spynote | a1d1ef4aa6192febb467e048fa0968fe06e872ca98ea1951058db5794d3e6021

Analysis

max time kernel
149s
max time network
151s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
16-02-2025 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1d1ef4aa6192febb467e048fa0968fe06e872ca98ea1951058db5794d3e6021.apk
Size

4.6MB
MD5

7e2b70988e9e401fe7f93f6ca39db6fd
SHA1

896f153f468eee269db32236a4971512a736121b
SHA256

a1d1ef4aa6192febb467e048fa0968fe06e872ca98ea1951058db5794d3e6021
SHA512

4585d4abdeaa787fd124abc5410abe28d486237e80f2998b8f62a9452c6dda8e8d6415248b223ac76d9d9fb6c36ebb9313bc2ec5413d0f0079523e42d4743a67
SSDEEP

98304:uoUBWR6SQ8G16vWX0PQkgTLwUf2fraXM5r4LISJJ5ytkmnEGBF:ujSQ313kg3wUfml5riIcytkmNn

Score

10^/10

spynote banker collection credential_access defense_evasion evasion execution infostealer persistence rat trojan

Malware Config

Signatures

Spynote
Spynote is a Remote Access Trojan first seen in 2017.
banker trojan infostealer rat spynote
Spynote family
spynote

Spynote payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_spynote

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/the.powerful.person/files/arm/classes.dex	4655	the.powerful.person
/data/user/0/the.powerful.person/files/arm/classes.dex	4655	the.powerful.person

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	the.powerful.person

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	the.powerful.person

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	the.powerful.person

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	the.powerful.person

the.powerful.person
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Schedules tasks to execute at a specified time
PID:4655

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/the.powerful.person/files/arm/classes.dex

Filesize
5.1MB

MD5
e03ed6fa9a762ba491d72801c87b73d1

SHA1
1ade51f93663163d5a8d6feb4f890424e163dd2a

SHA256
55fcf92e3114fd3147a979c08c17be1ceb26a86f34e169f9cf8e73ec761c42be

SHA512
6f7b9f00b78943865ccf6293ca698d23b797468ca50ea0d8bce977345e8448592a1b55c2afb606a4cfa61db145769702c47c9bb7ab6d42f9f0783475e1a24c90

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2025-02-16.txt

Filesize
13B

MD5
de2c41a51ee9246eb1708f65b511add0

SHA1
2f442d634c8a18760a232c8829d4b5d74a52f074

SHA256
ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab

SHA512
7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2025-02-16.txt

Filesize
25B

MD5
04f412407df2e4495f811906b6f817e7

SHA1
a8dbd085774d1222c7c518d68556267d7ab781f3

SHA256
b179c1083e6f3b6a12b5694fb230ae09e7c8757dbd55faee99dc0ba7dce7caff

SHA512
664c8426569854e42568443cb0daaaba4517c93cbf4d8db8690e5a4665af7eeabd50de7f55f8df76fa8e6179c7ccbd6cc3c3d7888bcc6a7a8a093dae9a914526

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2025-02-16.txt

Filesize
25B

MD5
bdb821a955117250611e94cd23842584

SHA1
81edcea1b44f94cfc140710c8410d0696b760c67

SHA256
076eb89055ff3d929eb732e1002a0105652e628682a741151388ce1df3b6ec9d

SHA512
e52ffed4ee84acc414c530c239c8876d9e99c1f2b2c7626c0ed7fbe0c59b9cb8f8a5e9e983541bea3dfdb849dd3b9593df054c2482ed8bcda7c70ebd960ca268

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads