Overview

overview

10

Static

static

6

Translate.apk

android-10-x64

7

Translate.apk

android-11-x64

7

Translate.apk

android-13-x64

7

childapp.apk

android-10-x64

10

childapp.apk

android-11-x64

10

childapp.apk

android-13-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Translate.apk

  • Size

    11.6MB

  • Sample

    240617-lwchbavhme

  • MD5

    224b0bc609b3ae5226c66ce80ab882aa

  • SHA1

    3aad911b21907053a69b49086a6396c50714accb

  • SHA256

    197fc60029137c2da90914897d13c1b1af03391542f5b3fbac5cc5b8e8053a7e

  • SHA512

    caa84f65cebc7429594f9e0239682476f7a29cec596a46d22699f5f9c6a594ebfceb682bcb2b204e29411f8773bca80f581099328a74c402cde9af2ea51ff18c

  • SSDEEP

    196608:akAXX5HJwFmzIjgG0zwxBCc3E97gyNMwNXXeuzoyy/SbdTBm4f2hMYKZowfz6KKp:ak6JHKFmuf0zi3ENrNb+uty/SbChM+Dp

Score
10/10
spynoteandroidbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

spynote

C2

kyabhai.duckdns.org:8080

Targets

    • Target

      Translate.apk

    • Size

      11.6MB

    • MD5

      224b0bc609b3ae5226c66ce80ab882aa

    • SHA1

      3aad911b21907053a69b49086a6396c50714accb

    • SHA256

      197fc60029137c2da90914897d13c1b1af03391542f5b3fbac5cc5b8e8053a7e

    • SHA512

      caa84f65cebc7429594f9e0239682476f7a29cec596a46d22699f5f9c6a594ebfceb682bcb2b204e29411f8773bca80f581099328a74c402cde9af2ea51ff18c

    • SSDEEP

      196608:akAXX5HJwFmzIjgG0zwxBCc3E97gyNMwNXXeuzoyy/SbdTBm4f2hMYKZowfz6KKp:ak6JHKFmuf0zi3ENrNb+uty/SbChM+Dp

    Score
    7/10
    evasionimpactpersistence

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion
    behavioral1behavioral2behavioral3

    • Target

      childapp.apk

    • Size

      5.9MB

    • MD5

      4ba22114b4b4eabac35d708ceafda99b

    • SHA1

      5ba11a42028fcb4a43aea514d5f4247a22a93dbb

    • SHA256

      39d2d4af6ca442b175c40c0d608a8265dca4ab53e4859ad24789b23494bc8193

    • SHA512

      035a98995ec48a92aad98de6d5e652a03487120e664e2f8932c61b6316532ad439fb4e8f7500fe0edbe508a374ce2d4861baff0dbf1ee69c851666c64f5c5659

    • SSDEEP

      98304:9oMU1WRYSale8PkTGBD9xvgbHDHFIzmWAfaCsMul+hlX7/RatQOErR2qdD4SKG2H:mxSale8PfTBgzDq0iFMul6Atid8Xb1O+

    Score
    10/10
    spynotebankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

    • Spynote

      Spynote is a Remote Access Trojan first seen in 2017.

      bankertrojaninfostealerratspynote

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectionevasioncredential_access

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

      evasion

    • Queries information about active data network

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      evasion
    behavioral4behavioral5behavioral6

MITRE ATT&CK Matrix

Tasks