Analysis
-
max time kernel
178s -
max time network
135s -
platform
android_x86 -
resource
android-x86-arm-20240514-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system -
submitted
25-05-2024 16:14
Static task
static1
Behavioral task
behavioral1
Sample
miui _securitym.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
miui _securitym.apk
Resource
android-x64-20240514-en
Behavioral task
behavioral3
Sample
miui _securitym.apk
Resource
android-x64-arm64-20240514-en
General
-
Target
miui _securitym.apk
-
Size
4.8MB
-
MD5
3f59e1ea2c222a211f5643e50a256875
-
SHA1
2f68a1f887edf0535d62a1e05bf02976d645cb76
-
SHA256
8afc8b1d6f9c36304475b04b97bf404b789a3994f5f1aea6c480497e8b2f8ab1
-
SHA512
d9e3acc8c5073fd2ec89c5f974465e0f7fdbcf4d5ea101e9ba64199c807ad7110ed4cd9c1142d9cff025565fb1bfb788190b13cce131105ea9f17ed21acdc053
-
SSDEEP
98304:QKpHnqE7ztN2SChf3AODU3ZiMrdH12Hu6EU2rv6S3LaP44FRix4Ovw7Qyb3tE:QKNqE9QSChvAODg5dVB6EU297OFRiKfI
Malware Config
Signatures
-
Spynote
Spynote is a Remote Access Trojan first seen in 2017.
-
Spynote payload 2 IoCs
Processes:
resource yara_rule /data/data/com.miui.tencent.security/app_ded/sRCO464iJiUGTlDuUZY5KWScpfSh153d.dex family_spynote /data/user/0/com.miui.tencent.security/app_ded/sRCO464iJiUGTlDuUZY5KWScpfSh153d.dex family_spynote -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Processes:
com.miui.tencent.securitypid process 4267 com.miui.tencent.security -
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.miui.tencent.security/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.miui.tencent.security/app_ded/sRCO464iJiUGTlDuUZY5KWScpfSh153d.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.miui.tencent.security/app_ded/oat/x86/sRCO464iJiUGTlDuUZY5KWScpfSh153d.odex --compiler-filter=quicken --class-loader-context=&ioc pid process /data/user/0/com.miui.tencent.security/app_ded/sRCO464iJiUGTlDuUZY5KWScpfSh153d.dex 4267 com.miui.tencent.security /data/user/0/com.miui.tencent.security/app_ded/sRCO464iJiUGTlDuUZY5KWScpfSh153d.dex 4294 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.miui.tencent.security/app_ded/sRCO464iJiUGTlDuUZY5KWScpfSh153d.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.miui.tencent.security/app_ded/oat/x86/sRCO464iJiUGTlDuUZY5KWScpfSh153d.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.miui.tencent.security/app_ded/sRCO464iJiUGTlDuUZY5KWScpfSh153d.dex 4267 com.miui.tencent.security -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.miui.tencent.securitydescription ioc process Framework service call android.app.IActivityManager.setServiceForeground com.miui.tencent.security -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.miui.tencent.securitydescription ioc process Framework service call android.app.IActivityManager.registerReceiver com.miui.tencent.security -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.miui.tencent.securitydescription ioc process Framework API call javax.crypto.Cipher.doFinal com.miui.tencent.security
Processes
-
com.miui.tencent.security1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4267 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.miui.tencent.security/app_ded/sRCO464iJiUGTlDuUZY5KWScpfSh153d.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.miui.tencent.security/app_ded/oat/x86/sRCO464iJiUGTlDuUZY5KWScpfSh153d.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4294
-
Network
MITRE ATT&CK Mobile v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
572KB
MD5723f465939d7ea8f23c82e4c590d8efa
SHA19e6ff456ef587af71b89fae3e9d05717f77144bc
SHA25638a023f21bb7e4d95c5d100ab63ff3598f5d6dca2bd12c48120150fa18917614
SHA512f2c1538409e357c464b723a56b7f24650a231d34e59f286bd85a1a209129c1662f9ac6d19ad101f9fe16a16fc910602850d0f66f85fb9101cd5dcde1539090c0
-
Filesize
572KB
MD505bcf67aebb42c36319fca954665ff3d
SHA12fac23128fc7e7c8545968448d93fc6cc75a188c
SHA256e250a0489a1bd8e799a3f540ed5877b7fef910cb99d4da76534661bf2f51f4c6
SHA512c170e77a0f51244bb0a7d0ef64c708460b9cfe1e8851dae22e80fe6b75394f7a2598ea7fe17490c047e77baeb68024ec97a5b622b987027d3599778ee4c2e06c