Analysis

  • max time kernel
    179s
  • max time network
    186s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240611.1-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240611.1-en, locale:en-us, os:android-11-x64, system
  • submitted
    17-06-2024 10:13

General

  • Target

    Temp_20Mail.apk

  • Size

    3.0MB

  • MD5

    0870496d78aa5b59ad57e914c1d5f6b0

  • SHA1

    5b9bfa06d05172f61d1ee19724fcd12cec110353

  • SHA256

    07346cf8ba8cba881250023326382b88dcf4247cfa64501ccc560667614a7297

  • SHA512

    7d6fa2a95a198d9486fe924d1098d6761d6b36df4c76db502c6a6cc7123621449711e394d6a61a2024bf8e85b556c391e58354d02f03bb9d7ab710ebeba81876

  • SSDEEP

    49152:xcueXk4qYTmiO+KyYWWLPke4H0F7ZbS8ULmc/hcRGU3DrZb:eue5NO4YuUzXUac/WRGU3DVb

Malware Config

Extracted

  • Family
    spynote
  • C2
    156.245.20.17:7771

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps; 1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • updates.teens.sa
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Schedules tasks to execute at a specified time
    PID: 4710

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/updates.teens.sa/app_apkprotector_dex/classes-v1.bin

    Filesize

    4.0MB

    MD5

    50c6d6acf87e5fc31279bbcab6e658d2

    SHA1

    3277812d5668f83f4d0f0da6a271d4b77846779e

    SHA256

    95cd7ea94c69d01216dfea9a1b5a6122d5c8ed7bf8c1baf7c37d069c5c4ca671

    SHA512

    6817015f04e265f9cb7d2d5982d942d54ea5aaa1a4bb0a53d580ba4749b416608c150e5063e13ed8ae576607053e25c2f6838a0bffe3449782775ffc39676e41

  • /storage/emulated/0/Config/sys/apps/log/log-2024-06-17.txt

    Filesize

    25B

    MD5

    455606a8ce76478454a9271cf0cd20f8

    SHA1

    dfd6238c9fb16d16a71a1f7e616d65974bc69036

    SHA256

    ac0b11d28c0ed6926261a37d2e5fb0ad65550de1817abd40681e3847fa1289f4

    SHA512

    b8d57cdeed494bb0de7e709bd37d21a9c4781f03bee988287bc93c11a60ac90332838b5a4a8c041173a43123b76863ac1a0ea676c7aec46294c81c136400aa10

  • /storage/emulated/0/Config/sys/apps/log/log-2024-06-17.txt

    Filesize

    33B

    MD5

    ae6301b417a4058b1c66e9017db594ce

    SHA1

    88a29b5b61835f8d651cf7c3826bf5c42986ad83

    SHA256

    453558b4a2507eea7ee276b772cdcbf902de9957859a974d51c6865d844f33a3

    SHA512

    28011a6d9c2d5eee1c907a47994c6e116fefcf8df67f4b55f08b6c70ef44f7922fa09dddfacf4b2a1071c80ece7e52dd1ab7b4b86906bd3186a427785e8d5d3d

  • /storage/emulated/0/Config/sys/apps/log/log-2024-06-17.txt

    Filesize

    25B

    MD5

    fd8ed43ac31bbf329c395582c15753cd

    SHA1

    3c76ee3fa79dde645c0447d6b23d6f435efb3b72

    SHA256

    049d51bf61bf26d7b9e55391560cc23ec59d2240453ac81b87f2e81153b0fcaf

    SHA512

    77bb10d1eeeea15fc35f7232af698c951d3f47a5fff56682bbc32f6bea9ebecc997d89ed88c6dff9c226c09446261f184ecbac9697f95799753d73a71e6c4d37

  • /storage/emulated/0/Config/sys/apps/log/log-2024-06-17.txt

    Filesize

    29B

    MD5

    51e694be4f0e99e0773211566a1f61a9

    SHA1

    01bbd182b6eff74be8145e94aadb401bb45b3155

    SHA256

    323570c39e1d705541858e0b57bcd4d2341c745af2ff8873f27e676d0132408e

    SHA512

    19f3323acbaa77e9de3884cdbdc5bbee38cf18492931aaf206c76052e0b2f1390510bd8c15d2d27d9128194e3df81577faad9695ff7449a373860c69c26a9265

  • /storage/emulated/0/Config/sys/apps/log/log-2024-06-17.txt

    Filesize

    57B

    MD5

    c38f5d69ff6dccdf85f54387342d579a

    SHA1

    5a3b9db0a627adb77e158e5699b363508b9460b0

    SHA256

    c1ba635dfbc4ea8ea5f7330d5a4516a43e2640f0e4912ce45d6a0214434f6fad

    SHA512

    c1e4010a742076ceb47a9f515ee3385cade339d8377345e6a38e9e72db5771260c19c9328d7cce0f1df3a82b016040d9e8b13306443b211c7febd1bb856af58a