Overview

overview

10

Static

static

6

upgrade.apk

android-9-x86

7

upgrade.apk

android-10-x64

7

upgrade.apk

android-11-x64

7

childapp.apk

android-9-x86

10

childapp.apk

android-10-x64

10

childapp.apk

android-11-x64

10

Analysis

  • max time kernel
    180s
  • max time network
    189s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240514-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
  • submitted
    21-05-2024 05:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    childapp.apk

  • Size

    3.1MB

  • MD5

    2b499c1a64c45ce2959eb18fe64b2a6c

  • SHA1

    0466e8938274b0c7c20c10c462452f6669dbd559

  • SHA256

    38f104e1ebe425c3c3d00fc4e7d0e516173cf3ffb0774031514fc1b8ed6f212d

  • SHA512

    c80c58bbb68e65694e45a7914b2f7687eb91c58a9f0bcaffc1eaeda4c358fe82e7201d11178b27da17df63d83c72e41faed08439690de256f2533e0e4702a6c8

  • SSDEEP

    49152:EqjG1eSMlFIOW2B/pQYqjA8gAI0O2Aw/moHNebj+V+iKZtl8cPBuI3FS:EqCzMk2tq2307jebDiK3l8ML4

Score
10/10
spynotebankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

spynote

C2

chutiyahaitu.duckdns.org:chutiyahaitu.duckdns.org:8080:8080

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

    bankertrojaninfostealerratspynote
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information which indicate if the system is an emulator.

    evasiondiscovery
  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information which indicate if the system is an emulator.

    evasiondiscovery
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.appser.verapp
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4499

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.appser.verapp/app_ded/4OvCgj16GI4EciCgW9ki6UYfjKlP9oBl.dex
    Filesize

    1014KB

    MD5

    2e79475388ed68de19874e8642e2e889

    SHA1

    073bc6e1e797fda6bf7ba0cb214784449d628016

    SHA256

    e10fc5943cb761acee08addfc1fa8f0a2124b04013462a1a8705cda66fded91f

    SHA512

    30381f7bab66304387612cb599f8d78cd43af180efe879485f2607f238740724ea6e884ba5f277730e8920378c8e8d9f8cd208f1c74840231a5a9caaf8dea430

    Download Submit

  • /storage/emulated/0/Config/sys/apps/log/log-2024-05-21.txt
    Filesize

    52B

    MD5

    672fb66d48cbf8e9ba20841df68e5a7a

    SHA1

    867e0e7181d23b849a4186b0ed1c89268040934c

    SHA256

    d492658e77fa94e642d051f1326ebab86225c71eaa8f4b3dc124a19333114c4e

    SHA512

    323cadd8d3c48a924c3b51a98b37af1b53d5d00de0970d69cd1281bbc192a37f05142bbbf56dacef57401754332bf694110097eaffee66d1b33a19f2e8499888

    Download Submit

  • /storage/emulated/0/Config/sys/apps/log/log-2024-05-21.txt
    Filesize

    283B

    MD5

    494b261a53c279b6df8f016f074c7260

    SHA1

    ed88aa75b0cf8f53a9edd53f0cd8e3c6425b12c6

    SHA256

    c1e90db2a6b9dadcb1a68b54466bcd22ed27f026df0c2e5d42314636c98d64ea

    SHA512

    104a53f5776dd97f8a3f1c493825644a69c8d439cc841ed577ec538901e9501ab232841844ae6a7f67a730fcf6b896be5eaabd5de3f9b462d20b8dd3aa139b02

    Download Submit

  • /storage/emulated/0/Config/sys/apps/log/log-2024-05-21.txt
    Filesize

    28B

    MD5

    b526759c1c5f32d1e480f73d98684568

    SHA1

    205b4553d10be5cabdfca65e5461d427b656546d

    SHA256

    891362c5fb40d06ac17d0df709f7ddd1984669e7a4a0528b5ad2fdab483a30d4

    SHA512

    63187d02028571c51ade3468a429a987b5d3d5b811b4b5a8bc82a82af8fa8160eadc973398cf4a5e27dec925e288f8528a4e795119a49b532cd60f265b777c07

    Download Submit