Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    20-12-2024 04:25

General

  • Target

    7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15.apk

  • Size

    6.0MB

  • MD5

    0826938525ff0f4f400488819d1e7dc7

  • SHA1

    f4f27d86869feba6d71857b9f6eb30e6763f2d89

  • SHA256

    7742ce477fb7f78e181e114db46ace712e3a02d417f7ac8a20994f3f2db46c15

  • SHA512

    2612805d2d6b1eb821d9735b2aa725f69da844a07e6764e6d9f487d7eabc7fc192237e9e9de2ef9400f68e5d8ad325a03e4b8abacb525d4ae449d3da3ed2c3bd

  • SSDEEP

    98304:8cNby5wATPnRa6x5MY/PmzlzBQ0tNTPKduE1ujRzEY0HEIw:L+fRd8/zjNyXudzfr

Malware Config

Extracted

Family

spynote

C2

178.255.218.228:8005

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

  • Spynote family
  • Spynote payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • samoa.broken.hose
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4451

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/samoa.broken.hose/app_course/FmheFka.json

    Filesize

    1.5MB

    MD5

    d67d71ce26173f839317fcb7aab7a549

    SHA1

    71ee11c41ea3f0768b47a70ec25fec53b5064b31

    SHA256

    9178ecba48a68e3b5f4073225ab0986396d124560a97373099aec87974911037

    SHA512

    a5243d345bd6c65507c7241fb125f1b63744d17916c43ffed44697899b3ed1bef77002eef8937ac1746016fa6bbcf09ca2404d341bd0a8dd7fe4b79850e45d23

  • /data/user/0/samoa.broken.hose/app_course/FmheFka.json

    Filesize

    1.5MB

    MD5

    4bf457e5984f450f6ba58e8ab3b664aa

    SHA1

    b1b83fc054b27665ea786c2ffd4031bf68c3ce2f

    SHA256

    8fd0e02646c91b28dc2fe10bb9127f5c134ee0ce33952bb44547b207abedc6dd

    SHA512

    8f3031d90a8fc7d22b275f75a6509f3233f2bdce9444621d6c679601c4a428e068bee4aabb807640a929c337916ddefa4c29bede345d8595d3b91bf20d2408a8

  • /data/user/0/samoa.broken.hose/app_course/FmheFka.json

    Filesize

    3.3MB

    MD5

    f9b565a9c3b6f390b2af177de72c423f

    SHA1

    aa77b1b8cf5856e7f8be0ef51c8ce2cfdf2f9d9b

    SHA256

    945661fe3aee21d95a031606d55ddbbb7f7afe916400f94fb982c2040ab57e6e

    SHA512

    9c8684201f5498362bf7e7a5c39a5286560c8198a4bde40da57e9cde5023b7dc1935bce1b738030b16b6c7d9a79800edbbf56b3ce98f186a4459f5a04a2e6da5

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-20.txt

    Filesize

    37B

    MD5

    600eb86e12c0229ebc382da1b9e3ab47

    SHA1

    6b19a94f5575e33aeb98b73c02e3ec2afa8be614

    SHA256

    c20df23dbe426c91f69c95b99603bcd1aa118540842cb27e5a3e9ea221a09352

    SHA512

    401f213d0b66ae8da9fc454df84c58840f6945b55461d47f178df9ae39669398ea8401f2fdd123452f8d55c85a8abf661ac4d512a0be46cb11bb43956dc75e02

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-20.txt

    Filesize

    25B

    MD5

    ba30336bf53d54ed3c0ea69dd545de8c

    SHA1

    ce99c6724c75b93b7448e2d9fac16ca702a5711f

    SHA256

    2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

    SHA512

    eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-20.txt

    Filesize

    288B

    MD5

    dd068c380eac419a5d0572266f781431

    SHA1

    846158197afd76b0e66cfde525b5cbc068bae4ee

    SHA256

    5b2e9121649ebb1771d3a5cd886879331374954639ab35b5ebac73405778efdf

    SHA512

    2ebf6ca6716b5697de7099444373886912df3b2ab61263bcc0ee304e4cab3e62889b27ba4225a30683ccb43fcdf4201a262dec05efaa045dd224ad3f7b6c05f8

  • /storage/emulated/0/Config/sys/apps/log/log-2024-12-20.txt

    Filesize

    57B

    MD5

    3af69119804d1d999d56d230338ffd36

    SHA1

    69350826205583c8acc385ee0a6e3fc2673ee2ca

    SHA256

    10994862cb263ab6b1e4428cc24cc9c585458fc67544fe0f5dfea81a5a7a115c

    SHA512

    4a41b19d28f637b397d9dff225621694c44c750a9bd65f3e6ad5d3b9acf0d118910ddf53d4618213f9e14c61e0fb154f33f2747dd3b8d50459990767f42fc8cb