm-20240514-en)
Behavioral task: behavioral5 (sample childapp.apk, resource android-x64-20240514-en)
Behavioral task: behavioral6 (sample childapp.apk, resource android-x64-arm64-20240514-en)
General
- Target: childapp.apk
- Size: 3.1MB
- MD5: 2b499c1a64c45ce2959eb18fe64b2a6c
- SHA1: 0466e8938274b0c7c20c10c462452f6669dbd559
- SHA256: 38f104e1ebe425c3c3d00fc4e7d0e516173cf3ffb0774031514fc1b8ed6f212d
- SHA512: c80c58bbb68e65694e45a7914b2f7687eb91c58a9f0bcaffc1eaeda4c358fe82e7201d11178b27da17df63d83c72e41faed08439690de256f2533e0e4702a6c8
- SSDEEP: 49152:EqjG1eSMlFIOW2B/pQYqjA8gAI0O2Aw/moHNebj+V+iKZtl8cPBuI3FS:EqCzMk2tq2307jebDiK3l8ML4
Malware Config
Extracted
- Family: spynote
- C2: chutiyahaitu.duckdns.org:chutiyahaitu.duckdns.org:8080:8080
Signatures

- Spynote
  Spynote is a Remote Access Trojan first seen in 2017.

- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes: com.appser.verapp
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.appser.verapp
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.appser.verapp

- Checks CPU information (2 TTPs, 1 IoC)
  Checks CPU information that indicates whether the system is an emulator.
  Processes: com.appser.verapp
  description | ioc | process
  File opened for read | /proc/cpuinfo | com.appser.verapp

- Checks memory information (2 TTPs, 1 IoC)
  Checks memory information that indicates whether the system is an emulator.
  Processes: com.appser.verapp
  description | ioc | process
  File opened for read | /proc/meminfo | com.appser.verapp

- Loads dropped Dex/Jar (1 TTP, 3 IoCs)
  Runs an executable file dropped to the device during analysis.
  Processes:
  - com.appser.verapp
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.appser.verapp/app_ded/uHlnrRVmxchOwH1kmTPWu16NQwNxF40g.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.appser.verapp/app_ded/oat/x86/uHlnrRVmxchOwH1kmTPWu16NQwNxF40g.odex --compiler-filter=quicken --class-loader-context=&
  ioc | pid | process
  /data/user/0/com.appser.verapp/app_ded/uHlnrRVmxchOwH1kmTPWu16NQwNxF40g.dex | 4319 | com.appser.verapp
  /data/user/0/com.appser.verapp/app_ded/uHlnrRVmxchOwH1kmTPWu16NQwNxF40g.dex | 4344 | /system/bin/dex2oat (full command line listed above)
  /data/user/0/com.appser.verapp/app_ded/uHlnrRVmxchOwH1kmTPWu16NQwNxF40g.dex | 4319 | com.appser.verapp

- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  The application may abuse the framework's foreground service to keep running in the foreground.
  Processes: com.appser.verapp
  description | ioc | process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.appser.verapp

- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Processes: com.appser.verapp
  description | ioc | process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.appser.verapp

- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Processes: com.appser.verapp
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | com.appser.verapp

- Acquires the wake lock (1 IoC)
  Processes: com.appser.verapp
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.appser.verapp

- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  Processes: com.appser.verapp
  description | ioc | process
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.appser.verapp

- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Processes: com.appser.verapp
  description | ioc | process
  Framework API call | javax.crypto.Cipher.doFinal | com.appser.verapp
Processes
- com.appser.verapp (PID 4319)
  - Makes use of the framework's Accessibility service
  - Removes its main activity from the application launcher
  - Checks CPU information
  - Checks memory information
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Acquires the wake lock
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Uses Crypto APIs (might try to encrypt user data)
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.appser.verapp/app_ded/uHlnrRVmxchOwH1kmTPWu16NQwNxF40g.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.appser.verapp/app_ded/oat/x86/uHlnrRVmxchOwH1kmTPWu16NQwNxF40g.odex --compiler-filter=quicken --class-loader-context=& (PID 4344)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Replay Monitor
Downloads
- /data/data/com.appser.verapp/app_ded/uHlnrRVmxchOwH1kmTPWu16NQwNxF40g.dex (1014KB)
- /data/user/0/com.appser.verapp/app_ded/uHlnrRVmxchOwH1kmTPWu16NQwNxF40g.dex (1014KB)
- /storage/emulated/0/Config/sys/apps/log/log-2024-05-21.txt (52B)
- /storage/emulated/0/Config/sys/apps/log/log-2024-05-21.txt (283B)
- /storage/emulated/0/Config/sys/apps/log/log-2024-05-21.txt (28B)