Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
34s -
max time network
40s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system -
submitted
24/01/2025, 17:18
Static task
static1
Behavioral task
behavioral1
Sample
ELECTRICITY Bill.-__.apk
Resource
android-x64-20240624-en
General
-
Target
ELECTRICITY Bill.-__.apk
-
Size
4.6MB
-
MD5
1a615c0aebf2d958181b727de8815736
-
SHA1
54800a51c1ebc3aa4cdbe37b7b3cbc9314bdb22a
-
SHA256
2a33c6347c4b4c95e2437075a025a8b9337291d48500224b954e32cb395df678
-
SHA512
bb0c3dcefb04a64d0d08f4f36cf381c226c6577db49f98246394624b9b958d4c1dfd7a6b20938dd6af562b5eb61dab9dc03db1f980f113b44e1a0af2f8166fa5
-
SSDEEP
98304:sUAWRjSD2kDiHAkLk4t6TVOHrcuVorbgxoJhEhkNUGBQp:rSD2kDvSk4IpOHrchbgkEhkvw
Malware Config
Signatures
-
Spynote
Spynote is a Remote Access Trojan first seen in 2017.
-
Spynote family
-
Spynote payload 1 IoCs
resource yara_rule behavioral1/files/fstream-1.dat family_spynote -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/national.curves.carrier/files/arm/classes.dex 5050 national.curves.carrier /data/user/0/national.curves.carrier/files/arm/classes.dex 5050 national.curves.carrier -
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId national.curves.carrier -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock national.curves.carrier -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground national.curves.carrier -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver national.curves.carrier -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule national.curves.carrier
Processes
-
national.curves.carrier1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:5050
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.1MB
MD56b3798690a1a3c1118677c092bee7873
SHA15bb6b26c47eae99cfa6534d2c973cfd913b91a54
SHA256d359ae31274c94a88857cb8d2042814406f26535730eb2d2c9f9a210fbe6cb2e
SHA5124f7a4539af96b71535ad98279165f68cd713d3363afa2609ec1845cc952957bab352c33539b9017d54b82920ddc5e93a9dbd459188dad65201ae8603ecd2a790
-
Filesize
13B
MD5de2c41a51ee9246eb1708f65b511add0
SHA12f442d634c8a18760a232c8829d4b5d74a52f074
SHA256ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA5127cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a
-
Filesize
33B
MD5248307c7368c4e4a7c1937725ce314d0
SHA1a649525aaf2a839dbe1ab3e8973f6651061f525e
SHA25625e2623a965a981b7f23dba54440691c3b6cd16b2c104cde7c06bc13d4d8d2ed
SHA5123af93bd9fb0724528b165adb97f6b160f19e6f05ffafb83a2e1e7aecaa7d225e93c9bb723a26159f4e350a88b0cfa7bd987597b0a26072fe6a999d5b6b4e93bc
-
Filesize
130B
MD54edbee5efc653edf6bb71f284741bf56
SHA1b6f9f3ea3c1c37ecc941d9ae8d7870e20998c97f
SHA2568e00ccbb9ff4730ec895943e5251befaa3734fb695e3cc6b5aa158a927249e6a
SHA512699d9e686fab5d9771bc6b3d75e657852e076cf2a04ef017aef61939dc612c9b582c604aa9dd22ecd7800a2565da7efe960848b1d67bef8def20c0862a84a935