spynote | 07346cf8ba8cba881250023326382b88dcf4247cfa64501ccc560667614a7297

Analysis

max time kernel
179s
max time network
187s
platform
android_x64
resource
android-33-x64-arm64-20240611.1-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240611.1-enlocale:en-usos:android-13-x64system
submitted
17-06-2024 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Temp_20Mail.apk
Size

3.0MB
MD5

0870496d78aa5b59ad57e914c1d5f6b0
SHA1

5b9bfa06d05172f61d1ee19724fcd12cec110353
SHA256

07346cf8ba8cba881250023326382b88dcf4247cfa64501ccc560667614a7297
SHA512

7d6fa2a95a198d9486fe924d1098d6761d6b36df4c76db502c6a6cc7123621449711e394d6a61a2024bf8e85b556c391e58354d02f03bb9d7ab710ebeba81876
SSDEEP

49152:xcueXk4qYTmiO+KyYWWLPke4H0F7ZbS8ULmc/hcRGU3DrZb:eue5NO4YuUzXUac/WRGU3DVb

Score

10^/10

spynote banker collection credential_access discovery evasion execution infostealer persistence rat trojan

Malware Config

Extracted

Family

spynote

156.245.20.17:7771

Signatures

Spynote
Spynote is a Remote Access Trojan first seen in 2017.
banker trojan infostealer rat spynote
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

updates.teens.sa

ioc pid process

/data/user/0/updates.teens.sa/app_apkprotector_dex/classes-v1.bin 4239 updates.teens.sa

ioc	pid	process
/data/user/0/updates.teens.sa/app_apkprotector_dex/classes-v1.bin	4239	updates.teens.sa

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

updates.teens.sa

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	updates.teens.sa

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Acquires the wake lock 1 IoCs

Processes:

updates.teens.sa

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock updates.teens.sa
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

updates.teens.sa

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground updates.teens.sa
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

updates.teens.sa

description ioc process

Framework service call android.app.job.IJobScheduler.schedule updates.teens.sa

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	updates.teens.sa

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	updates.teens.sa

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	updates.teens.sa

updates.teens.sa
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Schedules tasks to execute at a specified time
PID:4239

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/updates.teens.sa/app_apkprotector_dex/classes-v1.bin
Filesize
4.0MB

MD5
50c6d6acf87e5fc31279bbcab6e658d2

SHA1
3277812d5668f83f4d0f0da6a271d4b77846779e

SHA256
95cd7ea94c69d01216dfea9a1b5a6122d5c8ed7bf8c1baf7c37d069c5c4ca671

SHA512
6817015f04e265f9cb7d2d5982d942d54ea5aaa1a4bb0a53d580ba4749b416608c150e5063e13ed8ae576607053e25c2f6838a0bffe3449782775ffc39676e41

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-06-17.txt
Filesize
25B

MD5
ba30336bf53d54ed3c0ea69dd545de8c

SHA1
ce99c6724c75b93b7448e2d9fac16ca702a5711f

SHA256
2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

SHA512
eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-06-17.txt
Filesize
33B

MD5
9fd4ac5761024c8a9d1667947c9554bc

SHA1
ca91637b959b955e9d701bbd23dd469ed2b91f1c

SHA256
6469be6ec15d0e3806a4f7269575c975cd67cfb4bf72dfbca925639b5f9aed59

SHA512
70442911c6a8751e66b4ba40935d77816ffa41b3c653178a6efe42e1be1eba6b9c91d2dedd009fc707cec2fd01956582aa93ca83f85599cc624cce559b9e3a9d

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-06-17.txt
Filesize
57B

MD5
5f0ea816557f7174dbdda00315e60145

SHA1
e7f8b8a1fb0ce1d4e76a91fdcbb3a9a56c053117

SHA256
ee0b80df14d841d339e20693a3e9c6038c5b291142f0ad8ca9f7fba93067834c

SHA512
8cc59d9889d9e454119deba0f0ae5657b276dac27c769e848636f422c0f212424e22ca0814a103d4e0f771e6e637d550cd9d36dcf14dc26fdb05e1b43bd338d0

Download Submit