Analysis
max time kernel: 179s
max time network: 187s
platform: android_x64
resource: android-33-x64-arm64-20240611.1-en
resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240611.1-en, locale:en-us, os:android-13-x64, system
submitted: 17-06-2024 10:13
Static task: static1
Behavioral task: behavioral1
  Sample: Temp_20Mail.apk
  Resource: android-x64-arm64-20240611.1-en
Behavioral task: behavioral2
  Sample: Temp_20Mail.apk
  Resource: android-33-x64-arm64-20240611.1-en
Behavioral task: behavioral3
  Sample: Temp_20Mail.apk
  Resource: android-x86-arm-20240611.1-en
General
Target: Temp_20Mail.apk
Size: 3.0MB
MD5: 0870496d78aa5b59ad57e914c1d5f6b0
SHA1: 5b9bfa06d05172f61d1ee19724fcd12cec110353
SHA256: 07346cf8ba8cba881250023326382b88dcf4247cfa64501ccc560667614a7297
SHA512: 7d6fa2a95a198d9486fe924d1098d6761d6b36df4c76db502c6a6cc7123621449711e394d6a61a2024bf8e85b556c391e58354d02f03bb9d7ab710ebeba81876
SSDEEP: 49152:xcueXk4qYTmiO+KyYWWLPke4H0F7ZbS8ULmc/hcRGU3DrZb:eue5NO4YuUzXUac/WRGU3DVb
Malware Config
Extracted
spynote
156.245.20.17:7771
Signatures
- Spynote
  Spynote is a Remote Access Trojan first seen in 2017.
- Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs executable file dropped to the device during analysis.
  Processes: updates.teens.sa
    /data/user/0/updates.teens.sa/app_apkprotector_dex/classes-v1.bin (pid 4239, process updates.teens.sa)
- Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes: updates.teens.sa
    Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process updates.teens.sa)
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Acquires the wake lock (1 IoC)
  Processes: updates.teens.sa
    Framework service call: android.os.IPowerManager.acquireWakeLock (process updates.teens.sa)
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes: updates.teens.sa
    Framework service call: android.app.IActivityManager.setServiceForeground (process updates.teens.sa)
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Processes: updates.teens.sa
    Framework service call: android.app.job.IJobScheduler.schedule (process updates.teens.sa)
Downloads
- /data/user/0/updates.teens.sa/app_apkprotector_dex/classes-v1.bin
  Filesize: 4.0MB
  MD5: 50c6d6acf87e5fc31279bbcab6e658d2
  SHA1: 3277812d5668f83f4d0f0da6a271d4b77846779e
  SHA256: 95cd7ea94c69d01216dfea9a1b5a6122d5c8ed7bf8c1baf7c37d069c5c4ca671
  SHA512: 6817015f04e265f9cb7d2d5982d942d54ea5aaa1a4bb0a53d580ba4749b416608c150e5063e13ed8ae576607053e25c2f6838a0bffe3449782775ffc39676e41
- /storage/emulated/0/Config/sys/apps/log/log-2024-06-17.txt
  Filesize: 25B
  MD5: ba30336bf53d54ed3c0ea69dd545de8c
  SHA1: ce99c6724c75b93b7448e2d9fac16ca702a5711f
  SHA256: 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
  SHA512: eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e
- /storage/emulated/0/Config/sys/apps/log/log-2024-06-17.txt
  Filesize: 33B
  MD5: 9fd4ac5761024c8a9d1667947c9554bc
  SHA1: ca91637b959b955e9d701bbd23dd469ed2b91f1c
  SHA256: 6469be6ec15d0e3806a4f7269575c975cd67cfb4bf72dfbca925639b5f9aed59
  SHA512: 70442911c6a8751e66b4ba40935d77816ffa41b3c653178a6efe42e1be1eba6b9c91d2dedd009fc707cec2fd01956582aa93ca83f85599cc624cce559b9e3a9d
- /storage/emulated/0/Config/sys/apps/log/log-2024-06-17.txt
  Filesize: 57B
  MD5: 5f0ea816557f7174dbdda00315e60145
  SHA1: e7f8b8a1fb0ce1d4e76a91fdcbb3a9a56c053117
  SHA256: ee0b80df14d841d339e20693a3e9c6038c5b291142f0ad8ca9f7fba93067834c
  SHA512: 8cc59d9889d9e454119deba0f0ae5657b276dac27c769e848636f422c0f212424e22ca0814a103d4e0f771e6e637d550cd9d36dcf14dc26fdb05e1b43bd338d0