Overview

overview

10

Static

static

6

a1d1ef4aa6...21.apk

android-9-x86

10

a1d1ef4aa6...21.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    16-02-2025 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1d1ef4aa6192febb467e048fa0968fe06e872ca98ea1951058db5794d3e6021.apk

  • Size

    4.6MB

  • MD5

    7e2b70988e9e401fe7f93f6ca39db6fd

  • SHA1

    896f153f468eee269db32236a4971512a736121b

  • SHA256

    a1d1ef4aa6192febb467e048fa0968fe06e872ca98ea1951058db5794d3e6021

  • SHA512

    4585d4abdeaa787fd124abc5410abe28d486237e80f2998b8f62a9452c6dda8e8d6415248b223ac76d9d9fb6c36ebb9313bc2ec5413d0f0079523e42d4743a67

  • SSDEEP

    98304:uoUBWR6SQ8G16vWX0PQkgTLwUf2fraXM5r4LISJJ5ytkmnEGBF:ujSQ313kg3wUfml5riIcytkmNn

Score
10/10
spynotebankercollectioncredential_accessdefense_evasionevasionexecutioninfostealerpersistencerattrojan

Malware Config

Signatures

  • Spynote

    Spynote is a Remote Access Trojan first seen in 2017.

    bankertrojaninfostealerratspynote
  • Spynote family
    spynote
  • Spynote payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • the.powerful.person
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:4224
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/the.powerful.person/files/arm/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/the.powerful.person/files/arm/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4251

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/the.powerful.person/files/arm/classes.dex
    Filesize

    5.1MB

    MD5

    e03ed6fa9a762ba491d72801c87b73d1

    SHA1

    1ade51f93663163d5a8d6feb4f890424e163dd2a

    SHA256

    55fcf92e3114fd3147a979c08c17be1ceb26a86f34e169f9cf8e73ec761c42be

    SHA512

    6f7b9f00b78943865ccf6293ca698d23b797468ca50ea0d8bce977345e8448592a1b55c2afb606a4cfa61db145769702c47c9bb7ab6d42f9f0783475e1a24c90

    Download Submit

  • /data/user/0/the.powerful.person/files/arm/classes.dex
    Filesize

    5.1MB

    MD5

    0e0f339a9b4bcd58c17b8600d432f456

    SHA1

    29b28e301423895fd7873495056fc6fa32ab03e2

    SHA256

    95c26efb2bc1a786e7a98671a4d7365ad0b066a7e39bd365975a489e00f3be81

    SHA512

    16c9f639b9e22578d0a68e84ba1275e7a3f480b952cbb4d3981f322685026f766f78ccd809d0a12cd0d7f73f7f4998f9598f7b1f5d30ee3550e009355388bab5

    Download Submit

  • /storage/emulated/0/Config/sys/apps/log/log-2025-02-16.txt
    Filesize

    13B

    MD5

    de2c41a51ee9246eb1708f65b511add0

    SHA1

    2f442d634c8a18760a232c8829d4b5d74a52f074

    SHA256

    ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab

    SHA512

    7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

    Download Submit

  • /storage/emulated/0/Config/sys/apps/log/log-2025-02-16.txt
    Filesize

    25B

    MD5

    04f412407df2e4495f811906b6f817e7

    SHA1

    a8dbd085774d1222c7c518d68556267d7ab781f3

    SHA256

    b179c1083e6f3b6a12b5694fb230ae09e7c8757dbd55faee99dc0ba7dce7caff

    SHA512

    664c8426569854e42568443cb0daaaba4517c93cbf4d8db8690e5a4665af7eeabd50de7f55f8df76fa8e6179c7ccbd6cc3c3d7888bcc6a7a8a093dae9a914526

    Download Submit