Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted
    19-12-2024 13:30

General

  • Target

    playstoreupdate.apk

  • Size

    6.0MB

  • MD5

    0826938525ff0f4f400488819d1e7dc7

  • SHA1

    f4f27d86869feba6d71857b9f6eb30e6763f2d89

  • SHA256

    7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15

  • SHA512

    2612805d2d6b1eb821d9735b2aa725f69da844a07e6764e6d9f487d7eabc7fc192237e9e9de2ef9400f68e5d8ad325a03e4b8abacb525d4ae449d3da3ed2c3bd

  • SSDEEP

    98304:8cNby5wATPnRa6x5MY/PmzlzBQ0tNTPKduE1ujRzEY0HEIw:L+fRd8/zjNyXudzfr

Malware Config

  • Extracted

    Family: spynote

    C2: 178.255.218.228:8005

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

  • Spynote family
  • Spynote payload (1 IoCs)
  • Removes its main activity from the application launcher (1 TTPs, 1 IoCs)
  • Loads dropped Dex/Jar (1 TTPs, 1 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
  • Acquires the wake lock (1 IoCs)
  • Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about active data network (1 TTPs, 1 IoCs)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  • Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • samoa.broken.hose (PID 4966)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time


Downloads

  • /data/data/samoa.broken.hose/app_course/FmheFka.json

    Filesize

    1.5MB

  • /data/data/samoa.broken.hose/app_course/FmheFka.json

    Filesize

    1.5MB

  • /data/user/0/samoa.broken.hose/app_course/FmheFka.json

    Filesize

    3.3MB

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-19.txt

    Filesize

    37B

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-19.txt

    Filesize

    37B

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-19.txt

    Filesize

    25B

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-19.txt

    Filesize

    288B