Overview
overview
10Static
static
10SpyNote_v6...pi.dll
windows7-x64
1SpyNote_v6...6.html
windows7-x64
1SpyNote_v6...2.html
windows7-x64
1SpyNote_v6...9.html
windows7-x64
1SpyNote_v6...SM.dll
windows7-x64
1SpyNote_v6...SL.exe
windows7-x64
1apktool/apktool.bat
windows7-x64
1apktool/apktool.jar
windows7-x64
1apktool/signapk.jar
windows7-x64
1SpyNote_v6...ub.apk
windows7-x64
3SpyNote_v6...va.jar
windows7-x64
1SpyNote_v6...sS.exe
windows7-x64
1platform-t...pi.dll
windows7-x64
3platform-t...pi.dll
windows7-x64
1platform-t...db.exe
windows7-x64
1platform-t...mp.exe
windows7-x64
1platform-t...ol.exe
windows7-x64
1platform-t...ot.exe
windows7-x64
1platform-t...nv.exe
windows7-x64
1platform-t...c++.so
windows7-x64
3platform-t...-1.dll
windows7-x64
1platform-t...fs.exe
windows7-x64
1platform-t...fs.exe
windows7-x64
1platform-t...e3.exe
windows7-x64
1platform-t...t__.py
windows7-x64
3platform-t...ror.py
windows7-x64
3platform-t...per.py
windows7-x64
3platform-t...est.py
windows7-x64
3platform-t...est.py
windows7-x64
3platform-t..._tests
windows7-x64
1SpyNote_v6...in.exe
windows7-x64
1SpyNote_v6...te.exe
windows7-x64
5Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
27-05-2024 08:47
Behavioral task
behavioral1
Sample
SpyNote_v6.4/CoreAudioApi.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
SpyNote_v6.4/Resources/Clients/KingB_354051091211537/Settings/2021-11-9--11-07-16.html
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
SpyNote_v6.4/Resources/Clients/Vicitim_354051091211537/Apps/2021-27-9--17-10-52.html
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
SpyNote_v6.4/Resources/Clients/Vicitim_354051091211537/Settings/2021-27-9--17-12-59.html
Resource
win7-20240419-en
Behavioral task
behavioral5
Sample
SpyNote_v6.4/Resources/Imports/Gsm/GSM.dll
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
SpyNote_v6.4/Resources/Imports/Payload/SL.exe
Resource
win7-20231129-en
Behavioral task
behavioral7
Sample
apktool/apktool.bat
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
apktool/apktool.jar
Resource
win7-20240508-en
Behavioral task
behavioral9
Sample
apktool/signapk.jar
Resource
win7-20240419-en
Behavioral task
behavioral10
Sample
SpyNote_v6.4/Resources/Imports/Payload/stub.apk
Resource
win7-20231129-en
Behavioral task
behavioral11
Sample
SpyNote_v6.4/Resources/Imports/PlayerJava/PlayerJava.jar
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
SpyNote_v6.4/Resources/Imports/T/sS.exe
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
platform-tools/AdbWinApi.dll
Resource
win7-20240508-en
Behavioral task
behavioral14
Sample
platform-tools/AdbWinUsbApi.dll
Resource
win7-20240508-en
Behavioral task
behavioral15
Sample
platform-tools/adb.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
platform-tools/dmtracedump.exe
Resource
win7-20240508-en
Behavioral task
behavioral17
Sample
platform-tools/etc1tool.exe
Resource
win7-20231129-en
Behavioral task
behavioral18
Sample
platform-tools/fastboot.exe
Resource
win7-20240221-en
Behavioral task
behavioral19
Sample
platform-tools/hprof-conv.exe
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
platform-tools/lib64/libc++.so
Resource
win7-20240215-en
Behavioral task
behavioral21
Sample
platform-tools/libwinpthread-1.dll
Resource
win7-20240508-en
Behavioral task
behavioral22
Sample
platform-tools/make_f2fs.exe
Resource
win7-20240221-en
Behavioral task
behavioral23
Sample
platform-tools/mke2fs.exe
Resource
win7-20240419-en
Behavioral task
behavioral24
Sample
platform-tools/sqlite3.exe
Resource
win7-20240221-en
Behavioral task
behavioral25
Sample
platform-tools/systrace/catapult/common/battor/battor/__init__.py
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
platform-tools/systrace/catapult/common/battor/battor/battor_error.py
Resource
win7-20240419-en
Behavioral task
behavioral27
Sample
platform-tools/systrace/catapult/common/battor/battor/battor_wrapper.py
Resource
win7-20231129-en
Behavioral task
behavioral28
Sample
platform-tools/systrace/catapult/common/battor/battor/battor_wrapper_devicetest.py
Resource
win7-20240508-en
Behavioral task
behavioral29
Sample
platform-tools/systrace/catapult/common/battor/battor/battor_wrapper_unittest.py
Resource
win7-20240508-en
Behavioral task
behavioral30
Sample
platform-tools/systrace/catapult/common/battor/bin/run_py_tests
Resource
win7-20240221-en
Behavioral task
behavioral31
Sample
SpyNote_v6.4/Resources/Imports/platform-tools/plwin.exe
Resource
win7-20240215-en
Behavioral task
behavioral32
Sample
SpyNote_v6.4/SpyNote.exe
Resource
win7-20240508-en
General
-
Target
platform-tools/systrace/catapult/common/battor/battor/battor_wrapper_unittest.py
-
Size
13KB
-
MD5
e41fab7141cd0516d3a20b342bd83957
-
SHA1
dfa32ae0417b76ed4f5fb81334b74fcf2fe6a146
-
SHA256
c8eb91f0d2b7ecd7a2dd32416d8068d9f1154f68899ffeb6800b341048b462d1
-
SHA512
822d07458fe261158a118b794f6e3c1ec6c9bf9941d3c5f505321c5a1820f688c16fd45d9dafdc3947f790bea32551a696f25f1539efc7df953288a9dfc41530
-
SSDEEP
192:S+gTLCAcAXAMBYhuAdAAcAk6Vooj6ASE1OAS7DKtwQrS+O3ZTrb9KPVvDoIskeFH:SwMU2voq
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.py rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\py_auto_file rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2652 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2652 AcroRd32.exe 2652 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 1704 wrote to memory of 2736 1704 cmd.exe rundll32.exe PID 1704 wrote to memory of 2736 1704 cmd.exe rundll32.exe PID 1704 wrote to memory of 2736 1704 cmd.exe rundll32.exe PID 2736 wrote to memory of 2652 2736 rundll32.exe AcroRd32.exe PID 2736 wrote to memory of 2652 2736 rundll32.exe AcroRd32.exe PID 2736 wrote to memory of 2652 2736 rundll32.exe AcroRd32.exe PID 2736 wrote to memory of 2652 2736 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\platform-tools\systrace\catapult\common\battor\battor\battor_wrapper_unittest.py1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\platform-tools\systrace\catapult\common\battor\battor\battor_wrapper_unittest.py2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\platform-tools\systrace\catapult\common\battor\battor\battor_wrapper_unittest.py"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEventsFilesize
3KB
MD502cd836b855383681e20b6f800b6b7ce
SHA1e501ff11f2a4c831c284e3b35d11ef29d8771787
SHA256aa496dac0d0f742bff0d1da0a82d86cea5813f2bc02d6c0da911f1a3b5efbb59
SHA5126e791561affd1098af73701a350a91b26ebaac3aaa6222b6d9d1a107571845d6b062da03760f52a994b513737e7ed716dfcc1b0369c4acac9561667a2d96d6fe