spynote | d96ee475dd19e74082f86e8441711216[.]bin

General

Target

d96ee475dd19e74082f86e8441711216.bin
Size

2.9MB
MD5

4028e6c2e7182be297ebc52ee790eaca
SHA1

bccca0965af12e65107c26e299e77035b86362ca
SHA256

b960ede018834eb90efc27162c488cf329c49ca62475661907af0edcd8221364
SHA512

abb688abcfb33ccd0f02b1d3ee6acc11d5ef9b5cce2c9a34755715fedcb2163eac7e7f269fbb70087f8a434143f3fe655b9b5ef58043c182587c159022c2f2ed
SSDEEP

49152:ptkFWK0VivjXaqruiUW4TAcp+rPo3V2DLM7QMpY7XiIlLTjOst5AKnJoi0isweqH:ptkwYjX/rui0ZMryEI7QMpYzlL3b5bJh

Score

10^/10

spynote

Malware Config

Extracted

Family

spynote

C2

xavier222-62842.portmap.io:62842

Signatures

Spynote family
spynote
Attempts to obfuscate APK file format
Applies obfuscation techniques to the APK format in order to hinder analysis

Declares broadcast receivers with permission to handle system events 1 IoCs

description	ioc
Required by device admin receivers to bind with the system. Allows apps to manage device administration features.	android.permission.BIND_DEVICE_ADMIN

Declares services with permission to bind to the system 3 IoCs

description	ioc
Required by accessibility services to bind with the system. Allows apps to access accessibility features.	android.permission.BIND_ACCESSIBILITY_SERVICE
Required by VPN services to bind with the system. Allows apps to provision VPN services.	android.permission.BIND_VPN_SERVICE
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards).	android.permission.BIND_INPUT_METHOD

Requests dangerous framework permissions 15 IoCs

description	ioc
Allows an application to send SMS messages.	android.permission.SEND_SMS
Allows an application to read SMS messages.	android.permission.READ_SMS
Allows an application to read the user's call log.	android.permission.READ_CALL_LOG
Allows an application to read the user's contacts data.	android.permission.READ_CONTACTS
Allows access to the list of accounts in the Accounts Service.	android.permission.GET_ACCOUNTS
Required to be able to access the camera device.	android.permission.CAMERA
Allows an application to record audio.	android.permission.RECORD_AUDIO
Allows an app to access approximate location.	android.permission.ACCESS_COARSE_LOCATION
Allows an app to access precise location.	android.permission.ACCESS_FINE_LOCATION
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.	android.permission.CALL_PHONE
Allows an application to read from external storage.	android.permission.READ_EXTERNAL_STORAGE
Allows an application to write to external storage.	android.permission.WRITE_EXTERNAL_STORAGE
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.	android.permission.SYSTEM_ALERT_WINDOW
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.	android.permission.READ_PHONE_STATE
Allows an application to request installing packages.	android.permission.REQUEST_INSTALL_PACKAGES

Files

d96ee475dd19e74082f86e8441711216.bin
.zip

Password: infected
3ef9e9ab4b0f5c39d65f43b2227984e6ca423adad60e828f6af2e0eb7ac78284.zip
.apk android

Password: infected

fs.mazda.rentals

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.ynesavewaqujnfyztwvkmybwuflwyxxipcrhuvoiczgzmfqaeh31

Activities

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.ynesavewaqujnfyztwvkmybwuflwyxxipcrhuvoiczgzmfqaeh31

android.intent.action.MAIN

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.vlesdattgrkxguxogpvaunxdjhdievcrvvaobhsqkjnhwqstkd14_CA

fs.mazda.rentals.xyz

Permissions

android.permission.SEND_SMS
android.permission.SET_WALLPAPER
android.permission.READ_SMS
android.permission.READ_CALL_LOG
android.permission.READ_CONTACTS
android.permission.GET_ACCOUNTS
android.permission.CAMERA
android.permission.RECORD_AUDIO
android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_FINE_LOCATION
android.permission.CALL_PHONE
android.permission.DISABLE_KEYGUARD
android.permission.FOREGROUND_SERVICE
android.permission.READ_EXTERNAL_STORAGE
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.RECEIVE_BOOT_COMPLETED
oppo.permission.OPPO_COMPONENT_SAFE
oplus.permission.OPLUS_COMPONENT_SAFE
com.huawei.permission.external_app_settings.USE_COMPONENT
android.permission.INTERNET
android.permission.SYSTEM_ALERT_WINDOW
android.permission.READ_PHONE_STATE
android.permission.WAKE_LOCK
com.android.alarm.permission.SET_ALARM
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_WIFI_STATE
android.permission.CHANGE_WIFI_STATE
android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
android.permission.REQUEST_INSTALL_PACKAGES
android.permission.REQUEST_DELETE_PACKAGES
android.permission.USE_FULL_SCREEN_INTENT

