Analysis
-
max time kernel
149s -
max time network
153s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
22-11-2024 22:05
Static task
static1
Behavioral task
behavioral1
Sample
8d1ac67589e235b1e0638b1fe1a60c0b5ef7f9ebc7739427816cc5e6613fc75a.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
8d1ac67589e235b1e0638b1fe1a60c0b5ef7f9ebc7739427816cc5e6613fc75a.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
8d1ac67589e235b1e0638b1fe1a60c0b5ef7f9ebc7739427816cc5e6613fc75a.apk
-
Size
1.8MB
-
MD5
5d5d8e3aabc4ceee5e7f04607966d517
-
SHA1
ee6d5da34b9a6ac883001bf0773a9c8aba5fce44
-
SHA256
8d1ac67589e235b1e0638b1fe1a60c0b5ef7f9ebc7739427816cc5e6613fc75a
-
SHA512
6e9e8a2443b6cfdde5b362d232dc141ba1ccf581d98cc202f1ba7c8f504756d0a87f7919d48816999a5865f8f6987f21844d70c7f372d20774b7e2c4f4cdeb3f
-
SSDEEP
24576:QNXeM9P6YJgCvFQWXQTD9vLggiVNGLNKB+AHAVEljfEqhKj7r6jxxjwUV2PmhRXd:OeyRJ99XQFlcGLNKHLNhKHPGRoP3MaEL
Malware Config
Extracted
spynote
rdp11013-33722.portmap.host:33722
Signatures
-
Spynote
Spynote is a Remote Access Trojan first seen in 2017.
-
Spynote family
-
pid Process 4219 joinso2.merchant.unity -
Loads dropped Dex/Jar 1 TTPs 14 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/joinso2.merchant.unity/files/arm/classes.dex 4219 joinso2.merchant.unity /data/user/0/joinso2.merchant.unity/files/arm/classes.dex 4277 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/joinso2.merchant.unity/files/arm/classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/joinso2.merchant.unity/files/arm/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/joinso2.merchant.unity/files/arm/classes.dex 4219 joinso2.merchant.unity /data/user/0/joinso2.merchant.unity/files/arm/classes2.dex 4219 joinso2.merchant.unity /data/user/0/joinso2.merchant.unity/files/arm/classes2.dex 4301 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/joinso2.merchant.unity/files/arm/classes2.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/joinso2.merchant.unity/files/arm/oat/x86/classes2.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/joinso2.merchant.unity/files/arm/classes2.dex 4219 joinso2.merchant.unity /data/user/0/joinso2.merchant.unity/files/arm/classes.dex 4219 joinso2.merchant.unity /data/user/0/joinso2.merchant.unity/files/arm/classes.dex 4219 joinso2.merchant.unity /data/user/0/joinso2.merchant.unity/files/arm/classes2.dex 4219 joinso2.merchant.unity /data/user/0/joinso2.merchant.unity/files/arm/classes2.dex 4219 joinso2.merchant.unity /data/user/0/joinso2.merchant.unity/files/arm/classes.dex 4219 joinso2.merchant.unity /data/user/0/joinso2.merchant.unity/files/arm/classes.dex 4219 joinso2.merchant.unity /data/user/0/joinso2.merchant.unity/files/arm/classes2.dex 4219 joinso2.merchant.unity /data/user/0/joinso2.merchant.unity/files/arm/classes2.dex 4219 joinso2.merchant.unity -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId joinso2.merchant.unity Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId joinso2.merchant.unity Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText joinso2.merchant.unity -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock joinso2.merchant.unity -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground joinso2.merchant.unity -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone joinso2.merchant.unity -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS joinso2.merchant.unity -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver joinso2.merchant.unity -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule joinso2.merchant.unity -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal joinso2.merchant.unity -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo joinso2.merchant.unity -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo joinso2.merchant.unity
