spynote | d9092bf5bfa631044fd1392fdf988ac5e5dffa2384202d6e7f6e6760fc5dde0b

Resubmissions

23-11-2024 01:20

241123-bp9jcstqfz 10

23-11-2024 01:15

241123-bl91qatphz 6

Analysis

max time kernel
149s
max time network
160s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
23-11-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

голые фото.apk
Size

4.2MB
MD5

d3c9ff78acd0d1852fa2431aa735b4bb
SHA1

1630b2dbbdc42c6c9bdf18ab8a062c946cd4b762
SHA256

d9092bf5bfa631044fd1392fdf988ac5e5dffa2384202d6e7f6e6760fc5dde0b
SHA512

419a529305403ea80fafa344db6b48dc02423dcf2c08d1d8b62e699f69e7dc635c8b8770ca4af1277db39e81bc40e0b4cf00aa22b53b4fc9a0d58cb45658e8ca
SSDEEP

98304:yKukrQKBHMmuLd2QLuBnGOSyMwBqIGRoorkGT:tQKBHMmuLd2QegRoorh

Score

10^/10

spynote banker collection credential_access evasion execution infostealer persistence rat trojan

Malware Config

Signatures

Spynote
Spynote is a Remote Access Trojan first seen in 2017.
banker trojan infostealer rat spynote
Spynote family
spynote

Spynote payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_spynote

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/cet.syndrome.springfield/app_mph_dex/apk.crazy-v1.AndroidManifest.xml	4445	cet.syndrome.springfield
/data/user/0/cet.syndrome.springfield/app_mph_dex/apk.crazy-v1.AndroidManifest.xml	4445	cet.syndrome.springfield

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	cet.syndrome.springfield

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	cet.syndrome.springfield

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
27	8.tcp.eu.ngrok.io
90	8.tcp.eu.ngrok.io
147	8.tcp.eu.ngrok.io

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	cet.syndrome.springfield

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	cet.syndrome.springfield

cet.syndrome.springfield
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Schedules tasks to execute at a specified time
PID:4445

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/cet.syndrome.springfield/app_mph_dex/apk.crazy-v1.AndroidManifest.xml

Filesize
5.1MB

MD5
23e84a23dbe7b2cef8604967af63544e

SHA1
06d9fd8f5e00541bee5ebb54f7c077cb85bd5ce3

SHA256
c717af7452d721a9aae9c524123d0dd6b3f868b6cc728b1e8dfeea0e16f67393

SHA512
8e1edaa52757a978fad0b70a5f557b3d960dcd2cfbc054e6706a275350aefd1159c9d5845fb12c87f5d5a7697d4c0a84379cad6513a5be80e314a69c7f37d490

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-11-23.txt

Filesize
33B

MD5
021f287551cfa5a3000feb5752856a0e

SHA1
0c6f8daee3ab8649f329eea922561f2c0a48dc2b

SHA256
16058ae6ff106cc403b2f355bfe17521cba95d6ac18c08a23347c9fa64aea6fc

SHA512
893bc5ed9bd15685467bbb16313ac1b698e29320f7c5edaaa69e6120c5a2e66e22d3a5d64a6f0676eb9c3490537c0f09371db0879678f7e391fddd244a934a54

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-11-23.txt

Filesize
13B

MD5
de2c41a51ee9246eb1708f65b511add0

SHA1
2f442d634c8a18760a232c8829d4b5d74a52f074

SHA256
ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab

SHA512
7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-11-23.txt

Filesize
25B

MD5
80be1dd284fc63f6809aedd06a0b15c3

SHA1
96d3017466e63b79237ebdf3d0887b782be15c3c

SHA256
8d9bf0e7c6a17e799750b11aadd067d1ef247babcfe34c00b477a381552f559e

SHA512
e4a17a38db8c5d4eacca414847e6433b1c74a1eaa73e68d7fc905e11e5e9c417afbeb72a608a3ce113c36440fe7f5ea0cd891254122f37541476d9bde2fb51b4

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads