spynote | 34f9d74a7696be56b453e0af51eaca2188ec938d9e9b7eac94b5457bf4a3ea9a

Analysis

max time kernel
1799s
max time network
1805s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
17-11-2024 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BaniizKedra (2).apk
Size

5.4MB
MD5

6a127ad272931ce3e1030ed1269087ac
SHA1

69c36bb20d07217fc90ad0881296be236ce85d2a
SHA256

34f9d74a7696be56b453e0af51eaca2188ec938d9e9b7eac94b5457bf4a3ea9a
SHA512

d6b2f5e60040522abc4805431fa5634c13dddd86efd76ec342055c2dc819c422b74424624820c285bf462b814ca557c1a0f1a8398d8711f6005edb69aec331a9
SSDEEP

98304:fKIKBRU4rZpxd2pOrO2jVuk1M24M4dlMr4ZNHDHUoWRfB:4xl3SOrOlk1L4lM0ZNHDH8B

Score

10^/10

spynote banker collection credential_access evasion execution infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

spynote

5.42.92.219:7771

Signatures

Spynote
Spynote is a Remote Access Trojan first seen in 2017.
banker trojan infostealer rat spynote
Spynote family
spynote

Spynote payload 2 IoCs

resource	yara_rule
behavioral8/files/fstream-1.dat	family_spynote
behavioral8/memory/4214-1.dex	family_spynote

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4214	discharge.postcard.laughing

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/discharge.postcard.laughing/app_mph_dex/apk.manager-v1.rizal.xml	4214	discharge.postcard.laughing
/data/user/0/discharge.postcard.laughing/app_mph_dex/apk.manager-v1.rizal.xml	4277	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/discharge.postcard.laughing/app_mph_dex/apk.manager-v1.rizal.xml --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/discharge.postcard.laughing/app_mph_dex/oat/x86/apk.manager-v1.rizal.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/discharge.postcard.laughing/app_mph_dex/apk.manager-v1.rizal.xml	4214	discharge.postcard.laughing

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	discharge.postcard.laughing
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	discharge.postcard.laughing
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	discharge.postcard.laughing

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	discharge.postcard.laughing

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	discharge.postcard.laughing

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	discharge.postcard.laughing

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	discharge.postcard.laughing

discharge.postcard.laughing
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:4214
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/discharge.postcard.laughing/app_mph_dex/apk.manager-v1.rizal.xml --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/discharge.postcard.laughing/app_mph_dex/oat/x86/apk.manager-v1.rizal.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4277

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/discharge.postcard.laughing/app_mph_dex/apk.manager-v1.rizal.xml

Filesize
7.1MB

MD5
0d3537e7d3e8f67095961747753fed34

SHA1
2abadf6ce7da1c6a30d20cf7201a355b0a677cc6

SHA256
afce0f84f7a803bd6ea10e0f9758d5fa31258211f1a3d4c67657603ef65dd40c

SHA512
640ddfeba4a2e9ae06ff2516cd5a906c4cb8dc7bda85d3e490f21ba06100fe65e2d0e2c524d413cb936062fa1188ea7de6d6e5422016d1997dade88fa227f48b

Download Submit
/data/user/0/discharge.postcard.laughing/app_mph_dex/apk.manager-v1.rizal.xml

Filesize
7.1MB

MD5
b48b31784323753a3e1f7d1377422a6b

SHA1
b40b37de7f84c059ada54a660bf69acc9590d651

SHA256
778ad4530ca873da2c5a75a1e4b1928b34675a4b2be48bd95388e5d9b062d758

SHA512
fc954c09746da502921b4e9535476f2fd0633ab3170da25b9ad8b7e59b2624137ba54133e0170df2da10d9114a4c42e46028eb79a1e56d45e5b03939985a23d3

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-11-17.txt

Filesize
280B

MD5
bd0b5205512635a179ae0379719c4058

SHA1
d0e8765c62bc380db5440c96c0095cdfa8f04f8c

SHA256
afdf1f2a6acdf1fed3c215b7b8ed9d0fa7edebf0aafc4f2e4150baf95e7178f2

SHA512
fe7915817ae0d18baedb04762e96d538354874936c72812edf9ed8cfcc36b8e1d77a6658dc98a1ad69f936b75f758f2fcce91320a01859ce78a18aab7954a979

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-11-17.txt

Filesize
61B

MD5
ada9d3708037b4fdf3b6126f46fc4c87

SHA1
f940b3ba053479049f18aa9276a39515af9bbeca

SHA256
98b4b5736310ee3c951ebbbf2986516bc0ba923d575f5c657981ef2c26ff772c

SHA512
0350786f37af4b0abd59be2deeab1679031e800677eaa2691336bfbd50e05c5000ff3573e82fad28ba924a8bdc18402cf27363ec23a0630c061ee7ad52c1810a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-11-17.txt

Filesize
41B

MD5
9b34035f49b41c6570eabd93938f6d9a

SHA1
431432361dd3deaa06eb8a7031da2b489fbf8f0e

SHA256
3eac71cedb99b42276a8c5efbe5f522b2db2f737c24cdafd0b8e233b66cd42cf

SHA512
3a73d0aad4d7c07ebe8101042c66827664a39a24eb449c94d7564c12911f0bfd361c374abb20366f458b83969898509726df4c3c9be95f3914b48799957b6d1a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-11-17.txt

Filesize
29B

MD5
beeee0c05632c572484e90ff57994a29

SHA1
1ca5c1dc3b318b56162aa2eb49d43dd4cf2ae841

SHA256
a0962c700a11a232386ceac135e0343d6aca311ff0cceb75556e0c45fb8fc527

SHA512
caed1d80812a0eb2ec34e117d0424eabb4d2128fa58d5c77dda5fc25458a47cf43719d98a36d1f5007b22bc546a76f1531de4006d0e49807d697b43d0e4fefdc

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads