spynote | 20145891698[.]zip

General

Target

20145891698.zip
Size

5.3MB
MD5

8c5896bf736a69d76f0cf756c79d2233
SHA1

e6507976d3d3512b4203387ed9cb292a7161ec37
SHA256

ea7b0feda556abd530a52fee4efef53ebcc0cb5beec358bf4d8a3ecd3d002036
SHA512

0aa652694c402d8a600db4246b5108f113cbb8703710f86889d7f39320091eaedb9643432bcc8b0d23757cddbc5fc2039d375521b5a081b2e4a7b71c6395a498
SSDEEP

98304:e5ExV4W3FQ7OVCcU6v1vg3fc8/0DmVb7G+IgxZaBcbK6J2dzta6NeZZeQi1ZptW5:aExV4PgCh6v14cwzJyLgxZaB0K6JsZJ0

Score

10^/10

spynote

Malware Config

Extracted

Family

spynote

C2

1.tcp.ngrok.io:26423

Signatures

Spynote family
spynote

Spynote payload 1 IoCs

resource	yara_rule
static1/unpack002/app.apk	family_spynote

Declares broadcast receivers with permission to handle system events 1 IoCs

description	ioc
Required by device admin receivers to bind with the system. Allows apps to manage device administration features.	android.permission.BIND_DEVICE_ADMIN

Declares services with permission to bind to the system 1 IoCs

description	ioc
Required by VPN services to bind with the system. Allows apps to provision VPN services.	android.permission.BIND_VPN_SERVICE

Requests dangerous framework permissions 1 IoCs

description	ioc
Allows an application to request installing packages.	android.permission.REQUEST_INSTALL_PACKAGES

Files

20145891698.zip
.zip

Password: infected
96c00e172d4052285950f64a329efb32365fc3e93b5535a84ddfcc715aff5618
.apk android

Password: infected

com.appd.instll.load

us.leaf3stones.myapkinstaller.MainActivity

Activities

us.leaf3stones.myapkinstaller.MainActivity

android.intent.action.MAIN

Permissions

android.permission.ACCESS_NETWORK_STATE
android.permission.REQUEST_INSTALL_PACKAGES
android.permission.QUERY_ALL_PACKAGES

Receivers

Services
app.apk
.apk android

Password: infected

utc.interests.sq

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Mai_fa8cpw3desfw97agwiab6_y

Activities

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Mai_fa8cpw3desfw97agwiab6_y

android.intent.action.CHOOSER
android.intent.action.MAIN
android.intent.action.VIEW
android.intent.action.SEND
android.intent.action.SEND_MULTIPLE
android.intent.action.PACKAGE_REMOVED
android.intent.action.PACKAGE_REPLACED
android.intent.action.PACKAGE_ADDED
android.intent.action.PACKAGE_CHANGED
com.ui.OnAlarmReceiver.ACTION_WIDGET_RECEIVER
com.android.vending.billing.InAppBillingService.COIN
com.android.vending.billing.InAppBillingService.COIO
com.android.vending.billing.InAppBillingService.LUCM
com.android.vending.billing.InAppBillingService.PROX
ir.cafebazaar.pardakht.InAppBillingService.BIND
ru.aaaaaaax.installer
com.nokia.payment.iapenabler.InAppBillingService.BIND
com.android.vending.billing.InAppBillingService.INST

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Ca_fa8cpw3desfw97agwiab6_ity

utc.interests.sq.xyz

Permissions

android.permission.SEND_SMS
android.permission.SET_WALLPAPER
android.permission.READ_SMS
android.permission.READ_CALL_LOG
android.permission.READ_CONTACTS
android.permission.GET_ACCOUNTS
android.permission.CAMERA
android.permission.RECORD_AUDIO
android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_FINE_LOCATION
android.permission.CALL_PHONE
android.permission.FOREGROUND_SERVICE
android.permission.READ_EXTERNAL_STORAGE
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.INTERNET
android.permission.SYSTEM_ALERT_WINDOW
android.permission.READ_PHONE_STATE
android.permission.WAKE_LOCK
com.android.alarm.permission.SET_ALARM
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_WIFI_STATE
android.permission.CHANGE_WIFI_STATE
android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
android.permission.REQUEST_INSTALL_PACKAGES
android.permission.REQUEST_DELETE_PACKAGES
android.permission.USE_FULL_SCREEN_INTENT

Receivers

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Cus_fa8cpw3desfw97agwiab6_iver

utc.interests.sq.RestartSensor

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Boo_fa8cpw3desfw97agwiab6_er

android.intent.action.BOOT_COMPLETED
android.intent.action.ACTION_BOOT_COMPLETED
android.intent.action.QUICKBOOT_POWERON
com.htc.intent.action.QUICKBOOT_POWERON
android.intent.action.REBOOT
android.intent.action.LOCKED_BOOT_COMPLETED
miui.intent.action.BOOT_COMPLETEDT

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Pac_fa8cpw3desfw97agwiab6_er

android.intent.action.PACKAGE_INSTALL
android.intent.action.PACKAGE_ADDED
android.intent.action.PACKAGE_REMOVED
android.intent.action.PACKAGE_ADDED
android.intent.action.PACKAGE_CHANGED
android.intent.action.MY_PACKAGE_REPLACED

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Scr_fa8cpw3desfw97agwiab6_verz

android.intent.action.SCREEN_ON
android.intent.action.SCREEN_OFF
android.intent.action.ACTION_POWER_CONNECTED
android.intent.action.ACTION_POWER_DISCONNECTED
android.intent.action.USER_PRESENT

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Da_fa8cpw3desfw97agwiab6_er

android.intent.action.DATE_CHANGED

utc.interests.rte_fa8cpw3desfw97agwiab6_wwef

android.app.action.DEVICE_ADMIN_ENABLED

Services

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Access_fa8cpw3desfw97agwiab6_Service

android.accessibilityservice.AccessibilityService

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Fe_fa8cpw3desfw97agwiab6_es

android.net.VpnService

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Ke_fa8cpw3desfw97agwiab6_e

android.view.InputMethod

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

com.appd.instll.load

us.leaf3stones.myapkinstaller.MainActivity

Activities

us.leaf3stones.myapkinstaller.MainActivity

Permissions

Receivers

Services

Password: infected

utc.interests.sq

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Mai_fa8cpw3desfw97agwiab6_y

Activities

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Mai_fa8cpw3desfw97agwiab6_y

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Ca_fa8cpw3desfw97agwiab6_ity

Permissions

Receivers

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Cus_fa8cpw3desfw97agwiab6_iver

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Boo_fa8cpw3desfw97agwiab6_er

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Pac_fa8cpw3desfw97agwiab6_er

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Scr_fa8cpw3desfw97agwiab6_verz

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Da_fa8cpw3desfw97agwiab6_er

utc.interests.rte_fa8cpw3desfw97agwiab6_wwef

Services

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Access_fa8cpw3desfw97agwiab6_Service

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Fe_fa8cpw3desfw97agwiab6_es

utc.interests.j2mkd2gqavqhensdjxb2h4wvwgbnarqgdagtnqjuh6ub1wxhug2.Ke_fa8cpw3desfw97agwiab6_e