Analysis

  • max time kernel: 60s
  • max time network: 156s
  • platform: android-11_x64
  • resource: android-x64-arm64-20240910-en
  • resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted: 22-11-2024 22:05

General

  • Target: 8d1ac67589e235b1e0638b1fe1a60c0b5ef7f9ebc7739427816cc5e6613fc75a.apk
  • Size: 1.8MB
  • MD5: 5d5d8e3aabc4ceee5e7f04607966d517
  • SHA1: ee6d5da34b9a6ac883001bf0773a9c8aba5fce44
  • SHA256: 8d1ac67589e235b1e0638b1fe1a60c0b5ef7f9ebc7739427816cc5e6613fc75a
  • SHA512: 6e9e8a2443b6cfdde5b362d232dc141ba1ccf581d98cc202f1ba7c8f504756d0a87f7919d48816999a5865f8f6987f21844d70c7f372d20774b7e2c4f4cdeb3f
  • SSDEEP: 24576:QNXeM9P6YJgCvFQWXQTD9vLggiVNGLNKB+AHAVEljfEqhKj7r6jxxjwUV2PmhRXd:OeyRJ99XQFlcGLNKHLNhKHPGRoP3MaEL

Malware Config

Extracted

  • Family: spynote
  • C2: rdp11013-33722.portmap.host:33722

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

  • Spynote family
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 12 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)

    The application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to continue running in the foreground.

  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    The application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • joinso2.merchant.unity (PID: 4771)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (might try to encrypt user data)
    • Checks CPU information
    • Checks memory information


Downloads

  • /data/user/0/joinso2.merchant.unity/files/arm/classes.dex
    Filesize: 1.1MB
    MD5: a1ce1dbea0d6be62dfb1f0657218e87c
    SHA1: ec41a3901dbfe0313500e53d4c640db37f3f4c8f
    SHA256: 342248a0c36470d61c3ce8d4ac95bc3c89fefd1bf0c1f043e36e9c4a95790e13
    SHA512: bc500a01e3ad1bc7e468841fff23fcd290213262274f4e33891b23d1c8ea553d93717af89f41b002d2ddb42aca2d34e4fbdc8ddac8b9289a0bbaec61c98c9f3a

  • /data/user/0/joinso2.merchant.unity/files/arm/classes2.dex
    Filesize: 505KB
    MD5: 9a52d39013f23b6c6d183de4d0fc4585
    SHA1: b2d5a1f480dac62f201d67e4ca5a647a2e1d2a93
    SHA256: 1a9f781a91146201140088ae31b721faf0dbde64699152c8f9925fd6d8a5aeea
    SHA512: 112413c1dfd2fde022639dfebf71953e550da982a74a26a682c325c12eca135a2111f7abdd2e967156f4d07eb508f6998caa50427ec6ac04f5d1c202eb9d5591

  • /data/user/0/joinso2.merchant.unity/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫
    Filesize: 678KB
    MD5: 97ab78000183a9c12eb0991aa4f3207c
    SHA1: 20d11bbe03c9465785351c6c6a3b8d664fdfd0e9
    SHA256: f8356340d8f9bb2c964976bb791db561eba2f5c32513c818ef2b66ab7fcc6b14
    SHA512: 1411deca5d4b87faf62a8ee45eb9f7353da804a833450a706f72245640993401e0e4eb57162b2495e2c368eb37d48723c3256f34889e47952d0e465ad143ada9

  • /data/user/0/joinso2.merchant.unity/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫.
    Filesize: 8B
    MD5: 18969c6e746a73b6b4741723dbf8a5ad
    SHA1: 3d12ae08e54f37680b376adc201d78ad03ddd74f
    SHA256: 778dcb2c40b5f91aade4f367bf012f9ce6bed2fcfbf78ed8a232ff93b49c2032
    SHA512: 35a676f76d7126b3291d91da916892b7340722881cfa6dc245b6c814046820c6f2ea70fd9068125de4e55a6831f5590bceca799054c912c5569583daf0c0d0af

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-22.txt
    Filesize: 24B
    MD5: f548d5d679221434c32628a7b73b2428
    SHA1: fa48d8b02c6eb88a5e7b0ad93534fe669fd080d3
    SHA256: 591c293f6c9bcad39e21cc6c7680cb144d46025b67fe4da5a10a233dc4e635da
    SHA512: f11f37807d536613797293bb6e876bd4a6158c6eb7a19332f1c24baaadcbb34c9971587256df543978a92c53fe8806a2b164be593d894d70acbed27d374d5cc7

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-22.txt
    Filesize: 279B
    MD5: c37da132c0cf334b280d61e67b2ac40c
    SHA1: 1072c5ca50663a336eb748cddbcc8fb32031a28b
    SHA256: 4479774abd058e114ca0af00a6e7da410cb65ab2ed77556eaef9cd71800ddb94
    SHA512: 9c3375263c9e5bd524aa128604c73f6f2865e0116b1473e5b48c315af003f4f1fc7388bfe7fb2b826356e504f1713897e3696a591cb55535100978a9a6e0c7a3

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-22.txt
    Filesize: 12B
    MD5: a9256f55737b655c8cff95418411997c
    SHA1: d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24
    SHA256: bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412
    SHA512: 10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574