Overview
Tasks (sidebar: score | sample | platform)
10 | Static | -
10 | SpyNote_v6...pi.dll | windows7-x64
1 | SpyNote_v6...6.html | windows7-x64
1 | SpyNote_v6...2.html | windows7-x64
1 | SpyNote_v6...9.html | windows7-x64
1 | SpyNote_v6...SM.dll | windows7-x64
1 | SpyNote_v6...SL.exe | windows7-x64
1 | apktool/apktool.bat | windows7-x64
1 | apktool/apktool.jar | windows7-x64
1 | apktool/signapk.jar | windows7-x64
1 | SpyNote_v6...ub.apk | windows7-x64
3 | SpyNote_v6...va.jar | windows7-x64
1 | SpyNote_v6...sS.exe | windows7-x64
1 | platform-t...pi.dll | windows7-x64
3 | platform-t...pi.dll | windows7-x64
1 | platform-t...db.exe | windows7-x64
1 | platform-t...mp.exe | windows7-x64
1 | platform-t...ol.exe | windows7-x64
1 | platform-t...ot.exe | windows7-x64
1 | platform-t...nv.exe | windows7-x64
1 | platform-t...c++.so | windows7-x64
3 | platform-t...-1.dll | windows7-x64
1 | platform-t...fs.exe | windows7-x64
1 | platform-t...fs.exe | windows7-x64
1 | platform-t...e3.exe | windows7-x64
1 | platform-t...t__.py | windows7-x64
3 | platform-t...ror.py | windows7-x64
3 | platform-t...per.py | windows7-x64
3 | platform-t...est.py | windows7-x64
3 | platform-t...est.py | windows7-x64
3 | platform-t..._tests | windows7-x64
1 | SpyNote_v6...in.exe | windows7-x64
1 | SpyNote_v6...te.exe | windows7-x64
5 | Analysis | -

Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-05-2024 08:47
Behavioral tasks (task: sample (resource image))
behavioral1: SpyNote_v6.4/CoreAudioApi.dll (win7-20240221-en)
behavioral2: SpyNote_v6.4/Resources/Clients/KingB_354051091211537/Settings/2021-11-9--11-07-16.html (win7-20240221-en)
behavioral3: SpyNote_v6.4/Resources/Clients/Vicitim_354051091211537/Apps/2021-27-9--17-10-52.html (win7-20240221-en)
behavioral4: SpyNote_v6.4/Resources/Clients/Vicitim_354051091211537/Settings/2021-27-9--17-12-59.html (win7-20240419-en)
behavioral5: SpyNote_v6.4/Resources/Imports/Gsm/GSM.dll (win7-20240508-en)
behavioral6: SpyNote_v6.4/Resources/Imports/Payload/SL.exe (win7-20231129-en)
behavioral7: apktool/apktool.bat (win7-20240221-en)
behavioral8: apktool/apktool.jar (win7-20240508-en)
behavioral9: apktool/signapk.jar (win7-20240419-en)
behavioral10: SpyNote_v6.4/Resources/Imports/Payload/stub.apk (win7-20231129-en)
behavioral11: SpyNote_v6.4/Resources/Imports/PlayerJava/PlayerJava.jar (win7-20240221-en)
behavioral12: SpyNote_v6.4/Resources/Imports/T/sS.exe (win7-20240221-en)
behavioral13: platform-tools/AdbWinApi.dll (win7-20240508-en)
behavioral14: platform-tools/AdbWinUsbApi.dll (win7-20240508-en)
behavioral15: platform-tools/adb.exe (win7-20240221-en)
behavioral16: platform-tools/dmtracedump.exe (win7-20240508-en)
behavioral17: platform-tools/etc1tool.exe (win7-20231129-en)
behavioral18: platform-tools/fastboot.exe (win7-20240221-en)
behavioral19: platform-tools/hprof-conv.exe (win7-20240508-en)
behavioral20: platform-tools/lib64/libc++.so (win7-20240215-en)
behavioral21: platform-tools/libwinpthread-1.dll (win7-20240508-en)
behavioral22: platform-tools/make_f2fs.exe (win7-20240221-en)
behavioral23: platform-tools/mke2fs.exe (win7-20240419-en)
behavioral24: platform-tools/sqlite3.exe (win7-20240221-en)
behavioral25: platform-tools/systrace/catapult/common/battor/battor/__init__.py (win7-20240221-en)
behavioral26: platform-tools/systrace/catapult/common/battor/battor/battor_error.py (win7-20240419-en)
behavioral27: platform-tools/systrace/catapult/common/battor/battor/battor_wrapper.py (win7-20231129-en)
behavioral28: platform-tools/systrace/catapult/common/battor/battor/battor_wrapper_devicetest.py (win7-20240508-en)
behavioral29: platform-tools/systrace/catapult/common/battor/battor/battor_wrapper_unittest.py (win7-20240508-en)
behavioral30: platform-tools/systrace/catapult/common/battor/bin/run_py_tests (win7-20240221-en)
behavioral31: SpyNote_v6.4/Resources/Imports/platform-tools/plwin.exe (win7-20240215-en)
behavioral32: SpyNote_v6.4/SpyNote.exe (win7-20240508-en)
General
Target: platform-tools/systrace/catapult/common/battor/battor/__init__.py
Size: 1012B
MD5: 4a275f2b0004229f8139d160a78c8160
SHA1: cc39f21bf20dc2c3cec76fb71f8c82e1fec330f0
SHA256: 3802690854d1135413a8946b5f355ccc580c974a289a13e72fe98ef8a8f900a5
SHA512: 539c630a59b2ed1593483d4c853192c0cd041d816b9367d843510ecf2f992812323422523cb545f437cfd2382607d50b24567645228b0a3cf033896be69b94e9
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  All nine writes are made by rundll32.exe, which the process tree below shows cmd.exe launching as shell32.dll,OpenAs_RunDLL on the .py file. They register a py_auto_file ProgID whose Read verb runs AcroRd32.exe and map .py to it: this is the Open With dialog creating a .py association in the sandbox user's HKCU Classes hive because the guest has no handler for .py, not an association written by the analysed file itself.
  Processes: rundll32.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
  - Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read
  - Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file
  - Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\
  - Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py
  - Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py\ = "py_auto_file"
  - Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell
  - Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command
  - Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: AcroRd32.exe (PID 2768)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe (PID 2768), both IoCs
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  - PID 2252 (cmd.exe) wrote to memory of PID 2524 (rundll32.exe): 3 IoCs
  - PID 2524 (rundll32.exe) wrote to memory of PID 2768 (AcroRd32.exe): 4 IoCs
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\platform-tools\systrace\catapult\common\battor\battor\__init__.py
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\platform-tools\systrace\catapult\common\battor\battor\__init__.py
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\platform-tools\systrace\catapult\common\battor\battor\__init__.py"
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
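The WriteProcessMemory chain and the nine registry IoCs above are enough to rebuild the process tree and to decide whether a new file association was planted by the analysed file or merely created by the Open With dialog. The Python below is an added example written for this page, not code from the sandbox or from the SpyNote package: it parses the IoC lines copied from this report (embedded as constructed input) and the function names (analyse, file_association_changes, association_matches_spawn) are assumptions of the example, not any tool's API.

```python
import os
import re
from collections import defaultdict

# Constructed input: IoC lines copied from this report's "Suspicious use of WriteProcessMemory"
# and "Modifies registry class" signatures. The sandbox repeats a parent/child pair once per
# call; the parser collapses the repeats.
WRITE_PROCESS_MEMORY_IOCS = """\
PID 2252 wrote to memory of 2524 2252 cmd.exe rundll32.exe
PID 2252 wrote to memory of 2524 2252 cmd.exe rundll32.exe
PID 2252 wrote to memory of 2524 2252 cmd.exe rundll32.exe
PID 2524 wrote to memory of 2768 2524 rundll32.exe AcroRd32.exe
PID 2524 wrote to memory of 2768 2524 rundll32.exe AcroRd32.exe
PID 2524 wrote to memory of 2768 2524 rundll32.exe AcroRd32.exe
PID 2524 wrote to memory of 2768 2524 rundll32.exe AcroRd32.exe
"""
REGISTRY_IOCS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\ rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings rundll32.exe
'''

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CLASSES_RE = re.compile(r"\\REGISTRY\\USER\\S-[\d-]+_CLASSES\\(.*)$", re.I)

def build_process_tree(ioc_text):
    """Collapse WriteProcessMemory IoCs into {parent_pid: [(child_pid, image)]} and {pid: image}."""
    children, images = defaultdict(list), {}
    for parent, child, parent_img, child_img in WPM_RE.findall(ioc_text):
        parent, child = int(parent), int(child)
        images.setdefault(parent, parent_img)
        images.setdefault(child, child_img)
        if (child, child_img) not in children[parent]:
            children[parent].append((child, child_img))
    return dict(children), images

def render_tree(children, images, pid, depth=0):
    lines = ["  " * depth + f"{images[pid]} (PID {pid})"]
    for child, _ in children.get(pid, []):
        lines += render_tree(children, images, child, depth + 1)
    return lines

def parse_registry_iocs(reg_text):
    """Yield (operation, key path, raw value or None, writing process) for each IoC line."""
    for line in reg_text.strip().splitlines():
        body, process = line.strip().rsplit(" ", 1)  # the writing image is always the last token
        for op in ("Key created", "Set value (str)"):
            if body.startswith(op + " "):
                rest = body[len(op) + 1:]
                path, value = rest.split(" = ", 1) if " = " in rest else (rest, None)
                yield op, path, value, process
                break

def decode_value(raw):
    """The sandbox prints string values as a C-style escaped literal inside double quotes."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r"\\(.)", r"\1", raw)

def file_association_changes(reg_text):
    """Join '.ext -> ProgID' writes with 'ProgID\\shell\\<verb>\\command' writes in a user's Classes hive."""
    ext_to_progid, commands = {}, {}
    for _, path, value, process in parse_registry_iocs(reg_text):
        m = CLASSES_RE.match(path)
        if not m or value is None:
            continue
        parts = m.group(1).strip("\\").split("\\")
        if len(parts) == 1 and parts[0].startswith("."):
            ext_to_progid[parts[0].lower()] = decode_value(value)
        elif len(parts) == 4 and [parts[1].lower(), parts[3].lower()] == ["shell", "command"]:
            commands[(parts[0].lower(), parts[2])] = (decode_value(value), process)
    return [{"ext": ext, "progid": progid, "verb": verb, "command": cmd, "process": proc}
            for ext, progid in ext_to_progid.items()
            for (pid_, verb), (cmd, proc) in commands.items() if pid_ == progid.lower()]

def association_matches_spawn(finding, children, images):
    """True when the process that wrote the association then launched the image the new command
    points at: an interactive 'Open with' choice, not an association planted for later use."""
    exe = re.match(r'"?([^"]+?\.exe)"?', finding["command"], re.I)
    target = os.path.basename(exe.group(1).replace("\\", "/")).lower() if exe else ""
    writers = [pid for pid, img in images.items() if img.lower() == finding["process"].lower()]
    return any(img.lower() == target for w in writers for _, img in children.get(w, []))

def analyse(wpm_text, reg_text):
    children, images = build_process_tree(wpm_text)
    spawned = {c for kids in children.values() for c, _ in kids}
    tree = []
    for root in (p for p in children if p not in spawned):
        tree += render_tree(children, images, root)
    findings = file_association_changes(reg_text)
    for f in findings:
        f["open_with_dialog"] = association_matches_spawn(f, children, images)
    return {"tree": tree, "associations": findings}
```

Calling analyse(WRITE_PROCESS_MEMORY_IOCS, REGISTRY_IOCS) yields the three-level cmd.exe > rundll32.exe > AcroRd32.exe tree and a single finding (.py -> py_auto_file, verb Read, command pointing at AcroRd32.exe, written by rundll32.exe) flagged as an Open With dialog artefact because the writer went on to spawn that same image. The same chain check, applied to a report where the association writer is the submitted sample and the target never runs during the analysis, is what distinguishes a persistence-style association hijack from sandbox noise.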
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 4ec77604eabaf571cc37091df5bda9cd
  SHA1: c68b14ccbab8d1d3859db6a2b2445384041f8e00
  SHA256: 9dee2193f14efe3206b2a0e840c78e6ea1414675d7321692c6a7a542219f1589
  SHA512: c9b7217a1f39496249368ef35135abffc7f8b44377482fcc56ac0834afa59af0fb411dd49e53391cef6a9e4b918777e75ba215b840553ea41e6ea1867ffdfb3e