Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
21-11-2024 14:16
General
-
Target
02a9c69abd2b84f237567840cf932015.apk
-
Size
4.4MB
-
MD5
02a9c69abd2b84f237567840cf932015
-
SHA1
02451c70253c3b373aa2261d6824607dbc57292e
-
SHA256
8d2c41d04ad5943af582978fa56ae89bac45e89f4360eec82ca576ce15a8a966
-
SHA512
82795610867f3b308377979b2e15fe7bb0002d04a574c863be5b66b8b59e07ab9efd37d3402d1bd8efbeeced42dabbfd2fbc95e863233b791d0a5955d7ee4303
-
SSDEEP
98304:VIrEl4bxLLfhLIIx9GCAPovTD8DQnOEh0JhFfofNLY6aZvYSHc:arEgx350EiPRDIBfIYSHc
Malware Config
Signatures
-
Spynote
Spynote is a Remote Access Trojan first seen in 2017.
-
Spynote family
-
Spynote payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.Turtle.Jewel1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.2MB
MD58b5bfe771e4df1497134d657ecd0df1e
SHA1872096bbd45fb94305ea850bf7c71c818d87424b
SHA256f52640e89083cf9237bf146b365c7270bae788178c9d8e1bd59e544e36fcf44c
SHA5129b5e6658da6dc40a417fbe9ac33ed051fa25e8dc9e90b03aba7703923dc37b9f356773747c755dee84d5b36a88c27a084bc88e7daeea4d6a9930594f21e85474
-
Filesize
13B
MD5de2c41a51ee9246eb1708f65b511add0
SHA12f442d634c8a18760a232c8829d4b5d74a52f074
SHA256ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA5127cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a
-
Filesize
25B
MD5835bacc70a60566ad2a535a3fa797547
SHA13cd9fb653ede2e2a3af1f4757e81bd59311d1e99
SHA2561e81346ba3b559e817727155a232eec28a7bf298ee0bf38b4151991870d038bc
SHA512fca254d8f1e3ecc03e2e95c43e503f5e40cf207d677d42bdfb1d5e0924dcd05df19c28ea09ed535b4462aad3155544364fb6eaed706195f3cdef0eb4b12b85a9
-
Filesize
25B
MD5bdb821a955117250611e94cd23842584
SHA181edcea1b44f94cfc140710c8410d0696b760c67
SHA256076eb89055ff3d929eb732e1002a0105652e628682a741151388ce1df3b6ec9d
SHA512e52ffed4ee84acc414c530c239c8876d9e99c1f2b2c7626c0ed7fbe0c59b9cb8f8a5e9e983541bea3dfdb849dd3b9593df054c2482ed8bcda7c70ebd960ca268