Receivers

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.stxxzjlhhlyhsvdxbusogjsrnnbqrmhxhfvyynfqdhferfbkfb5.SRcjoulihgawafiesbcgjnmarociudddgmopocjmmxlqixpoikmx74B

fs.mazda.rentals.RestartSensor

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.stxxzjlhhlyhsvdxbusogjsrnnbqrmhxhfvyynfqdhferfbkfb5.cjoulihgawafiesbcgjnmarociudddgmopocjmmxlqixpoikmx7

android.intent.action.BOOT_COMPLETED
android.intent.action.ACTION_BOOT_COMPLETED
android.intent.action.QUICKBOOT_POWERON
com.htc.intent.action.QUICKBOOT_POWERON
android.intent.action.REBOOT
android.intent.action.LOCKED_BOOT_COMPLETED
miui.intent.action.BOOT_COMPLETEDT

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.stxxzjlhhlyhsvdxbusogjsrnnbqrmhxhfvyynfqdhferfbkfb5.vlesdattgrkxguxogpvaunxdjhdievcrvvaobhsqkjnhwqstkd14_RC

android.intent.action.PACKAGE_INSTALL
android.intent.action.PACKAGE_ADDED
android.intent.action.PACKAGE_REMOVED
android.intent.action.PACKAGE_ADDED
android.intent.action.PACKAGE_CHANGED
android.intent.action.MY_PACKAGE_REPLACED

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.stxxzjlhhlyhsvdxbusogjsrnnbqrmhxhfvyynfqdhferfbkfb5.cjoulihgawafiesbcgjnmarociudddgmopocjmmxlqixpoikmx74

android.intent.action.SCREEN_ON
android.intent.action.SCREEN_OFF
android.intent.action.ACTION_POWER_CONNECTED
android.intent.action.ACTION_POWER_DISCONNECTED
android.intent.action.USER_PRESENT

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.stxxzjlhhlyhsvdxbusogjsrnnbqrmhxhfvyynfqdhferfbkfb5.datecjoulihgawafiesbcgjnmarociudddgmopocjmmxlqixpoikmx7rec

android.intent.action.DATE_CHANGED

fs.mazda.cjoulihgawafiesbcgjnmarociudddgmopocjmmxlqixpoikmx7_AR

android.app.action.DEVICE_ADMIN_ENABLED

Services

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.tzujtvfxtxahqpmfvqplxmwthafkpgpsibhaltximkjivpkbpg3.cjoulihgawafiesbcgjnmarociudddgmopocjmmxlqixpoikmx72

android.accessibilityservice.AccessibilityService

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.tzujtvfxtxahqpmfvqplxmwthafkpgpsibhaltximkjivpkbpg3.Vpncjoulihgawafiesbcgjnmarociudddgmopocjmmxlqixpoikmx71Service

android.net.VpnService

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.tzujtvfxtxahqpmfvqplxmwthafkpgpsibhaltximkjivpkbpg3.Sulhuafdigrxodicrqjlnykcwhkrkpdwhbjahboracuwqmccgll6IME

android.view.InputMethod

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

fs.mazda.rentals

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.ynesavewaqujnfyztwvkmybwuflwyxxipcrhuvoiczgzmfqaeh31

Activities

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.ynesavewaqujnfyztwvkmybwuflwyxxipcrhuvoiczgzmfqaeh31

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.vlesdattgrkxguxogpvaunxdjhdievcrvvaobhsqkjnhwqstkd14_CA

Permissions

Receivers

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.stxxzjlhhlyhsvdxbusogjsrnnbqrmhxhfvyynfqdhferfbkfb5.SRcjoulihgawafiesbcgjnmarociudddgmopocjmmxlqixpoikmx74B

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.stxxzjlhhlyhsvdxbusogjsrnnbqrmhxhfvyynfqdhferfbkfb5.cjoulihgawafiesbcgjnmarociudddgmopocjmmxlqixpoikmx7

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.stxxzjlhhlyhsvdxbusogjsrnnbqrmhxhfvyynfqdhferfbkfb5.vlesdattgrkxguxogpvaunxdjhdievcrvvaobhsqkjnhwqstkd14_RC

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.stxxzjlhhlyhsvdxbusogjsrnnbqrmhxhfvyynfqdhferfbkfb5.cjoulihgawafiesbcgjnmarociudddgmopocjmmxlqixpoikmx74

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.stxxzjlhhlyhsvdxbusogjsrnnbqrmhxhfvyynfqdhferfbkfb5.datecjoulihgawafiesbcgjnmarociudddgmopocjmmxlqixpoikmx7rec

fs.mazda.cjoulihgawafiesbcgjnmarociudddgmopocjmmxlqixpoikmx7_AR

Services

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.tzujtvfxtxahqpmfvqplxmwthafkpgpsibhaltximkjivpkbpg3.cjoulihgawafiesbcgjnmarociudddgmopocjmmxlqixpoikmx72

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.tzujtvfxtxahqpmfvqplxmwthafkpgpsibhaltximkjivpkbpg3.Vpncjoulihgawafiesbcgjnmarociudddgmopocjmmxlqixpoikmx71Service

fs.mazda.tzsspzdssoaujdscwsqdlqhlnmayswwheudxzdqgnoyjosjkub2.tzujtvfxtxahqpmfvqplxmwthafkpgpsibhaltximkjivpkbpg3.Sulhuafdigrxodicrqjlnykcwhkrkpdwhbjahboracuwqmccgll6IME