Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240624-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    22-11-2024 22:05

General

  • Target

    8d1ac67589e235b1e0638b1fe1a60c0b5ef7f9ebc7739427816cc5e6613fc75a.apk

  • Size

    1.8MB

  • MD5

    5d5d8e3aabc4ceee5e7f04607966d517

  • SHA1

    ee6d5da34b9a6ac883001bf0773a9c8aba5fce44

  • SHA256

    8d1ac67589e235b1e0638b1fe1a60c0b5ef7f9ebc7739427816cc5e6613fc75a

  • SHA512

    6e9e8a2443b6cfdde5b362d232dc141ba1ccf581d98cc202f1ba7c8f504756d0a87f7919d48816999a5865f8f6987f21844d70c7f372d20774b7e2c4f4cdeb3f

  • SSDEEP

    24576:QNXeM9P6YJgCvFQWXQTD9vLggiVNGLNKB+AHAVEljfEqhKj7r6jxxjwUV2PmhRXd:OeyRJ99XQFlcGLNKHLNhKHPGRoP3MaEL

Malware Config

Extracted

Family

spynote

C2

rdp11013-33722.portmap.host:33722
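The C2 above is a hostname on portmap.host, a public port-forwarding service, which lets the operator run the SpyNote panel behind NAT; the forwarded port (33722) appears both in the hostname and as the connection port. As an added example, not part of the sandbox report, the detection below runs over constructed DNS and connection log lines: it matches the exact extracted indicator and, at lower fidelity, any hostname of the same `<label>-<port>.portmap.host` shape. The log format and that generic pattern (inferred from this single indicator) are assumptions of the example.

```python
"""Detection logic for the extracted C2, run over constructed log lines (added
example, not part of the report). The C2 host and port are the report's; the log
line format and the generic portmap.host pattern are assumptions of this example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

C2_HOST = "rdp11013-33722.portmap.host"
C2_PORT = 33722

# Assumed shape of a portmap.host tunnel hostname: the forwarded port follows the
# last '-' of the first label, as in the observed indicator.
PORTMAP_RE = re.compile(r"^(?P<label>[a-z0-9-]+?)-(?P<port>\d{2,5})\.portmap\.host$")
# Hostnames appear in the constructed logs as key=value tokens.
HOST_RE = re.compile(r"(?:query|sni|host)=([A-Za-z0-9.-]+)")

# Constructed sample lines (Zeek-like dns and conn records); 203.0.113.0/24 is a
# documentation range, not a real C2 address.
SAMPLE_LOGS = [
    "dns  src=10.0.0.12 query=rdp11013-33722.portmap.host type=A",
    "dns  src=10.0.0.12 query=play.googleapis.com type=A",
    "conn src=10.0.0.12:50112 dst=203.0.113.20:33722 sni=rdp11013-33722.portmap.host",
    "dns  src=10.0.0.7 query=backup77-2222.portmap.host type=A",
    "dns  src=10.0.0.9 query=portmap.host type=A",
]


@dataclass
class Hit:
    line: str
    host: str
    verdict: str               # "known_c2" or "portmap_tunnel"
    tunnel_port: Optional[int]


def classify_host(host: str) -> Tuple[Optional[str], Optional[int]]:
    """Exact match on the extracted IOC first, then the generic tunnel pattern."""
    h = host.lower().rstrip(".")
    if h == C2_HOST:
        return "known_c2", C2_PORT
    m = PORTMAP_RE.match(h)
    if m:
        return "portmap_tunnel", int(m.group("port"))
    return None, None


def scan(lines: List[str]) -> List[Hit]:
    """Return one Hit per matching hostname token; the apex domain alone is not a hit."""
    hits = []
    for line in lines:
        for host in HOST_RE.findall(line):
            verdict, port = classify_host(host)
            if verdict:
                hits.append(Hit(line, host.lower(), verdict, port))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit.verdict:15} {hit.host} port={hit.tunnel_port}")
```

Treat the exact-host match as high fidelity and the generic portmap.host match as a pivot: the service has legitimate users, so a `portmap_tunnel` hit on its own warrants checking whether the querying device also talks to the embedded port.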

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

  • Spynote family
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 14 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • joinso2.merchant.unity
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4219
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/joinso2.merchant.unity/files/arm/classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/joinso2.merchant.unity/files/arm/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4277
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/joinso2.merchant.unity/files/arm/classes2.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/joinso2.merchant.unity/files/arm/oat/x86/classes2.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4301
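The two dex2oat children compile `classes.dex` and `classes2.dex` from the app's own files directory, not from the APK: the real payload was written to disk at runtime and then loaded, which is what the "Loads dropped Dex/Jar" signature records. On Android `/data/data` is a symlink to `/data/user/0`, so the `classes.dex` entries listed below under both prefixes are the same file, captured with different content at two points in the run. The following triage helper is an added example (this editor's code, not the sandbox's) that types a dropped file by its magic bytes regardless of its obfuscated name, parses and verifies the standard 0x70-byte DEX header (adler32 checksum over bytes 12..end, SHA-1 over bytes 32..end, file_size), and folds the two path prefixes together to flag files rewritten during the run. All DEX bytes it handles are constructed in code; only the paths and SHA-256 values are taken from this report.

```python
"""Triage of files a sample drops and then loads (added example, not report tooling).
Header layout follows the AOSP DEX format; sample bytes are constructed here."""
import hashlib
import re
import struct
import zlib
from collections import defaultdict

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
HEADER_FIELDS = (
    "link_size", "link_off", "map_off", "string_ids_size", "string_ids_off",
    "type_ids_size", "type_ids_off", "proto_ids_size", "proto_ids_off",
    "field_ids_size", "field_ids_off", "method_ids_size", "method_ids_off",
    "class_defs_size", "class_defs_off", "data_size", "data_off",
)


def classify_magic(data: bytes) -> str:
    """Type a dropped file by content; an obfuscated name carries no information."""
    if data[:4] == b"dex\n" and data[7:8] == b"\x00":
        return "dex"
    if data[:4] == b"dey\n":
        return "odex"
    if data[:4] == b"PK\x03\x04":
        return "zip"          # jar/apk wrapper around classes*.dex
    if data[:4] == b"\x7fELF":
        return "elf"
    return "unknown"


def parse_dex_header(data: bytes) -> dict:
    if len(data) < DEX_HEADER_SIZE or classify_magic(data) != "dex":
        raise ValueError("not a DEX file")
    hdr = {"version": data[4:7].decode("ascii")}
    hdr["checksum"] = struct.unpack_from("<I", data, 8)[0]
    hdr["signature"] = data[12:32]
    hdr["file_size"], hdr["header_size"], hdr["endian_tag"] = struct.unpack_from("<III", data, 32)
    hdr.update(zip(HEADER_FIELDS, struct.unpack_from("<17I", data, 44)))
    return hdr


def verify_dex(data: bytes) -> dict:
    """Recompute the header's integrity fields; a mismatch means the file was
    patched after build or only carries a DEX magic."""
    hdr = parse_dex_header(data)
    return {
        "version": hdr["version"],
        "checksum_ok": zlib.adler32(data[12:]) & 0xFFFFFFFF == hdr["checksum"],
        "signature_ok": hashlib.sha1(data[32:]).digest() == hdr["signature"],
        "size_ok": hdr["file_size"] == len(data),
        "endian_ok": hdr["endian_tag"] == ENDIAN_CONSTANT,
        "header_ok": hdr["header_size"] == DEX_HEADER_SIZE,
    }


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Header-only DEX with consistent checksum and signature (constructed input)."""
    buf = bytearray(DEX_HEADER_SIZE)
    buf[0:8] = b"dex\n" + version + b"\x00"
    struct.pack_into("<III", buf, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    buf[12:32] = hashlib.sha1(bytes(buf[32:])).digest()            # SHA-1 covers 32..end
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])))  # adler32 covers 12..end
    return bytes(buf)


def canonical_path(path: str) -> str:
    """/data/data/<pkg>/... and /data/user/0/<pkg>/... name the same file."""
    return re.sub(r"^/data/data/", "/data/user/0/", path)


def rewritten_files(records):
    """Group (path, sha256) records by canonical path and return the paths whose
    content hash differs between captures, i.e. files rewritten during the run."""
    seen = defaultdict(set)
    for path, sha256 in records:
        seen[canonical_path(path)].add(sha256)
    return sorted(p for p, hashes in seen.items() if len(hashes) > 1)


# The classes.dex entries from this report's Downloads list (paths and hashes only).
REPORT_RECORDS = [
    ("/data/data/joinso2.merchant.unity/files/arm/classes.dex",
     "342248a0c36470d61c3ce8d4ac95bc3c89fefd1bf0c1f043e36e9c4a95790e13"),
    ("/data/user/0/joinso2.merchant.unity/files/arm/classes.dex",
     "dd7cfc66a3933f254fc5fbe1cea7584f9f9339c42c1132321d3b89d726a58ed0"),
]

if __name__ == "__main__":
    good = build_minimal_dex()
    print(classify_magic(good), verify_dex(good))
    tampered = bytearray(good)
    tampered[0x6C] ^= 0x01          # flip one bit in data_off, after the signature
    print(verify_dex(bytes(tampered)))
    print(rewritten_files(REPORT_RECORDS))
```

Run `classify_magic` over every dropped file first; the 678KB blob under the Arabic-diacritic directory chain is worth typing this way before assuming it is a DEX, a ZIP or an encrypted payload. A DEX whose checksum and signature both fail has usually been hand-patched or re-encrypted in place, which changes how you pick the sample up for static analysis.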

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/joinso2.merchant.unity/files/arm/classes.dex

    Filesize

    1.1MB

    MD5

    a1ce1dbea0d6be62dfb1f0657218e87c

    SHA1

    ec41a3901dbfe0313500e53d4c640db37f3f4c8f

    SHA256

    342248a0c36470d61c3ce8d4ac95bc3c89fefd1bf0c1f043e36e9c4a95790e13

    SHA512

    bc500a01e3ad1bc7e468841fff23fcd290213262274f4e33891b23d1c8ea553d93717af89f41b002d2ddb42aca2d34e4fbdc8ddac8b9289a0bbaec61c98c9f3a

  • /data/data/joinso2.merchant.unity/files/arm/classes2.dex

    Filesize

    505KB

    MD5

    9a52d39013f23b6c6d183de4d0fc4585

    SHA1

    b2d5a1f480dac62f201d67e4ca5a647a2e1d2a93

    SHA256

    1a9f781a91146201140088ae31b721faf0dbde64699152c8f9925fd6d8a5aeea

    SHA512

    112413c1dfd2fde022639dfebf71953e550da982a74a26a682c325c12eca135a2111f7abdd2e967156f4d07eb508f6998caa50427ec6ac04f5d1c202eb9d5591

  • /data/data/joinso2.merchant.unity/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫

    Filesize

    678KB

    MD5

    97ab78000183a9c12eb0991aa4f3207c

    SHA1

    20d11bbe03c9465785351c6c6a3b8d664fdfd0e9

    SHA256

    f8356340d8f9bb2c964976bb791db561eba2f5c32513c818ef2b66ab7fcc6b14

    SHA512

    1411deca5d4b87faf62a8ee45eb9f7353da804a833450a706f72245640993401e0e4eb57162b2495e2c368eb37d48723c3256f34889e47952d0e465ad143ada9

  • /data/data/joinso2.merchant.unity/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫.

    Filesize

    8B

    MD5

    18969c6e746a73b6b4741723dbf8a5ad

    SHA1

    3d12ae08e54f37680b376adc201d78ad03ddd74f

    SHA256

    778dcb2c40b5f91aade4f367bf012f9ce6bed2fcfbf78ed8a232ff93b49c2032

    SHA512

    35a676f76d7126b3291d91da916892b7340722881cfa6dc245b6c814046820c6f2ea70fd9068125de4e55a6831f5590bceca799054c912c5569583daf0c0d0af

  • /data/user/0/joinso2.merchant.unity/files/arm/classes.dex

    Filesize

    1.1MB

    MD5

    4dab78c3f46f6e660e04c34732bb3a39

    SHA1

    a7b62798ffda03bcd85b6b84237dc2128539695a

    SHA256

    dd7cfc66a3933f254fc5fbe1cea7584f9f9339c42c1132321d3b89d726a58ed0

    SHA512

    185d8babf03e9b4a31ecb047150549fb3834dbf179291b7f5796868c943f5f07c40c072933ec08041cf9974dc0a954f383e3de3818f0da4164409ad92ebe611b

  • /data/user/0/joinso2.merchant.unity/files/arm/classes2.dex

    Filesize

    505KB

    MD5

    fb7d67d0238586fd3ab63f786214fc55

    SHA1

    1f150bb209ee26a75392b61dec48c1bec290c8dc

    SHA256

    86fdb38d41feb257674107932d2725c1c505150533ace1d18e00aa7d5e266869

    SHA512

    fece6175b4cfbd240abeff3f72b1852c1cb0f414fd0d60ebcb1efe910d050f9ff74e3dc667ba543731d3bdbb35fb9ff5cad2083907d4d34af1ea5b67d21cc27a

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-22.txt

    Filesize

    36B

    MD5

    4e808387ee5b425f5b28c11c6b6b93fe

    SHA1

    95ab1992ec1813b42b91ce476cf2801a39fa3d30

    SHA256

    cfaa2a856282ac66b66f6bb46c7383290327eb77868cbbdf235782321f50d7c7

    SHA512

    0e8a08bdc43a6dd299a0a0fab1b3c14c24bdabf5eca66eeb93c6087ef51e5b769662263348de625d73cc39630ec50302e5eb148d6053c4889f9f285be27d18a9

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-22.txt

    Filesize

    12B

    MD5

    a9256f55737b655c8cff95418411997c

    SHA1

    d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24

    SHA256

    bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412

    SHA512

    10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-22.txt

    Filesize

    279B

    MD5

    e070a4d3f222721f3ee4f43f0f01dda6

    SHA1

    5683a8e093c9c3f931d2748b8f8d8ae57a71eef1

    SHA256

    8b63fe9ccbeeb3b97d2ceafe766b7954fcd4da2d055b4a221a3908b16970b662

    SHA512

    08873d537b299d821e225c0b6b2b49a1607c46d401cd3aa40f092f8b9aa414ff0ade93807e211f122f6c174906c661159d10fe7880a5a59027497b012bfc6fec