Overview

overview

10

Static

static

6

Ip TV Kurulum.apk

android-9-x86

10

Ip TV Kurulum.apk

android-10-x64

10

Ip TV Kurulum.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    31-10-2024 12:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ip TV Kurulum.apk

  • Size

    8.1MB

  • MD5

    6253c5a3deddfec7747f4f6721eb0e28

  • SHA1

    5d64ed1b0437b4ed34d58a2dcc741070fa5a98f2

  • SHA256

    47bbda0dd6dec1a07a518519867399c0dfa8696590a15fb7b1351a1578b85588

  • SHA512

    4869558cb0bf56458388d320968a0621ee4460a65eb8838990782389b2cd693d0fffde0a200085afe8259216c140c739a4f1434cd5d89fd3481401b47ec6fcdb

  • SSDEEP

    196608:DHQ2zW65PyVG9dWvZa4hwH4Fz35UNiy2/hhvLadoa:DT15Py89UZa4hVi2Zxa

Score
10/10
spynotebankercollectioncredential_accessdiscoveryevasionexecutioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

spynote

C2

178.255.218.216:7771

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

    bankertrojaninfostealerratspynote
  • Spynote family
    spynote
  • Spynote payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 6 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • com.mumwsmhbo.eiwssbryt
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:4241
    • /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.mumwsmhbo.eiwssbryt/app_app_dex/vruljpe.mvf --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.mumwsmhbo.eiwssbryt/app_app_dex/oat/x86/vruljpe.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4275
    • /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.mumwsmhbo.eiwssbryt/app_app_dex/wwjhorh.mvf --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.mumwsmhbo.eiwssbryt/app_app_dex/oat/x86/wwjhorh.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4323

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.mumwsmhbo.eiwssbryt/app_app_dex/vruljpe.mvf
    Filesize

    3.2MB

    MD5

    1e3ddb4f92749c94b2c28ddf78b41602

    SHA1

    fe6d33cf101a5a8c3d70921b0ab02d10c3b3ec19

    SHA256

    fbe43f610aa5bb662b6e3aa1751478bfcefece484435f3ff5eae974f28ef0330

    SHA512

    d6f7f8c363367f1a9244b958639786e7192ace1a144ca66ce6c8e28d1bc5945ec569b598725b5bd98890452a879da0ce33e44b658e76e2d4bc28d2849456813b

    Download Submit

  • /data/data/com.mumwsmhbo.eiwssbryt/app_app_dex/wwjhorh.mvf
    Filesize

    3.8MB

    MD5

    ee8fd7315a816c618dcbc3df0b8d5ba3

    SHA1

    0af1c08562c9415dbfd52f683835a223fa4d290d

    SHA256

    1b7774be7445883b441db78e4190365fa01ee6ccf67ace0904c7105650cae9bd

    SHA512

    ac2d15566368b69311c77ebd56ffa32365553f9e892f297ae080321423e00319c3f44b27a43164b84aad62a04da6a5dcc2187ad2a5e1c3458e6878d2059de40d

    Download Submit

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt
    Filesize

    41B

    MD5

    3c79c5775d0e5ba84393615e52d53e65

    SHA1

    274f8485eb4db0243871b9303be97f312c94068e

    SHA256

    68d87acd090cca171adb6293c32115526c2235a77c9baa734e1d4dcac0c24319

    SHA512

    40a80f7ddfc2d17ba97140ba21e3ae8559652e2b28d9ce5a3f7c3a608f66672c533411131ed453de4cfac825a52169e8e5cfa1976068ebc90a7f187d78a96111

    Download Submit

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt
    Filesize

    69B

    MD5

    bb8e8091bf71a9e4c2d4ba79318b4c33

    SHA1

    ab2e0dda25a7925099131956f58d951d55efad99

    SHA256

    f47eb906d4d56022251cbcac00af9c0f882a3552280eb5bb3da19ff548752156

    SHA512

    ba91651a5fd682e1ebfbad060c1ed9ff89b2c9cd66cb7928977779cd6360e20b3abcc57c52c4618d1757627c0d496a7f4dd6e8a02b7e30e658083bd46811a29a

    Download Submit

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt
    Filesize

    41B

    MD5

    027c87b04dd7416ec202148cf32a38b4

    SHA1

    c8932d78520a3314e3bf91cb8fdd7af5fc486fcc

    SHA256

    9260321cfbed6a11dbbf07dae7f60cf66bfff1439f1063c990f414b2e98c81ae

    SHA512

    23394142eacc45c9269de7308a2f711d5f42828c26ed5dc82b7c047299d35ea7754a48a7bf69059343d3a9f4cbf0409c20ab931bb5670af596961e5bff778818

    Download Submit

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt
    Filesize

    296B

    MD5

    427ce5bef4457fbb440c50a31f854585

    SHA1

    46b21ab6c0015a76f02fbcc858964cd555e159a7

    SHA256

    65c081a05b20eaed65b5c7ff49ba0f613e300a336a62de8c5888e84c0e62b227

    SHA512

    ce58216287bf79087afa4bad00f9bc2f9f1f186890494d01d5814915e04333d223345c8e4313d887c65581a0d888c933d3a6fe6cc0a7e290d4bbe989ae1da265

    Download Submit