Processes
-
joinso2.merchant.unity1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4219 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/joinso2.merchant.unity/files/arm/classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/joinso2.merchant.unity/files/arm/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4277
-
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/joinso2.merchant.unity/files/arm/classes2.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/joinso2.merchant.unity/files/arm/oat/x86/classes2.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4301
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5a1ce1dbea0d6be62dfb1f0657218e87c
SHA1ec41a3901dbfe0313500e53d4c640db37f3f4c8f
SHA256342248a0c36470d61c3ce8d4ac95bc3c89fefd1bf0c1f043e36e9c4a95790e13
SHA512bc500a01e3ad1bc7e468841fff23fcd290213262274f4e33891b23d1c8ea553d93717af89f41b002d2ddb42aca2d34e4fbdc8ddac8b9289a0bbaec61c98c9f3a
-
Filesize
505KB
MD59a52d39013f23b6c6d183de4d0fc4585
SHA1b2d5a1f480dac62f201d67e4ca5a647a2e1d2a93
SHA2561a9f781a91146201140088ae31b721faf0dbde64699152c8f9925fd6d8a5aeea
SHA512112413c1dfd2fde022639dfebf71953e550da982a74a26a682c325c12eca135a2111f7abdd2e967156f4d07eb508f6998caa50427ec6ac04f5d1c202eb9d5591
-
Filesize
678KB
MD597ab78000183a9c12eb0991aa4f3207c
SHA120d11bbe03c9465785351c6c6a3b8d664fdfd0e9
SHA256f8356340d8f9bb2c964976bb791db561eba2f5c32513c818ef2b66ab7fcc6b14
SHA5121411deca5d4b87faf62a8ee45eb9f7353da804a833450a706f72245640993401e0e4eb57162b2495e2c368eb37d48723c3256f34889e47952d0e465ad143ada9
-
Filesize
8B
MD518969c6e746a73b6b4741723dbf8a5ad
SHA13d12ae08e54f37680b376adc201d78ad03ddd74f
SHA256778dcb2c40b5f91aade4f367bf012f9ce6bed2fcfbf78ed8a232ff93b49c2032
SHA51235a676f76d7126b3291d91da916892b7340722881cfa6dc245b6c814046820c6f2ea70fd9068125de4e55a6831f5590bceca799054c912c5569583daf0c0d0af
-
Filesize
1.1MB
MD54dab78c3f46f6e660e04c34732bb3a39
SHA1a7b62798ffda03bcd85b6b84237dc2128539695a
SHA256dd7cfc66a3933f254fc5fbe1cea7584f9f9339c42c1132321d3b89d726a58ed0
SHA512185d8babf03e9b4a31ecb047150549fb3834dbf179291b7f5796868c943f5f07c40c072933ec08041cf9974dc0a954f383e3de3818f0da4164409ad92ebe611b
-
Filesize
505KB
MD5fb7d67d0238586fd3ab63f786214fc55
SHA11f150bb209ee26a75392b61dec48c1bec290c8dc
SHA25686fdb38d41feb257674107932d2725c1c505150533ace1d18e00aa7d5e266869
SHA512fece6175b4cfbd240abeff3f72b1852c1cb0f414fd0d60ebcb1efe910d050f9ff74e3dc667ba543731d3bdbb35fb9ff5cad2083907d4d34af1ea5b67d21cc27a
-
Filesize
36B
MD54e808387ee5b425f5b28c11c6b6b93fe
SHA195ab1992ec1813b42b91ce476cf2801a39fa3d30
SHA256cfaa2a856282ac66b66f6bb46c7383290327eb77868cbbdf235782321f50d7c7
SHA5120e8a08bdc43a6dd299a0a0fab1b3c14c24bdabf5eca66eeb93c6087ef51e5b769662263348de625d73cc39630ec50302e5eb148d6053c4889f9f285be27d18a9
-
Filesize
12B
MD5a9256f55737b655c8cff95418411997c
SHA1d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24
SHA256bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412
SHA51210d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574
-
Filesize
279B
MD5e070a4d3f222721f3ee4f43f0f01dda6
SHA15683a8e093c9c3f931d2748b8f8d8ae57a71eef1
SHA2568b63fe9ccbeeb3b97d2ceafe766b7954fcd4da2d055b4a221a3908b16970b662
SHA51208873d537b299d821e225c0b6b2b49a1607c46d401cd3aa40f092f8b9aa414ff0ade93807e211f122f6c174906c661159d10fe7880a5a59027497b012bfc6fec