Analysis
-
max time kernel
149s -
max time network
155s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
23-11-2024 01:26
General
-
Target
голые фото.apk
-
Size
4.2MB
-
MD5
d3c9ff78acd0d1852fa2431aa735b4bb
-
SHA1
1630b2dbbdc42c6c9bdf18ab8a062c946cd4b762
-
SHA256
d9092bf5bfa631044fd1392fdf988ac5e5dffa2384202d6e7f6e6760fc5dde0b
-
SHA512
419a529305403ea80fafa344db6b48dc02423dcf2c08d1d8b62e699f69e7dc635c8b8770ca4af1277db39e81bc40e0b4cf00aa22b53b4fc9a0d58cb45658e8ca
-
SSDEEP
98304:yKukrQKBHMmuLd2QLuBnGOSyMwBqIGRoorkGT:tQKBHMmuLd2QegRoorh
Malware Config
Signatures
-
Spynote
Spynote is a Remote Access Trojan first seen in 2017.
-
Spynote family
-
Spynote payload 2 IoCs
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Acquires the wake lock 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes
-
cet.syndrome.springfield1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/cet.syndrome.springfield/app_mph_dex/apk.crazy-v1.AndroidManifest.xml --output-vdex-fd=41 --oat-fd=43 --oat-location=/data/user/0/cet.syndrome.springfield/app_mph_dex/oat/x86/apk.crazy-v1.AndroidManifest.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.1MB
MD523e84a23dbe7b2cef8604967af63544e
SHA106d9fd8f5e00541bee5ebb54f7c077cb85bd5ce3
SHA256c717af7452d721a9aae9c524123d0dd6b3f868b6cc728b1e8dfeea0e16f67393
SHA5128e1edaa52757a978fad0b70a5f557b3d960dcd2cfbc054e6706a275350aefd1159c9d5845fb12c87f5d5a7697d4c0a84379cad6513a5be80e314a69c7f37d490
-
Filesize
5.1MB
MD54db1a002874dd8927cb8e945565df9eb
SHA1dd6054eea8495e6edb6b9ff0f95c06c9f32c8f19
SHA2568a07447f8d703b936a07fb7011b8ffd2321c01fa9cec6854737c6a064b83c31f
SHA512df54971396c9e216056c79c1cb2406cb36e5446b83e77b2e8736d924f6dd2fa829bffe49e848c077cbf2845d352a4f0745101389a2efa290dbb7e8e5b42eead3
-
Filesize
33B
MD537cb3705cf20c68a8743db76149647b7
SHA1dff55dccaac34ffe2524e859ba6b34b101902b76
SHA25678768ebc63f648e099a82af4e815a4ab5ee24eb7dd691fc01f08f2dee4a5f28f
SHA512704a535123c02fb3f8785fbfd8d3fcfcff11dfbe58925804af221cc772f0460c68d7c040ed8048cd0315868eaedd2bdbbbc08f7c40edc100c410729daed618ad
-
Filesize
57B
MD52e1865de2ab45ba79ac4ad4ceb814756
SHA134a0fdb562c84bcbc51169d1df5a39507c87a805
SHA25636aa689db819e820ae26addcf57c60a382348e7be88e802e29fcb43697d67e1d
SHA512700c70d55cd33842421de8cc1f2aa1d0f99455ea8f7cb5fbfbcd1ca9e42be600b623354e54910048461c7264803b48cb3ce31d67d6bba564bf5b0c240ddbdd7a
-
Filesize
25B
MD518cd27e3004a3fe21cad6e7f4aaa4f64
SHA18f34ed926f40e1b5c4fd6b78d35ffc71158a5861
SHA256fb6db2a259767a0ea1ad8f6dbfc2454a95a48f958d748956146f1184a85d3902
SHA51240c8443ee9c9ea7f94105aff7221a683f6c6ef3a6c9cc01f379d8cfde3d34fa2e6aa85bc1fe8e41f8c4d9bef62c7ccc5472994e2a3f8c8a2a73bc719fb105357
-
Filesize
33B
MD5021f287551cfa5a3000feb5752856a0e
SHA10c6f8daee3ab8649f329eea922561f2c0a48dc2b
SHA25616058ae6ff106cc403b2f355bfe17521cba95d6ac18c08a23347c9fa64aea6fc
SHA512893bc5ed9bd15685467bbb16313ac1b698e29320f7c5edaaa69e6120c5a2e66e22d3a5d64a6f0676eb9c3490537c0f09371db0879678f7e391fddd244a934a54
-
Filesize
25B
MD580be1dd284fc63f6809aedd06a0b15c3
SHA196d3017466e63b79237ebdf3d0887b782be15c3c
SHA2568d9bf0e7c6a17e799750b11aadd067d1ef247babcfe34c00b477a381552f559e
SHA512e4a17a38db8c5d4eacca414847e6433b1c74a1eaa73e68d7fc905e11e5e9c417afbeb72a608a3ce113c36440fe7f5ea0cd891254122f37541476d9bde2fb51b4