Analysis
-
max time kernel
8s -
max time network
588s -
platform
android_x64 -
resource
android-x64-arm64-20240624-es -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-eslocale:es-esos:android-11-x64system -
submitted
03-12-2024 12:55
Behavioral task
behavioral1
Sample
96c00e172d4052285950f64a329efb32365fc3e93b5535a84ddfcc715aff5618.apk
Resource
android-x64-arm64-20240624-es
Behavioral task
behavioral2
Sample
96c00e172d4052285950f64a329efb32365fc3e93b5535a84ddfcc715aff5618.apk
Resource
android-33-x64-arm64-20240624-es
General
-
Target
96c00e172d4052285950f64a329efb32365fc3e93b5535a84ddfcc715aff5618.apk
-
Size
5.3MB
-
MD5
39bdbdf74aa19384e2188763162096b0
-
SHA1
baffba739efa0f36b820445a20dfaccc9e3ac4f9
-
SHA256
96c00e172d4052285950f64a329efb32365fc3e93b5535a84ddfcc715aff5618
-
SHA512
9170a7f2aa4b57e1d0795c7e8caacb34e03fb08817c6f8e0ca547f2dc93991ccc94bb07f68c28bf63a33d10ae9bbc50776fece66b646edf1ce3538254f99c49c
-
SSDEEP
98304:/LI2MRcJI0G58SuyXdYaTHf/Yuezen31F2GcXKfZOyXCf8PdvQ:/LqRw/G2stHTHf/ezqz2GcXHyXWAQ
Malware Config
Extracted
spynote
1.tcp.ngrok.io:26423
Signatures
-
Spynote
Spynote is a Remote Access Trojan first seen in 2017.
-
Spynote family
-
Spynote payload 1 IoCs
resource yara_rule behavioral1/files/fstream-1.dat family_spynote -
Declares broadcast receivers with permission to handle system events 1 IoCs
description ioc Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN -
Declares services with permission to bind to the system 3 IoCs
description ioc Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE Required by VPN services to bind with the system. Allows apps to provision VPN services. android.permission.BIND_VPN_SERVICE Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). android.permission.BIND_INPUT_METHOD -
Requests dangerous framework permissions 15 IoCs
description ioc Allows an application to send SMS messages. android.permission.SEND_SMS Allows an application to read SMS messages. android.permission.READ_SMS Allows an application to read the user's call log. android.permission.READ_CALL_LOG Allows an application to read the user's contacts data. android.permission.READ_CONTACTS Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS Required to be able to access the camera device. android.permission.CAMERA Allows an application to record audio. android.permission.RECORD_AUDIO Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.5MB
MD5a0d8a46bf254f3ab5475df954e051c4a
SHA1e462168dad636e41a672c8796b1bc2dae7ed3ef0
SHA256a4e6b5da2e3ff0aeba40b078e64e3062915cbbd243830078b1af5c419f9df3b9
SHA512eff19dd00daaeb28cc94c023fcba6edf5691be6a6485efc9b113bf89918eb4d117bea9277eaaa5f61dadb3bf25bd58fe13be121e30967ac3b9c93300feed1d69