Overview

overview

10

Static

static

6

Translate.apk

android-10-x64

7

Translate.apk

android-11-x64

7

Translate.apk

android-13-x64

7

childapp.apk

android-10-x64

10

childapp.apk

android-11-x64

10

childapp.apk

android-13-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    189s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240611.1-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240611.1-enlocale:en-usos:android-11-x64system
  • submitted
    17-06-2024 09:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    childapp.apk

  • Size

    5.9MB

  • MD5

    4ba22114b4b4eabac35d708ceafda99b

  • SHA1

    5ba11a42028fcb4a43aea514d5f4247a22a93dbb

  • SHA256

    39d2d4af6ca442b175c40c0d608a8265dca4ab53e4859ad24789b23494bc8193

  • SHA512

    035a98995ec48a92aad98de6d5e652a03487120e664e2f8932c61b6316532ad439fb4e8f7500fe0edbe508a374ce2d4861baff0dbf1ee69c851666c64f5c5659

  • SSDEEP

    98304:9oMU1WRYSale8PkTGBD9xvgbHDHFIzmWAfaCsMul+hlX7/RatQOErR2qdD4SKG2H:mxSale8PfTBgzDq0iFMul6Atid8Xb1O+

Score
10/10
spynotebankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

spynote

C2

kyabhai.duckdns.org:8080

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

    bankertrojaninfostealerratspynote
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 16 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • editor.disciplines.fail
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4655

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/editor.disciplines.fail/app_ded/sgFAFasunMfOMFQDgxhfRODB1BoBHorD.dex
    Filesize

    3.3MB

    MD5

    8207981590d82bc36b9dbe639b72e315

    SHA1

    2051b80b757df1ae184354eac86659acaf5f479c

    SHA256

    36a6bab79f7ea03e0bf4448abfb073733299859243fe08b12582a2eb2039db1f

    SHA512

    33cf767d56dffec4f2a80f3a142a30302384fb713f805aec98bea7b0783794b8c690ed665af10e22c0d11684fd2cb5937d7a808ab29c3af7819cd97c56382d54

    Download Submit
  • /storage/emulated/0/Config/sys/apps/log/log-2024-06-17.txt
    Filesize

    37B

    MD5

    f916cf4c489b83017f51dc0220a057f0

    SHA1

    9650565237f3679ac86d6af49ddeaf2287ce3cc7

    SHA256

    0b2e5ed3aeef947c4910362b2cd1440b65367120f9dedbe81f54329f48052b5d

    SHA512

    a6dc92973100377f401506fd3928a4682a4abdecc3230b83574d4fc4838bc83f4dbab8fc3eb1ff117583473baacfbf07f8ed12a69b76c82f4b012eada4c3bf69

    Download Submit
  • /storage/emulated/0/Config/sys/apps/log/log-2024-06-17.txt
    Filesize

    33B

    MD5

    457bb67ebbcfd6615a72a57bbaba8611

    SHA1

    800c43984ec29c34462d915109edd5202c28b74e

    SHA256

    a7f63da9797585957f923d9226c697d5d3d80c059b3b381baaff04c6c73b8a10

    SHA512

    dd94d35b710137a719ef3ada6f609ef1d05b96e2a32e2c8435809786095db09a049b8aa2e9c40de7af941be67904eecff76b22c4470f57d23a7b3c31970c02ae

    Download Submit
  • /storage/emulated/0/Config/sys/apps/log/log-2024-06-17.txt
    Filesize

    25B

    MD5

    ba30336bf53d54ed3c0ea69dd545de8c

    SHA1

    ce99c6724c75b93b7448e2d9fac16ca702a5711f

    SHA256

    2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

    SHA512

    eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

    Download Submit
  • /storage/emulated/0/Config/sys/apps/log/log-2024-06-17.txt
    Filesize

    288B

    MD5

    955b1aed0f6c05fb23a40440b4043fc3

    SHA1

    4738b47857c456b449f2af3ba319336f5ea2a21e

    SHA256

    524b798967b28d43c5cff0a538a24d6c71be17789186bd1095ba36156e377373

    SHA512

    76757980d4f8d7bc338c8ba2c6f2881a602bc143f2645e0a3be7c864aa151bac589d9802ac27dcbb2d7207088d7fbec1f0a18c567ca700a45bcfc22dc9d6e51f

    Download Submit