Overview
overview
10Static
static
10SpyNote_v6...pi.dll
windows7-x64
1SpyNote_v6...6.html
windows7-x64
1SpyNote_v6...2.html
windows7-x64
1SpyNote_v6...9.html
windows7-x64
1SpyNote_v6...SM.dll
windows7-x64
1SpyNote_v6...SL.exe
windows7-x64
1apktool/apktool.bat
windows7-x64
1apktool/apktool.jar
windows7-x64
1apktool/signapk.jar
windows7-x64
1SpyNote_v6...ub.apk
windows7-x64
3SpyNote_v6...va.jar
windows7-x64
1SpyNote_v6...sS.exe
windows7-x64
1platform-t...pi.dll
windows7-x64
3platform-t...pi.dll
windows7-x64
1platform-t...db.exe
windows7-x64
1platform-t...mp.exe
windows7-x64
1platform-t...ol.exe
windows7-x64
1platform-t...ot.exe
windows7-x64
1platform-t...nv.exe
windows7-x64
1platform-t...c++.so
windows7-x64
3platform-t...-1.dll
windows7-x64
1platform-t...fs.exe
windows7-x64
1platform-t...fs.exe
windows7-x64
1platform-t...e3.exe
windows7-x64
1platform-t...t__.py
windows7-x64
3platform-t...ror.py
windows7-x64
3platform-t...per.py
windows7-x64
3platform-t...est.py
windows7-x64
3platform-t...est.py
windows7-x64
3platform-t..._tests
windows7-x64
1SpyNote_v6...in.exe
windows7-x64
1SpyNote_v6...te.exe
windows7-x64
5Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
27-05-2024 08:47
Behavioral task
behavioral1
Sample
SpyNote_v6.4/CoreAudioApi.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
SpyNote_v6.4/Resources/Clients/KingB_354051091211537/Settings/2021-11-9--11-07-16.html
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
SpyNote_v6.4/Resources/Clients/Vicitim_354051091211537/Apps/2021-27-9--17-10-52.html
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
SpyNote_v6.4/Resources/Clients/Vicitim_354051091211537/Settings/2021-27-9--17-12-59.html
Resource
win7-20240419-en
Behavioral task
behavioral5
Sample
SpyNote_v6.4/Resources/Imports/Gsm/GSM.dll
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
SpyNote_v6.4/Resources/Imports/Payload/SL.exe
Resource
win7-20231129-en
Behavioral task
behavioral7
Sample
apktool/apktool.bat
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
apktool/apktool.jar
Resource
win7-20240508-en
Behavioral task
behavioral9
Sample
apktool/signapk.jar
Resource
win7-20240419-en
Behavioral task
behavioral10
Sample
SpyNote_v6.4/Resources/Imports/Payload/stub.apk
Resource
win7-20231129-en
Behavioral task
behavioral11
Sample
SpyNote_v6.4/Resources/Imports/PlayerJava/PlayerJava.jar
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
SpyNote_v6.4/Resources/Imports/T/sS.exe
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
platform-tools/AdbWinApi.dll
Resource
win7-20240508-en
Behavioral task
behavioral14
Sample
platform-tools/AdbWinUsbApi.dll
Resource
win7-20240508-en
Behavioral task
behavioral15
Sample
platform-tools/adb.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
platform-tools/dmtracedump.exe
Resource
win7-20240508-en
Behavioral task
behavioral17
Sample
platform-tools/etc1tool.exe
Resource
win7-20231129-en
Behavioral task
behavioral18
Sample
platform-tools/fastboot.exe
Resource
win7-20240221-en
Behavioral task
behavioral19
Sample
platform-tools/hprof-conv.exe
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
platform-tools/lib64/libc++.so
Resource
win7-20240215-en
Behavioral task
behavioral21
Sample
platform-tools/libwinpthread-1.dll
Resource
win7-20240508-en
Behavioral task
behavioral22
Sample
platform-tools/make_f2fs.exe
Resource
win7-20240221-en
Behavioral task
behavioral23
Sample
platform-tools/mke2fs.exe
Resource
win7-20240419-en
Behavioral task
behavioral24
Sample
platform-tools/sqlite3.exe
Resource
win7-20240221-en
Behavioral task
behavioral25
Sample
platform-tools/systrace/catapult/common/battor/battor/__init__.py
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
platform-tools/systrace/catapult/common/battor/battor/battor_error.py
Resource
win7-20240419-en
Behavioral task
behavioral27
Sample
platform-tools/systrace/catapult/common/battor/battor/battor_wrapper.py
Resource
win7-20231129-en
Behavioral task
behavioral28
Sample
platform-tools/systrace/catapult/common/battor/battor/battor_wrapper_devicetest.py
Resource
win7-20240508-en
Behavioral task
behavioral29
Sample
platform-tools/systrace/catapult/common/battor/battor/battor_wrapper_unittest.py
Resource
win7-20240508-en
Behavioral task
behavioral30
Sample
platform-tools/systrace/catapult/common/battor/bin/run_py_tests
Resource
win7-20240221-en
Behavioral task
behavioral31
Sample
SpyNote_v6.4/Resources/Imports/platform-tools/plwin.exe
Resource
win7-20240215-en
Behavioral task
behavioral32
Sample
SpyNote_v6.4/SpyNote.exe
Resource
win7-20240508-en
General
-
Target
platform-tools/systrace/catapult/common/battor/battor/battor_wrapper.py
-
Size
15KB
-
MD5
d2a93ab365251001f39f0a71feac5275
-
SHA1
1bf9854bad16f14de0b74eb7efcd2671b0b8db7c
-
SHA256
fbacb34ebd9b4af177f818f5cd0724c91c4ed1085cf1bd70eee9ae4115d112c9
-
SHA512
bbafd95d57ccabd4f11c15a3264761d329554ca429219dd855353a4a8dd9cef53fe20819bded5f8f4dbaf2b04dd9bf5930852aa3a33521362b0b751e66cab825
-
SSDEEP
384:SzxnQF5rr+ZTADM6uJE0x96JQNo3OUBete/rU72hT:UxnQF5zDB77ele/b
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2696 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2696 AcroRd32.exe 2696 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 2884 wrote to memory of 2088 2884 cmd.exe rundll32.exe PID 2884 wrote to memory of 2088 2884 cmd.exe rundll32.exe PID 2884 wrote to memory of 2088 2884 cmd.exe rundll32.exe PID 2088 wrote to memory of 2696 2088 rundll32.exe AcroRd32.exe PID 2088 wrote to memory of 2696 2088 rundll32.exe AcroRd32.exe PID 2088 wrote to memory of 2696 2088 rundll32.exe AcroRd32.exe PID 2088 wrote to memory of 2696 2088 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\platform-tools\systrace\catapult\common\battor\battor\battor_wrapper.py1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\platform-tools\systrace\catapult\common\battor\battor\battor_wrapper.py2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\platform-tools\systrace\catapult\common\battor\battor\battor_wrapper.py"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEventsFilesize
3KB
MD55041804f15b98a35e9a590f152d2354c
SHA12ee0eb5a73ea3f8110c636ca1ea2de7a59e10537
SHA256a7dda13511be30ff3653e6d950de5b8412db802b2e3a1230d4584ee057d413b6
SHA51215bbc47c4bc883b5793b23a4dd56e700c5795dd38cccab80263a57a16f2f52e1ce7c471cd4256ab210a306c62681cc0a9de12be6fc3044cee01eafdeb94ebe86