Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    01/10/2024, 22:04

General

  • Target

    28c6aba9cd546e4d049e1da7f592706dd969cd492252a9155fb728747eb8ad32.apk

  • Size

    2.9MB

  • MD5

    b74f8fa7b3e078201eefd0caec46728e

  • SHA1

    e9b17b0168f135e5060c32ff4c3b0a5e8d9549f7

  • SHA256

    28c6aba9cd546e4d049e1da7f592706dd969cd492252a9155fb728747eb8ad32

  • SHA512

    8dec1bed11a505ff829c8634b1d28d722ca8f3c678c7194794e52cf1970e93e36280f7b1f6bd95ad6162a232ae5a8927af069af8f819c99c56f8ec7551f4e4de

  • SSDEEP

    49152:H6cLz9gEv5b4cRjpX8hSYk8d7oaO/zuYLpTBy4tj0CHSfquzGO3ZuZi4/nzB94qg:HxTv5b4cRjpX8T9NoX3Lp9y4+nyu8ZiN

Malware Config

Extracted

Family

spynote

C2

217.114.43.238:15888

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

  • Spynote payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
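The behaviours in the Signatures list are observed at runtime by the sandbox, but most of them have a static prerequisite in the manifest: a declared permission or a service bound with BIND_ACCESSIBILITY_SERVICE. The script below is an added example, not the sandbox vendor's code and not taken from the sample; it scans a decoded AndroidManifest.xml for those prerequisites and reports them under the same signature names the report uses. The manifest it runs on is constructed to resemble what such an APK declares (the package name is the one the report shows; the component names are made up), and the permission-to-signature mapping is an assumption of this example, not the sandbox's own logic.

```python
"""Static triage of an AndroidManifest.xml for the behaviour cluster in the
Signatures list above (accessibility service, foreground service, wake lock,
battery-optimisation exemption, exact-alarm scheduling, network-state query)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Declared permission -> the signature name the report uses for that behaviour.
# This mapping is an assumption of the example, not the sandbox's rule set.
PERMISSION_SIGNATURES = {
    "android.permission.WAKE_LOCK": "Acquires the wake lock",
    "android.permission.FOREGROUND_SERVICE":
        "Makes use of the framework's foreground persistence service",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS":
        "Requests disabling of battery optimizations",
    "android.permission.SCHEDULE_EXACT_ALARM":
        "Schedules tasks to execute at a specified time",
    "android.permission.ACCESS_NETWORK_STATE":
        "Queries information about active data network",
}

# Constructed manifest (not extracted from the sample); the package name is
# the one the report shows for the running process, the component names are invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="very.longitude.adams">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Adams">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService" android:exported="true"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".KeepAlive" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>
"""


def scan_manifest(xml_text: str) -> dict:
    """Return the package name, launcher activities, accessibility services and
    the report-style signature names implied by the declared permissions."""
    root = ET.fromstring(xml_text)
    name = ANDROID_NS + "name"
    declared = {e.get(name) for e in root.iter("uses-permission")}
    signatures = {label for perm, label in PERMISSION_SIGNATURES.items()
                  if perm in declared}

    launcher, a11y = [], []
    for act in root.iter("activity"):
        for flt in act.iter("intent-filter"):
            actions = {a.get(name) for a in flt.iter("action")}
            cats = {c.get(name) for c in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                launcher.append(act.get(name))
    for svc in root.iter("service"):
        # A working accessibility service must be guarded by this permission and
        # answer the AccessibilityService action; either one alone is worth flagging.
        guarded = (svc.get(ANDROID_NS + "permission")
                   == "android.permission.BIND_ACCESSIBILITY_SERVICE")
        acts = {a.get(name) for a in svc.iter("action")}
        if guarded or "android.accessibilityservice.AccessibilityService" in acts:
            a11y.append(svc.get(name))
    if a11y:
        signatures.add("Makes use of the framework's Accessibility service")

    return {
        "package": root.get("package"),
        # "Removes its main activity from the application launcher" is a runtime
        # action (PackageManager.setComponentEnabledSetting), so statically the
        # manifest can only show which launcher entry there is to hide.
        "launcher_activities": launcher,
        "accessibility_services": a11y,
        "signatures": sorted(signatures),
    }


if __name__ == "__main__":
    for key, value in scan_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

Run it against a manifest decoded with apktool or `aapt dump xmltree`; a hit on the accessibility service plus the battery-optimisation and foreground-service permissions in an app that has no plausible accessibility use is the static counterpart of the runtime signatures above, and the launcher activity it lists is the one to watch for being disabled after first run.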

Processes

  • very.longitude.adams
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4495

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/very.longitude.adams/app_mph_dex/classes.dex

    Filesize

    3.3MB

    MD5

    4a1fa83c46273d6a7e5ade13f4c28925

    SHA1

    e935791603f489331e4221774525419f1563b0bc

    SHA256

    8139a906a11f73a6abf6579db8b899ce497cdc85dc4a16a9142768d35d6252c5

    SHA512

    96acfba2e1de4bf3eb17f3b4a9dd569cb4bff2368e0dd6452806e3637f0fb2a2e3b6bb95dd238154ed3b609d18d9aa03a3f860c81449302ba697251a7e9661b5

  • /data/user/0/very.longitude.adams/app_mph_dex/oat/classes.dex.cur.prof

    Filesize

    585B

    MD5

    f4f07cc887215945d9f2a1c1bcc5320d

    SHA1

    ea7b82fa6d63ed874e67a0d091041d5de949c8ee

    SHA256

    2a8a2124f2f397bba7a869f7db32ea768f0ac4947585daa8c9ce331ac6b3a0de

    SHA512

    a4db54cb98d482d796880d2fd7facddcbdd15ecf27190b2a71023f15c717f4a71cfd5f0100573c5394a07b180ed8bb59d8133ab4f020ebc86fc42ba9ab543103

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-01.txt

    Filesize

    41B

    MD5

    a57a5f3e8c2fa9d3ec23f08be44a344f

    SHA1

    880f2a8037a8ce6ffe0f494b9759b50c4b2f9046

    SHA256

    ddcd054a426a774ef8dd814be3fc337431d2f250b9ab573c63bf0160c24a4e6d

    SHA512

    336761e0dac2fd9fa230e7c2dc0c9a59331ebe2f5c90ba21b11cb6ce242bd3ccf1583f9bc98981eb52a75148b6850dc76a824457d3962851df0eac7821301f65

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-01.txt

    Filesize

    41B

    MD5

    fb646e1d6363a963d10f2ba4c648148f

    SHA1

    2e800bed9d6be067a9ca4f73e602d66dc0ad2482

    SHA256

    1b773985c6c02dac00cb7b271a21f51c135236bb7a5e1ef394e3add8431a81d3

    SHA512

    93544c90a27bd04b1fe2bcb6d554923b73752bb0756628cfbdbc6572717ad5cc283c8a266a26067d33d0a51f3efaeecadb3357cbf692f580870615f377a3b1a8

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-01.txt

    Filesize

    25B

    MD5

    ba30336bf53d54ed3c0ea69dd545de8c

    SHA1

    ce99c6724c75b93b7448e2d9fac16ca702a5711f

    SHA256

    2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

    SHA512

    eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-01.txt

    Filesize

    296B

    MD5

    d10de1dfb7f3497f28605a935f838e86

    SHA1

    cef4ca16e2265e7cb5244594814146d62502b92b

    SHA256

    7633a8d8547cb977437fa4742a965cb7b8b2457c142e3252d85e258d448b9b98

    SHA512

    a98f617d21c976a307b83cc6fbb423b820631cd4aa08d3bf3ff471fa86d75217a28d527577896f164148f4ef6b149f30f1c41c8a7a4956a3aaad75d6fdcd36b3
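The "Loads dropped Dex/Jar" signature and the 3.3MB classes.dex written under /data/user/0/very.longitude.adams/app_mph_dex/ mean the real payload is the dropped DEX, not the APK's own code. Before handing such a dump to a disassembler it is worth confirming the header is intact, since partial dumps and packer-mangled headers are common. The script below is an added example, not the sandbox vendor's code and not derived from the sample; it decodes the 0x70-byte DEX header and recomputes its two integrity fields as the DEX format specifies (adler32 over everything after the checksum field, SHA-1 over everything after the signature field). Because the dropped file itself is not on this page, the bytes it checks are a constructed header-only DEX built by `build_minimal_dex`, and `verify_dex`, `parse_dex_header` and `TAIL_FIELDS` are names chosen for this example.

```python
"""Integrity check of a DEX header, the first thing to run on a dumped
classes.dex before disassembling it."""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# Fields after endian_tag, in file order (offsets 0x2C..0x6C, all uint32 LE).
TAIL_FIELDS = ("link_size", "link_off", "map_off",
               "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
               "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
               "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
               "data_size", "data_off")


def parse_dex_header(data: bytes) -> dict:
    """Decode the 0x70-byte header; raises ValueError if it is not a DEX file."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("short file: %d bytes" % len(data))
    magic = data[:8]                      # b"dex\n" + 3-digit version + NUL
    if not (magic.startswith(b"dex\n") and magic[7:8] == b"\0"):
        raise ValueError("bad magic %r" % magic)
    hdr = {"version": magic[4:7].decode("ascii", "replace")}
    hdr["checksum"], = struct.unpack_from("<I", data, 8)
    hdr["signature"] = data[12:32]
    hdr["file_size"], hdr["header_size"], hdr["endian_tag"] = \
        struct.unpack_from("<III", data, 32)
    hdr.update(zip(TAIL_FIELDS, struct.unpack_from("<17I", data, 44)))
    return hdr


def verify_dex(data: bytes) -> list:
    """Return a list of problems; an empty list means the header is consistent.
    adler32 covers everything after the checksum field, SHA-1 everything
    after the signature field, as the DEX format specifies."""
    try:
        hdr = parse_dex_header(data)
    except ValueError as exc:
        return ["not a dex file: %s" % exc]
    problems = []
    if hdr["file_size"] != len(data):
        problems.append("file_size %d != actual %d (truncated or padded dump)"
                        % (hdr["file_size"], len(data)))
    if hdr["header_size"] != DEX_HEADER_SIZE:
        problems.append("header_size 0x%x" % hdr["header_size"])
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        problems.append("endian_tag 0x%08x" % hdr["endian_tag"])
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != hdr["checksum"]:
        problems.append("checksum mismatch")
    if hashlib.sha1(data[32:]).digest() != hdr["signature"]:
        problems.append("signature mismatch")
    # map_off must stay inside the file or the map list cannot be walked.
    if hdr["map_off"] and hdr["map_off"] + 4 > len(data):
        problems.append("map_off 0x%x outside file" % hdr["map_off"])
    return problems


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed header-only DEX (no map, no classes) with valid integrity
    fields, used here in place of the real dropped file."""
    body = bytearray(DEX_HEADER_SIZE)
    body[0:8] = b"dex\n" + version + b"\0"
    struct.pack_into("<III", body, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    # Signature first (it does not cover the checksum field), then the checksum,
    # which does cover the signature.
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


if __name__ == "__main__":
    sample = build_minimal_dex()
    print(parse_dex_header(sample)["version"], verify_dex(sample))
    tampered = bytearray(sample)
    tampered[0x60] ^= 1           # flip one bit of class_defs_size
    print(verify_dex(bytes(tampered)))
```

On a real dump, replace the constructed bytes with `open(path, "rb").read()`. A checksum or signature mismatch on an otherwise well-formed header usually means the file was patched in memory after loading or the dump is incomplete; compare `file_size` with the 3.3MB the report lists for the dropped classes.dex before trusting any disassembly.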