Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    19/12/2024, 13:30

General

  • Target

    playstoreupdate.apk

  • Size

    6.0MB

  • MD5

    0826938525ff0f4f400488819d1e7dc7

  • SHA1

    f4f27d86869feba6d71857b9f6eb30e6763f2d89

  • SHA256

    7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15

  • SHA512

    2612805d2d6b1eb821d9735b2aa725f69da844a07e6764e6d9f487d7eabc7fc192237e9e9de2ef9400f68e5d8ad325a03e4b8abacb525d4ae449d3da3ed2c3bd

  • SSDEEP

    98304:8cNby5wATPnRa6x5MY/PmzlzBQ0tNTPKduE1ujRzEY0HEIw:L+fRd8/zjNyXudzfr

Malware Config

Extracted

Family

spynote

C2

178.255.218.228:8005

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

  • Spynote family
  • Spynote payload (2 IoCs)
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the active data network (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    The application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • samoa.broken.hose
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:4249
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/samoa.broken.hose/app_course/FmheFka.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/samoa.broken.hose/app_course/oat/x86/FmheFka.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4274
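The dex2oat child process above is ART compiling code the app loaded at runtime: its --dex-file argument is a .json file in the app's private app_course directory, which is the dropped Dex/Jar the signature refers to, and the compiled .odex is written back into the same directory. The following added example (not tria.ge code) parses that command line and classifies a payload by magic bytes instead of its extension, which is the check to run on any file dex2oat is asked to compile from app-private storage. The command line is copied from the process tree; the payload bytes and the helper names are constructed for illustration.

```python
import re
import shlex
from pathlib import PurePosixPath

# Command line copied from the process tree above (trailing '&' kept as-is).
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art "
    "--runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/samoa.broken.hose/app_course/FmheFka.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/samoa.broken.hose/app_course/oat/x86/FmheFka.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Constructed stand-in for the dropped file: a DEX header behind a .json name.
# The real FmheFka.json is not on this page; only its hashes are.
FAKE_DEX_PAYLOAD = b"dex\n035\x00" + bytes(60)

# App-private storage on Android: /data/user/<n>/<pkg>/ or its /data/data alias.
APP_DATA_RE = re.compile(r"^/data/(?:user/\d+|data)/([A-Za-z0-9_.]+)/")
CODE_EXTENSIONS = {".dex", ".jar", ".apk", ".zip", ".odex", ".vdex"}


def parse_dex2oat(cmdline):
    """Return {option: value} for each --key=value token. --runtime-arg takes
    its value from the following token and is collected into a list. A key
    given twice keeps the last value, as with --instruction-set-features here."""
    opts = {}
    tokens = shlex.split(cmdline)
    i = 1  # skip argv[0]
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--runtime-arg" and i + 1 < len(tokens):
            opts.setdefault("--runtime-arg", []).append(tokens[i + 1])
            i += 2
            continue
        key, sep, value = tok.partition("=")
        opts[key] = value if sep else True
        i += 1
    return opts


def classify_payload(data):
    """File-type guess from magic bytes only; the filename is never consulted."""
    if re.match(rb"dex\n\d{3}\x00", data[:8]):
        return "dex"
    if data.startswith(b"dey\n"):
        return "odex"
    if data.startswith(b"PK\x03\x04"):
        return "zip"  # jar/apk are zip containers
    if data.lstrip()[:1] in (b"{", b"["):
        return "json"
    return "unknown"


def owning_package(path):
    """Package name if the path lies in an app's private data directory."""
    m = APP_DATA_RE.match(path)
    return m.group(1) if m else None


def assess_dex2oat(cmdline, payload):
    """Findings an analyst would record for one dex2oat invocation, given the
    bytes of the file named by --dex-file."""
    opts = parse_dex2oat(cmdline)
    dex_file = opts.get("--dex-file", "")
    findings = []
    pkg = owning_package(dex_file)
    if pkg:
        findings.append(f"compiles code from private storage of {pkg}")
    ext = PurePosixPath(dex_file).suffix.lower()
    kind = classify_payload(payload)
    if kind in ("dex", "zip", "odex") and ext not in CODE_EXTENSIONS:
        findings.append(f"disguised {kind} payload: {dex_file} has extension {ext!r}")
    oat = opts.get("--oat-location", "")
    if pkg and owning_package(oat) == pkg:
        findings.append(f"optimized artifact written back into app dir: {oat}")
    return findings


if __name__ == "__main__":
    for line in assess_dex2oat(DEX2OAT_CMDLINE, FAKE_DEX_PAYLOAD):
        print(line)
```

The oat path is worth collecting on a live device: the .odex under app_course/oat/x86/ survives even if the dropper deletes the .json once it has been loaded.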

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/samoa.broken.hose/app_course/FmheFka.json

    Filesize

    1.5MB

    MD5

    d67d71ce26173f839317fcb7aab7a549

    SHA1

    71ee11c41ea3f0768b47a70ec25fec53b5064b31

    SHA256

    9178ecba48a68e3b5f4073225ab0986396d124560a97373099aec87974911037

    SHA512

    a5243d345bd6c65507c7241fb125f1b63744d17916c43ffed44697899b3ed1bef77002eef8937ac1746016fa6bbcf09ca2404d341bd0a8dd7fe4b79850e45d23

  • /data/data/samoa.broken.hose/app_course/FmheFka.json

    Filesize

    1.5MB

    MD5

    4bf457e5984f450f6ba58e8ab3b664aa

    SHA1

    b1b83fc054b27665ea786c2ffd4031bf68c3ce2f

    SHA256

    8fd0e02646c91b28dc2fe10bb9127f5c134ee0ce33952bb44547b207abedc6dd

    SHA512

    8f3031d90a8fc7d22b275f75a6509f3233f2bdce9444621d6c679601c4a428e068bee4aabb807640a929c337916ddefa4c29bede345d8595d3b91bf20d2408a8

  • /data/user/0/samoa.broken.hose/app_course/FmheFka.json

    Filesize

    3.3MB

    MD5

    e2dd03dd942239a7334973f58aaae185

    SHA1

    7ba68fa4b1daf6db25512c7d576c098f9a1017cb

    SHA256

    cb78fa365884b4155262da6e297c2e8112d0c0d93ae2ca8d0bff60dac1db4f90

    SHA512

    049f4eeed052d691e42b9985909844618c526ef8ee46f49abe8fb71805b2ab5d9f214b8a7c495fd215226b8d0fc8f5c808438d6d7077295b520a6bc1fd18f1ed

  • /data/user/0/samoa.broken.hose/app_course/FmheFka.json

    Filesize

    3.3MB

    MD5

    f9b565a9c3b6f390b2af177de72c423f

    SHA1

    aa77b1b8cf5856e7f8be0ef51c8ce2cfdf2f9d9b

    SHA256

    945661fe3aee21d95a031606d55ddbbb7f7afe916400f94fb982c2040ab57e6e

    SHA512

    9c8684201f5498362bf7e7a5c39a5286560c8198a4bde40da57e9cde5023b7dc1935bce1b738030b16b6c7d9a79800edbbf56b3ce98f186a4459f5a04a2e6da5

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-19.txt

    Filesize

    288B

    MD5

    959475312c1239df8490313f94ea9152

    SHA1

    8706f9a0d9f6d4ff8b40167400b49629daf33881

    SHA256

    38f8e643654ed7c94b5711174e2b806b03c9fdd87045faacfc4214a8c8bdfcbe

    SHA512

    923e066861cefe0c80a53cd674b74a40c5250712c37eae254f2930b73c46226d9d47877d0d9b2e4bc9301cd3596c1da2d4514c19ed41e23e8fdc6384883b1fe6

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-19.txt

    Filesize

    37B

    MD5

    0a4610dac6c5cf4ffbfc60b398c6c931

    SHA1

    739319d03a3ad32d2b7a10deb1a950b68998b363

    SHA256

    6e665f1d2d8d76372df135a1c6a1c185f503b45b861139b32468ce2b845947bc

    SHA512

    a957072732d92d5864aff4bf8c07dda5f0cfc7202e12aaf932e08fc5f098e3b39e58bb41725b6f0f76d20ba8da1dcafc389e06187677223c68970c9ae64ba5c2

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-19.txt

    Filesize

    37B

    MD5

    600eb86e12c0229ebc382da1b9e3ab47

    SHA1

    6b19a94f5575e33aeb98b73c02e3ec2afa8be614

    SHA256

    c20df23dbe426c91f69c95b99603bcd1aa118540842cb27e5a3e9ea221a09352

    SHA512

    401f213d0b66ae8da9fc454df84c58840f6945b55461d47f178df9ae39669398ea8401f2fdd123452f8d55c85a8abf661ac4d512a0be46cb11bb43956dc75e02

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-19.txt

    Filesize

    25B

    MD5

    ba30336bf53d54ed3c0ea69dd545de8c

    SHA1

    ce99c6724c75b93b7448e2d9fac16ca702a5711f

    SHA256

    2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

    SHA512

    eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e
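The Downloads list records the same path several times with different hashes because the sample rewrote FmheFka.json and the daily log file during the run, so a sweep has to carry every hash for the dropped dex rather than the first one, and the log file should be matched on path rather than content. The following added example (not tria.ge code) gathers the report's C2, package name, SHA256 values and log path into an IoC set and runs it over log lines; the log format and lines are constructed for illustration, and the hashes and C2 are copied from this page. A connection to the C2 host on a port other than 8005 is reported as a weaker `c2_host` hit rather than dropped.

```python
import re

# IoCs transcribed from this report; nothing here is inferred.
REPORT_IOCS = {
    "c2": {"178.255.218.228:8005"},
    "package": {"samoa.broken.hose"},
    "sha256": {
        # playstoreupdate.apk
        "7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15",
        # the four versions of app_course/FmheFka.json seen during the run
        "9178ecba48a68e3b5f4073225ab0986396d124560a97373099aec87974911037",
        "8fd0e02646c91b28dc2fe10bb9127f5c134ee0ce33952bb44547b207abedc6dd",
        "cb78fa365884b4155262da6e297c2e8112d0c0d93ae2ca8d0bff60dac1db4f90",
        "945661fe3aee21d95a031606d55ddbbb7f7afe916400f94fb982c2040ab57e6e",
    },
    # the log file's content changes per run, so match its location instead
    "path_prefix": {"/storage/emulated/0/Config/sys/apps/log/"},
}

# Constructed log lines in an invented key=value format (not tria.ge output).
SAMPLE_LOG = """\
2024-12-19T13:30:41Z pm install pkg=samoa.broken.hose apk=/data/app/playstoreupdate.apk sha256=7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15
2024-12-19T13:31:02Z conn src=10.0.0.5 dst=178.255.218.228 dport=8005 proto=tcp
2024-12-19T13:31:05Z conn src=10.0.0.5 dst=178.255.218.228 dport=443 proto=tcp
2024-12-19T13:31:20Z fs write path=/data/user/0/samoa.broken.hose/app_course/FmheFka.json sha256=cb78fa365884b4155262da6e297c2e8112d0c0d93ae2ca8d0bff60dac1db4f90
2024-12-19T13:31:30Z fs write path=/storage/emulated/0/Config/sys/apps/log/log-2024-12-19.txt sha256=38f8e643654ed7c94b5711174e2b806b03c9fdd87045faacfc4214a8c8bdfcbe
2024-12-19T13:32:00Z conn src=10.0.0.5 dst=8.8.8.8 dport=53 proto=udp
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT_RE = re.compile(r"(?:dport=|port=|:)(\d{1,5})\b")  # dport=8005, port=8005, ip:8005
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def match_line(line):
    """Return [(kind, ioc_value), ...] for every IoC that appears in one line."""
    hits = []
    ips = set(IPV4_RE.findall(line))
    ports = set(PORT_RE.findall(line))
    for c2 in REPORT_IOCS["c2"]:
        ip, port = c2.rsplit(":", 1)
        if ip in ips:
            # exact host:port is a C2 hit; host alone still deserves a look
            hits.append(("c2" if port in ports else "c2_host", c2))
    for digest in SHA256_RE.findall(line.lower()):
        if digest in REPORT_IOCS["sha256"]:
            hits.append(("sha256", digest))
    for pkg in REPORT_IOCS["package"]:
        if pkg in line:
            hits.append(("package", pkg))
    for prefix in REPORT_IOCS["path_prefix"]:
        if prefix in line:
            hits.append(("path_prefix", prefix))
    return hits


def scan_log(text):
    """Run match_line over every line; returns [(line_no, kind, value), ...]."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, value in match_line(line):
            results.append((n, kind, value))
    return results


if __name__ == "__main__":
    for n, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} {value}")
```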