Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    01/10/2024, 22:04

General

  • Target

    28c6aba9cd546e4d049e1da7f592706dd969cd492252a9155fb728747eb8ad32.apk

  • Size

    2.9MB

  • MD5

    b74f8fa7b3e078201eefd0caec46728e

  • SHA1

    e9b17b0168f135e5060c32ff4c3b0a5e8d9549f7

  • SHA256

    28c6aba9cd546e4d049e1da7f592706dd969cd492252a9155fb728747eb8ad32

  • SHA512

    8dec1bed11a505ff829c8634b1d28d722ca8f3c678c7194794e52cf1970e93e36280f7b1f6bd95ad6162a232ae5a8927af069af8f819c99c56f8ec7551f4e4de

  • SSDEEP

    49152:H6cLz9gEv5b4cRjpX8hSYk8d7oaO/zuYLpTBy4tj0CHSfquzGO3ZuZi4/nzB94qg:HxTv5b4cRjpX8T9NoX3Lp9y4+nyu8ZiN

Malware Config

Extracted

Family

spynote

C2

217.114.43.238:15888

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

  • Spynote payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • very.longitude.adams
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:4252
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/very.longitude.adams/app_mph_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/very.longitude.adams/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4278

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/very.longitude.adams/app_mph_dex/classes.dex

    Filesize

    3.3MB

    MD5

    4a1fa83c46273d6a7e5ade13f4c28925

    SHA1

    e935791603f489331e4221774525419f1563b0bc

    SHA256

    8139a906a11f73a6abf6579db8b899ce497cdc85dc4a16a9142768d35d6252c5

    SHA512

    96acfba2e1de4bf3eb17f3b4a9dd569cb4bff2368e0dd6452806e3637f0fb2a2e3b6bb95dd238154ed3b609d18d9aa03a3f860c81449302ba697251a7e9661b5

  • /data/data/very.longitude.adams/app_mph_dex/oat/classes.dex.cur.prof

    Filesize

    318B

    MD5

    87768df02ca6c45c6ce5134ab41c06e5

    SHA1

    5c9427840c0974ee4f61ed80393034fa3e078b15

    SHA256

    4b382a9b3d47927db8663b656a0aefd04f9da08070c9a67bd12d85fd5dd0e877

    SHA512

    1a515aec2801098e8545053df4ee145d7e587c278a34ef9dfce2efb2d5a5f8c10ef93eb9e76d7decda98d6e31b2efd6941581809abdf3528845bdd8a6c536309

  • /data/user/0/very.longitude.adams/app_mph_dex/classes.dex

    Filesize

    3.3MB

    MD5

    79f7de0aa66d958660fae807f0997972

    SHA1

    25e2ec1bb07545157930cae09f07ba79016f4336

    SHA256

    08fec1fbf47beb7fa205b8a554d1c84077950203902c91357b089d309fdde0b5

    SHA512

    351ac168be9d99ec02e899c8bc20396a1c49e2e6e3b52076e6d7f088a0215347661366d3684ca2752bc23a56129808d8184f358c0985191adaae703f03c3c289

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-01.txt

    Filesize

    296B

    MD5

    8a5acd6a25e5e54d24dbed44f43ce507

    SHA1

    30d8e17066576ec717bb53fdc9b61c251ed39026

    SHA256

    7327cf82232a4dbe4b147bac961a3fa182d322382f6a3b9f1d298c7de4ee0b02

    SHA512

    e719395e7c3fa23ba22425cbf41043711c4c7b2e55c1b78945df79cf4843e7851bda1bb1c8126fae7de98a484042769c71d94f7747c997b4e0374b7412ccb8e7

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-01.txt

    Filesize

    41B

    MD5

    a57a5f3e8c2fa9d3ec23f08be44a344f

    SHA1

    880f2a8037a8ce6ffe0f494b9759b50c4b2f9046

    SHA256

    ddcd054a426a774ef8dd814be3fc337431d2f250b9ab573c63bf0160c24a4e6d

    SHA512

    336761e0dac2fd9fa230e7c2dc0c9a59331ebe2f5c90ba21b11cb6ce242bd3ccf1583f9bc98981eb52a75148b6850dc76a824457d3962851df0eac7821301f65

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-01.txt

    Filesize

    41B

    MD5

    fb646e1d6363a963d10f2ba4c648148f

    SHA1

    2e800bed9d6be067a9ca4f73e602d66dc0ad2482

    SHA256

    1b773985c6c02dac00cb7b271a21f51c135236bb7a5e1ef394e3add8431a81d3

    SHA512

    93544c90a27bd04b1fe2bcb6d554923b73752bb0756628cfbdbc6572717ad5cc283c8a266a26067d33d0a51f3efaeecadb3357cbf692f580870615f377a3b1a8

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-01.txt

    Filesize

    25B

    MD5

    ba30336bf53d54ed3c0ea69dd545de8c

    SHA1

    ce99c6724c75b93b7448e2d9fac16ca702a5711f

    SHA256

    2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

    SHA512

    eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e