Malware Analysis Report

2025-01-23 12:30

Sample ID 241103-1xr2qawelq
Target 41de347b466f9894aa9fd049ac36c8977196d5e95948e7fea800bb6dee4de35d.bin
SHA256 41de347b466f9894aa9fd049ac36c8977196d5e95948e7fea800bb6dee4de35d
Tags
spynote banker collection credential_access evasion execution impact infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

41de347b466f9894aa9fd049ac36c8977196d5e95948e7fea800bb6dee4de35d

Threat Level: Known bad

The file 41de347b466f9894aa9fd049ac36c8977196d5e95948e7fea800bb6dee4de35d.bin was found to be: Known bad.

Malicious Activity Summary

spynote banker collection credential_access evasion execution impact infostealer persistence rat trojan

Spynote

Spynote family

Spynote payload

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Acquires the wake lock

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 22:02

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). | android.permission.BIND_INPUT_METHOD | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
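The permission set above is the textbook Android banker/RAT profile: a system-only accessibility bind permission, an overlay permission, SMS read and send, device admin, an input method and REQUEST_INSTALL_PACKAGES, all in one manifest. The Python below is an added example, not part of the sandbox report or of the sample, that parses such a manifest and scores it on capability clusters rather than on single permissions. The manifest fragment is constructed to carry exactly the permissions listed above and the package name the report shows; its component names and the cluster definitions are assumptions.

```python
"""Triage an AndroidManifest for the banker/RAT permission pattern above.

Added example, not part of the sandbox report. The manifest fragment below
is constructed so that it carries exactly the permissions the static1
section lists; the package name is the one the report shows, the component
names are placeholders. The cluster definitions are the analyst's own.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERM = "{%s}permission" % ANDROID_NS

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="rotation.exhibits.instance">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
    <service android:name=".KeyboardService"
             android:permission="android.permission.BIND_INPUT_METHOD"/>
  </application>
</manifest>
"""

# Capability clusters. Most of these permissions are legitimate on their own;
# the co-occurrence of several clusters is what marks a banker/RAT.
CLUSTERS = {
    "overlay_and_a11y": {   # phishing overlays driven by an accessibility service
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
    },
    "sms_interception": {   # OTP theft and outbound SMS
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
    },
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "keylogging_ime": {"android.permission.BIND_INPUT_METHOD"},
    "surveillance": {
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
        "android.permission.ACCESS_FINE_LOCATION",
    },
    "sideload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


def extract_permissions(manifest_xml):
    """Requested <uses-permission> names plus the system bind permissions
    declared on <service>/<receiver> components, as one set."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ATTR_NAME) for el in root.iter("uses-permission")}
    bound = {el.get(ATTR_PERM)
             for tag in ("service", "receiver")
             for el in root.iter(tag)
             if el.get(ATTR_PERM)}
    present = requested | bound
    present.discard(None)
    return present


def triage(manifest_xml):
    """Report which clusters are fully present and a 0..6 score."""
    present = extract_permissions(manifest_xml)
    hits = sorted(name for name, need in CLUSTERS.items() if need <= present)
    return {"clusters": hits, "score": len(hits), "permission_count": len(present)}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Against a real APK, feed it the decoded AndroidManifest.xml (for example the one apktool writes out) instead of the constructed fragment. A single matching cluster is weak evidence; an SMS client or a screen reader will trip one legitimately. This sample trips all six.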

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 22:02

Reported

2024-11-03 22:08

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

155s

Command Line

rotation.exhibits.instance

Signatures

Spynote

banker trojan infostealer rat spynote

Spynote family

spynote

Spynote payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/rotation.exhibits.instance/app_ded/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.dex | N/A | N/A
N/A | /data/user/0/rotation.exhibits.instance/app_ded/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.dex | N/A | N/A
N/A | /data/user/0/rotation.exhibits.instance/app_ded/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

rotation.exhibits.instance

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/rotation.exhibits.instance/app_ded/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/rotation.exhibits.instance/app_ded/oat/x86/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.odex --compiler-filter=quicken --class-loader-context=&

rm -r/data/user/0/rotation.exhibits.instance/app_ded/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.dex

rm -r/data/user/0/rotation.exhibits.instance/app_ded/oat/x86/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.odex

rm -r/data/user/0/rotation.exhibits.instance/app_ded/oat/x86/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.vdex

Network

Country Destination Domain Proto
GB 142.250.180.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
RU 185.225.202.136:7771 tcp (112 connections; identical rows collapsed)

Files

/data/data/rotation.exhibits.instance/app_ded/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.dex

MD5 3855537a20c4f26b165a49e44e3f8ff5
SHA1 950af12cccfc4b1b9ba56dd9c5a993a83bc60153
SHA256 10a2a04b3c17723276bd1da0f7b2e10f2b013ecd5a0a10d8e22894d2e27dbc3f
SHA512 d3d26b90a4e54032b9576c90182974c804fe8e76f49c4263f451b3dd3ba4dc22845cde0c89419266b860d105d9910492e9036b35cd91f2bd68f30d3d3eb37c48

/data/user/0/rotation.exhibits.instance/app_ded/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.dex

MD5 97fc410be18ff42f763caf8db4782a82
SHA1 091ad3e7119f1cf3993c564686c0e5a2baab0451
SHA256 d6ee8be1a95ca432104a23f7474d8c20f99f11da5bb1817939cb4cafd1816e1b
SHA512 ef37231441e06e354ea435e53de60e14bb2f0e12cd6193b78fb3f898892c1ada40804e82b169d1463894ebac5fe44bb7978d68f95c3cd55a5d6c3c0e1a5f589e

/storage/emulated/0/Config/sys/apps/log/log-2024-11-03.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-11-03.txt

MD5 ef230849ba0e15e9e1cdcb10e7660e6e
SHA1 8cfefbe9917850d8b491c220f973a897208a68ca
SHA256 8bfef9c2760abf2a551ed85b9c7beac288d8fa41d9e98fd5b2552cce2adca56f
SHA512 434b407e49edc20c6a83cf9cdbebf1f303a6fb77058d19dca15763cb9fb137b48ce5f01bec6d588b0065cd30d32b2fc4a6e12838455364c264a4ac3065d6d3f2

/storage/emulated/0/Config/sys/apps/log/log-2024-11-03.txt

MD5 5d0672d018a5f0d0788bb7c325cb6d4a
SHA1 e5d7bbac1354c2ccdacd4e03f4157f9e4feb1c69
SHA256 61a04993a7211c2e0f99d1cccfd0ee999903abfb8bdcfebc5e13cbc30dc59367
SHA512 1cacb83687f44b221c508090388768b1b5fc053861087a0e38d0c287b146c7e454e150c198d1c7c896f9139a1672db74ae394a3f70de3e9139c1177133615a43

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 22:02

Reported

2024-11-03 22:06

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

156s

Command Line

rotation.exhibits.instance

Signatures

Spynote

banker trojan infostealer rat spynote

Spynote family

spynote

Spynote payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/rotation.exhibits.instance/app_ded/mX28EG1vjaoGnSLFr9CP0P59LLxEA3mb.dex | N/A | N/A
N/A | /data/user/0/rotation.exhibits.instance/app_ded/mX28EG1vjaoGnSLFr9CP0P59LLxEA3mb.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

rotation.exhibits.instance

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
RU 185.225.202.136:7771 tcp (3 connections; identical rows collapsed)
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
RU 185.225.202.136:7771 tcp (30 connections; identical rows collapsed)
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
RU 185.225.202.136:7771 tcp (80 connections; identical rows collapsed)

Files

/data/data/rotation.exhibits.instance/app_ded/mX28EG1vjaoGnSLFr9CP0P59LLxEA3mb.dex

MD5 3855537a20c4f26b165a49e44e3f8ff5
SHA1 950af12cccfc4b1b9ba56dd9c5a993a83bc60153
SHA256 10a2a04b3c17723276bd1da0f7b2e10f2b013ecd5a0a10d8e22894d2e27dbc3f
SHA512 d3d26b90a4e54032b9576c90182974c804fe8e76f49c4263f451b3dd3ba4dc22845cde0c89419266b860d105d9910492e9036b35cd91f2bd68f30d3d3eb37c48

/storage/emulated/0/Config/sys/apps/log/log-2024-11-03.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-11-03.txt

MD5 384f122c37ac75b917bf327f7a574a85
SHA1 483c61806f06461795fcd21cfe7f913b8d2978c1
SHA256 a077ec68d0642a02bfcd372da2cbe0d364f54c5357efa245562efe6a9c72e6b6
SHA512 69c0c473aa48b5b1c7016f0ab585a00f7b004dd5ee24fab8415a24be1a6bad3693be27c58ff56d20798385fc127a5b4bfcc6fdfb61f34b9e79708e4ca27235fd

/storage/emulated/0/Config/sys/apps/log/log-2024-11-03.txt

MD5 872bb4473923c730128139ccc7397bd4
SHA1 e7764f1818f3a41871fff03fb0f02df1ff35cac2
SHA256 e5ade712117ffe21ae499fd0404fd0164553ffc34aaabbffb32eb998e3b7826b
SHA512 04af5d7e81cc539752555158ae38e7f2931b22c67abd2107b7da939adcefba970dca7bc77c181d0619ebec7c073f87f1d58d8880cbe85af8a3ed139b18638015

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-03 22:02

Reported

2024-11-03 22:05

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

155s

Command Line

rotation.exhibits.instance

Signatures

Spynote

banker trojan infostealer rat spynote

Spynote family

spynote

Spynote payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/rotation.exhibits.instance/app_ded/O027CbV4vVD8zuVLz0S4gT6UfzwHl5cV.dex | N/A | N/A
N/A | /data/user/0/rotation.exhibits.instance/app_ded/O027CbV4vVD8zuVLz0S4gT6UfzwHl5cV.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

rotation.exhibits.instance

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 172.217.16.238:443 www.youtube.com tcp
GB 172.217.169.14:443 www.youtube.com tcp
US 216.239.34.223:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
RU 185.225.202.136:7771 tcp (108 connections; identical rows collapsed)
GB 142.250.187.193:443 tcp
GB 216.58.204.65:443 tcp
US 216.239.34.223:443 tcp
RU 185.225.202.136:7771 tcp (3 connections; identical rows collapsed)
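The network tables of all three detonations (behavioral1, behavioral2 and this one) are dominated by repeated short TCP connections to 185.225.202.136:7771, a non-standard port on a host for which the sandbox recorded no domain, interleaved with ordinary Android background traffic (resolver queries to 1.1.1.1, mDNS to 224.0.0.251, Google endpoints on 443). The Python below is an added example, not part of the report, that parses rows in the report's own "Country Destination Domain Proto" layout, aggregates them per destination, separates the beacon-like endpoint from that noise and emits a Suricata rule for it. The rows are a shortened constructed excerpt of behavioral2's table; the benign-suffix allowlist and the rule sid are assumptions.

```python
"""Aggregate a sandbox connection table into per-destination indicators.

Added example, not part of the report. Rows follow the report's own
"Country Destination Domain Proto" layout; the excerpt below is a shortened
copy of behavioral2's table. The benign-suffix allowlist and the Suricata
sid are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_ROWS = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
RU 185.225.202.136:7771 tcp
RU 185.225.202.136:7771 tcp
RU 185.225.202.136:7771 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
RU 185.225.202.136:7771 tcp
RU 185.225.202.136:7771 tcp
"""

BENIGN_SUFFIXES = ("google.com", "googleapis.com", "youtube.com")  # assumption
WELL_KNOWN_PORTS = {53, 443, 5353}
MDNS_GROUP = "224.0.0.251"


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str) -> List[Conn]:
    """Parse the table; the Domain column is absent when the sandbox saw no DNS name."""
    conns = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue                            # malformed row, skip
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def is_background(c: Conn) -> bool:
    """Resolver queries, mDNS and named Google endpoints are emulator noise."""
    if c.ip == MDNS_GROUP or c.port == 53:
        return True
    return c.domain is not None and c.domain.endswith(BENIGN_SUFFIXES)


def summarize(text: str) -> dict:
    """Count connections per (ip, port, proto), keeping only endpoints that are
    neither background traffic nor on a well-known port."""
    conns = parse_rows(text)
    counts = Counter((c.ip, c.port, c.proto) for c in conns if not is_background(c))
    suspicious = [
        {"ip": ip, "port": port, "proto": proto, "count": n}
        for (ip, port, proto), n in counts.most_common()
        if port not in WELL_KNOWN_PORTS
    ]
    return {"total": len(conns), "suspicious": suspicious}


def suricata_rule(ip: str, port: int, sid: int = 9000001) -> str:
    """Minimal Suricata rule for the endpoint; sid is a local-range placeholder."""
    return (f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Suspected SpyNote C2 {ip}:{port}"; flow:to_server; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    report = summarize(SAMPLE_ROWS)
    for hit in report["suspicious"]:
        print(hit)
        print(suricata_rule(hit["ip"], hit["port"]))
```

The unnamed Google addresses on 443 (for example 142.250.180.14) are not matched by the allowlist, because the sandbox recorded no domain for them; they drop out only because 443 is a well-known port. Anything that survives both filters, as 185.225.202.136:7771 does here with every run, is what goes into the blocklist and the rule.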

Files

/data/user/0/rotation.exhibits.instance/app_ded/O027CbV4vVD8zuVLz0S4gT6UfzwHl5cV.dex

MD5 3855537a20c4f26b165a49e44e3f8ff5
SHA1 950af12cccfc4b1b9ba56dd9c5a993a83bc60153
SHA256 10a2a04b3c17723276bd1da0f7b2e10f2b013ecd5a0a10d8e22894d2e27dbc3f
SHA512 d3d26b90a4e54032b9576c90182974c804fe8e76f49c4263f451b3dd3ba4dc22845cde0c89419266b860d105d9910492e9036b35cd91f2bd68f30d3d3eb37c48

/storage/emulated/0/Config/sys/apps/log/log-2024-11-03.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-11-03.txt

MD5 5d0672d018a5f0d0788bb7c325cb6d4a
SHA1 e5d7bbac1354c2ccdacd4e03f4157f9e4feb1c69
SHA256 61a04993a7211c2e0f99d1cccfd0ee999903abfb8bdcfebc5e13cbc30dc59367
SHA512 1cacb83687f44b221c508090388768b1b5fc053861087a0e38d0c287b146c7e454e150c198d1c7c896f9139a1672db74ae394a3f70de3e9139c1177133615a43

/storage/emulated/0/Config/sys/apps/log/log-2024-11-03.txt

MD5 bdb821a955117250611e94cd23842584
SHA1 81edcea1b44f94cfc140710c8410d0696b760c67
SHA256 076eb89055ff3d929eb732e1002a0105652e628682a741151388ce1df3b6ec9d
SHA512 e52ffed4ee84acc414c530c239c8876d9e99c1f2b2c7626c0ed7fbe0c59b9cb8f8a5e9e983541bea3dfdb849dd3b9593df054c2482ed8bcda7c70ebd960ca268
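Across the three runs the payload dropped under app_ded/ has a different random 32-character name each time (BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8, mX28EG1vjaoGnSLFr9CP0P59LLxEA3mb, O027CbV4vVD8zuVLz0S4gT6UfzwHl5cV) but the same SHA256 10a2a04b3c17723276bd1da0f7b2e10f2b013ecd5a0a10d8e22894d2e27dbc3f, and behavioral1's process list shows the DEX being compiled by dex2oat and then removed together with its odex and vdex. The Python below is an added example, not part of the report, that groups the Files records by content hash so the name randomisation is obvious, and pairs each dex2oat --dex-file target with a later rm of the same path. Records and command lines are taken from this report (the dex2oat line is abbreviated); the grouping logic and regular expressions are the added part.

```python
"""Correlate dropped-file records and process lines across detonations.

Added example, not part of the report. The records and command lines are
copied from the Files and Processes sections above (the dex2oat command is
abbreviated to the arguments that matter here); the correlation logic is
the added part.
"""
import re
from collections import defaultdict

DEX_SHA = "10a2a04b3c17723276bd1da0f7b2e10f2b013ecd5a0a10d8e22894d2e27dbc3f"

# (run, path, sha256) from the three Files sections.
FILE_RECORDS = [
    ("behavioral1", "/data/data/rotation.exhibits.instance/app_ded/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.dex", DEX_SHA),
    ("behavioral1", "/data/user/0/rotation.exhibits.instance/app_ded/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.dex",
     "d6ee8be1a95ca432104a23f7474d8c20f99f11da5bb1817939cb4cafd1816e1b"),
    ("behavioral2", "/data/data/rotation.exhibits.instance/app_ded/mX28EG1vjaoGnSLFr9CP0P59LLxEA3mb.dex", DEX_SHA),
    ("behavioral3", "/data/user/0/rotation.exhibits.instance/app_ded/O027CbV4vVD8zuVLz0S4gT6UfzwHl5cV.dex", DEX_SHA),
]

# Process command lines from behavioral1. The rm lines keep the missing space
# after -r exactly as the sandbox printed them.
PROCESS_LINES = [
    "/system/bin/dex2oat --instruction-set=x86 "
    "--dex-file=/data/user/0/rotation.exhibits.instance/app_ded/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.dex "
    "--output-vdex-fd=42 --oat-fd=43 --compiler-filter=quicken",
    "rm -r/data/user/0/rotation.exhibits.instance/app_ded/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.dex",
    "rm -r/data/user/0/rotation.exhibits.instance/app_ded/oat/x86/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.odex",
    "rm -r/data/user/0/rotation.exhibits.instance/app_ded/oat/x86/BilBkDeCLbzmV4vtDh5ZN9Ff8J3m4dz8.vdex",
]

RANDOM_DEX = re.compile(r"/app_ded/([A-Za-z0-9]{32})\.dex$")   # random 32-char basename
DEX2OAT_TARGET = re.compile(r"--dex-file=(\S+)")
RM_TARGET = re.compile(r"^rm\s+-r\s*(\S+)")                   # tolerates "-r/path" and "-r /path"


def group_by_hash(records):
    """Map sha256 -> sorted list of (run, basename). One hash under several
    random names across runs is the name-randomisation pattern; a path or
    filename indicator for the payload is therefore useless, the hash is not."""
    groups = defaultdict(set)
    for run, path, sha in records:
        m = RANDOM_DEX.search(path)
        name = m.group(1) if m else path.rsplit("/", 1)[-1]
        groups[sha].add((run, name))
    return {sha: sorted(names) for sha, names in groups.items()}


def load_then_delete(lines):
    """Return DEX paths handed to dex2oat that were later removed with rm:
    the load-and-delete sequence that hides the payload from post-run disk
    collection."""
    compiled = [m.group(1) for line in lines if (m := DEX2OAT_TARGET.search(line))]
    removed = {m.group(1) for line in lines if (m := RM_TARGET.match(line))}
    return [p for p in compiled if p in removed]


if __name__ == "__main__":
    for sha, names in group_by_hash(FILE_RECORDS).items():
        print(sha[:16], names)
    print(load_then_delete(PROCESS_LINES))
```

Two things the grouping makes visible. First, the same SHA256 appears in all three runs under three different names, so the content hash is the indicator worth keeping and the basename is not. Second, behavioral1 records the same DEX twice, once via /data/data and once via /data/user/0 (on current Android the former is a symlink to the latter), with different hashes; the file's content therefore differed between the two captures, which is why a collector that wants the loaded payload should hash at dex2oat/load time rather than only on creation, especially when the rm that follows compilation is part of the sample's behaviour.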