Analysis

  • max time kernel: 149s
  • max time network: 152s
  • platform: android-11_x64
  • resource: android-x64-arm64-20240910-en
  • resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted: 19/12/2024, 13:30

General

  • Target: playstoreupdate.apk
  • Size: 6.0MB
  • MD5: 0826938525ff0f4f400488819d1e7dc7
  • SHA1: f4f27d86869feba6d71857b9f6eb30e6763f2d89
  • SHA256: 7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15
  • SHA512: 2612805d2d6b1eb821d9735b2aa725f69da844a07e6764e6d9f487d7eabc7fc192237e9e9de2ef9400f68e5d8ad325a03e4b8abacb525d4ae449d3da3ed2c3bd
  • SSDEEP: 98304:8cNby5wATPnRa6x5MY/PmzlzBQ0tNTPKduE1ujRzEY0HEIw:L+fRd8/zjNyXudzfr

Malware Config

Extracted

  • Family: spynote
  • C2: 178.255.218.228:8005

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

  • Spynote family
  • Spynote payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • samoa.broken.hose
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4612

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/samoa.broken.hose/app_course/FmheFka.json
    Filesize: 1.5MB
    MD5: d67d71ce26173f839317fcb7aab7a549
    SHA1: 71ee11c41ea3f0768b47a70ec25fec53b5064b31
    SHA256: 9178ecba48a68e3b5f4073225ab0986396d124560a97373099aec87974911037
    SHA512: a5243d345bd6c65507c7241fb125f1b63744d17916c43ffed44697899b3ed1bef77002eef8937ac1746016fa6bbcf09ca2404d341bd0a8dd7fe4b79850e45d23

  • /data/user/0/samoa.broken.hose/app_course/FmheFka.json
    Filesize: 1.5MB
    MD5: 4bf457e5984f450f6ba58e8ab3b664aa
    SHA1: b1b83fc054b27665ea786c2ffd4031bf68c3ce2f
    SHA256: 8fd0e02646c91b28dc2fe10bb9127f5c134ee0ce33952bb44547b207abedc6dd
    SHA512: 8f3031d90a8fc7d22b275f75a6509f3233f2bdce9444621d6c679601c4a428e068bee4aabb807640a929c337916ddefa4c29bede345d8595d3b91bf20d2408a8

  • /data/user/0/samoa.broken.hose/app_course/FmheFka.json
    Filesize: 3.3MB
    MD5: f9b565a9c3b6f390b2af177de72c423f
    SHA1: aa77b1b8cf5856e7f8be0ef51c8ce2cfdf2f9d9b
    SHA256: 945661fe3aee21d95a031606d55ddbbb7f7afe916400f94fb982c2040ab57e6e
    SHA512: 9c8684201f5498362bf7e7a5c39a5286560c8198a4bde40da57e9cde5023b7dc1935bce1b738030b16b6c7d9a79800edbbf56b3ce98f186a4459f5a04a2e6da5

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-19.txt
    Filesize: 37B
    MD5: 600eb86e12c0229ebc382da1b9e3ab47
    SHA1: 6b19a94f5575e33aeb98b73c02e3ec2afa8be614
    SHA256: c20df23dbe426c91f69c95b99603bcd1aa118540842cb27e5a3e9ea221a09352
    SHA512: 401f213d0b66ae8da9fc454df84c58840f6945b55461d47f178df9ae39669398ea8401f2fdd123452f8d55c85a8abf661ac4d512a0be46cb11bb43956dc75e02

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-19.txt
    Filesize: 25B
    MD5: ba30336bf53d54ed3c0ea69dd545de8c
    SHA1: ce99c6724c75b93b7448e2d9fac16ca702a5711f
    SHA256: 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
    SHA512: eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-19.txt
    Filesize: 288B
    MD5: dd068c380eac419a5d0572266f781431
    SHA1: 846158197afd76b0e66cfde525b5cbc068bae4ee
    SHA256: 5b2e9121649ebb1771d3a5cd886879331374954639ab35b5ebac73405778efdf
    SHA512: 2ebf6ca6716b5697de7099444373886912df3b2ab61263bcc0ee304e4cab3e62889b27ba4225a30683ccb43fcdf4201a262dec05efaa045dd224ad3f7b6c05f8

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-19.txt
    Filesize: 45B
    MD5: 675eec086cca58df8c9f08c8af78a7e8
    SHA1: de51d2ccd3964ccce083674145ec6d71c7ae87b5
    SHA256: 92aea97cfa90631336850deae07b10f5ca85b4d982290b882b15fc43296eea2f
    SHA512: 9d6cdc686033657365af61b17ba9f7ae79e59b6b9adb458241ca87e16931e92648c20aa281f77f390b9b363802b9eb48bec02c787941b89bd10e991a7c9f47fd