Analysis

  • max time kernel: 149s
  • max time network: 156s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 20/12/2024, 04:25

General

  • Target: 7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15.apk
  • Size: 6.0MB
  • MD5: 0826938525ff0f4f400488819d1e7dc7
  • SHA1: f4f27d86869feba6d71857b9f6eb30e6763f2d89
  • SHA256: 7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15
  • SHA512: 2612805d2d6b1eb821d9735b2aa725f69da844a07e6764e6d9f487d7eabc7fc192237e9e9de2ef9400f68e5d8ad325a03e4b8abacb525d4ae449d3da3ed2c3bd
  • SSDEEP: 98304:8cNby5wATPnRa6x5MY/PmzlzBQ0tNTPKduE1ujRzEY0HEIw:L+fRd8/zjNyXudzfr

Malware Config

Extracted

  • Family: spynote
  • C2: 178.255.218.228:8005

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

  • Spynote family
  • Spynote payload (2 IoCs)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    The application may abuse the accessibility service to prevent its removal.

  • Queries information about the active data network (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    The application may abuse the framework's APIs to schedule tasks for initial or recurring execution of malicious code.

Processes

  • samoa.broken.hose
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:4268
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/samoa.broken.hose/app_course/FmheFka.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/samoa.broken.hose/app_course/oat/x86/FmheFka.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4293

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/samoa.broken.hose/app_course/FmheFka.json
    Filesize: 1.5MB
    MD5: d67d71ce26173f839317fcb7aab7a549
    SHA1: 71ee11c41ea3f0768b47a70ec25fec53b5064b31
    SHA256: 9178ecba48a68e3b5f4073225ab0986396d124560a97373099aec87974911037
    SHA512: a5243d345bd6c65507c7241fb125f1b63744d17916c43ffed44697899b3ed1bef77002eef8937ac1746016fa6bbcf09ca2404d341bd0a8dd7fe4b79850e45d23

  • /data/data/samoa.broken.hose/app_course/FmheFka.json
    Filesize: 1.5MB
    MD5: 4bf457e5984f450f6ba58e8ab3b664aa
    SHA1: b1b83fc054b27665ea786c2ffd4031bf68c3ce2f
    SHA256: 8fd0e02646c91b28dc2fe10bb9127f5c134ee0ce33952bb44547b207abedc6dd
    SHA512: 8f3031d90a8fc7d22b275f75a6509f3233f2bdce9444621d6c679601c4a428e068bee4aabb807640a929c337916ddefa4c29bede345d8595d3b91bf20d2408a8

  • /data/user/0/samoa.broken.hose/app_course/FmheFka.json
    Filesize: 3.3MB
    MD5: e2dd03dd942239a7334973f58aaae185
    SHA1: 7ba68fa4b1daf6db25512c7d576c098f9a1017cb
    SHA256: cb78fa365884b4155262da6e297c2e8112d0c0d93ae2ca8d0bff60dac1db4f90
    SHA512: 049f4eeed052d691e42b9985909844618c526ef8ee46f49abe8fb71805b2ab5d9f214b8a7c495fd215226b8d0fc8f5c808438d6d7077295b520a6bc1fd18f1ed

  • /data/user/0/samoa.broken.hose/app_course/FmheFka.json
    Filesize: 3.3MB
    MD5: f9b565a9c3b6f390b2af177de72c423f
    SHA1: aa77b1b8cf5856e7f8be0ef51c8ce2cfdf2f9d9b
    SHA256: 945661fe3aee21d95a031606d55ddbbb7f7afe916400f94fb982c2040ab57e6e
    SHA512: 9c8684201f5498362bf7e7a5c39a5286560c8198a4bde40da57e9cde5023b7dc1935bce1b738030b16b6c7d9a79800edbbf56b3ce98f186a4459f5a04a2e6da5

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-20.txt
    Filesize: 288B
    MD5: 593df2e198de9b023aab70791ee0d4d6
    SHA1: 430378708ba6856c3137c98a31fa905de6ac98bd
    SHA256: de93cc46880f20b99c50a05e08b1b21f56e703d71db936538a289d32781bc1fc
    SHA512: f3b0773c6f72e7d43c795fa97ace65d3e909ba2ba5479df5c923dd14a65c398559f0a4e62b5f01b00fcb6f4719daf7e3d4b0f018d8b5f3ee64262dbc09c7ce5f

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-20.txt
    Filesize: 57B
    MD5: 3af69119804d1d999d56d230338ffd36
    SHA1: 69350826205583c8acc385ee0a6e3fc2673ee2ca
    SHA256: 10994862cb263ab6b1e4428cc24cc9c585458fc67544fe0f5dfea81a5a7a115c
    SHA512: 4a41b19d28f637b397d9dff225621694c44c750a9bd65f3e6ad5d3b9acf0d118910ddf53d4618213f9e14c61e0fb154f33f2747dd3b8d50459990767f42fc8cb

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-20.txt
    Filesize: 37B
    MD5: 600eb86e12c0229ebc382da1b9e3ab47
    SHA1: 6b19a94f5575e33aeb98b73c02e3ec2afa8be614
    SHA256: c20df23dbe426c91f69c95b99603bcd1aa118540842cb27e5a3e9ea221a09352
    SHA512: 401f213d0b66ae8da9fc454df84c58840f6945b55461d47f178df9ae39669398ea8401f2fdd123452f8d55c85a8abf661ac4d512a0be46cb11bb43956dc75e02

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-20.txt
    Filesize: 25B
    MD5: ba30336bf53d54ed3c0ea69dd545de8c
    SHA1: ce99c6724c75b93b7448e2d9fac16ca702a5711f
    SHA256: 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
    SHA512: eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e