spynote | e600a3c55b71d262130bcb33e70bca5ed5d867ed2076ad952fdf4f94e1e37c04

Resubmissions

28/03/2025, 10:50

250328-mw75navvfw 10

28/03/2025, 10:48

250328-mwbrfsvvex 10

Analysis

max time kernel
42s
max time network
42s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
28/03/2025, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Image Logger.apk
Size

6.3MB
MD5

823837c2152c1b0418f5b394da9adec7
SHA1

9fcff40616bf982cec57a227fe368bfb59ca868a
SHA256

e600a3c55b71d262130bcb33e70bca5ed5d867ed2076ad952fdf4f94e1e37c04
SHA512

512010775e9dadcac524797194faccd706d5fe3ed4c803b27554f5f8a77943fd55e4f057175d8c355724237970752893e18f1cb2153686cc4fd88fe854165136
SSDEEP

98304:wk9GRSv9xebyOPOc9rMmBopvfzymzhzB7ZT60tFe1i5:w3Sv9IbNFVM4u5zxZEu

Score

10^/10

spynote banker collection credential_access defense_evasion evasion execution infostealer persistence rat trojan

Malware Config

Signatures

Spynote
Spynote is a Remote Access Trojan first seen in 2017.
banker trojan infostealer rat spynote
Spynote family
spynote

Spynote payload 1 IoCs

resource	yara_rule
behavioral1/memory/5231-0.dex	family_spynote

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.ecuador.december/code_cache/i11111i111	5231	com.ecuador.december

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.ecuador.december

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.ecuador.december

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.ecuador.december

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.ecuador.december

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.ecuador.december

com.ecuador.december
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:5231

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.ecuador.december/code_cache/i11111i111

Filesize
1.2MB

MD5
2353202b04da4d092facbf9868737ac4

SHA1
ef7d883f8c1e1194f0558e253d6d955d617bb583

SHA256
1d5ef4ace837a8eef48ac8243ffd994b99b06e71b7fc30b7fabfef4187e7c5a8

SHA512
6ea9a2cb2a4ee27f609ad8b09987eba3556c1b8a68027d917094e240c8e92185146204e9fcd021b97067e17ea6b0a29dd2f7a89e995ef7f0460316a717d2f756

Download Submit
/data/data/com.ecuador.december/dpt-libs/x86_64/libdpt.so

Filesize
537KB

MD5
a9e45058306111e3a37ca2c266346dd2

SHA1
2ed87bdcd1148a72d6cac073fd34f8d6f429c8ca

SHA256
6f93534ca2cf1260210d189cf8a8f955806651a5aa1cf0801bf5832e3f7b8a12

SHA512
cccec23982ad1517992a9fc1e5de21027881472dd4168245dc797a69877e0a18da3b0e82c7cd9d2ef55505e92503bac29efdc30617c10bb8e59d866fedc3783b

Download Submit
/data/user/0/com.ecuador.december/code_cache/i11111i111

Filesize
5.1MB

MD5
655b3cbe2b5972813970f319b370199c

SHA1
beed6268c390c2e01e5a8b2ec251910348f407eb

SHA256
a344acfe44e56b0a5ebee0029661698bed733892dea8f40e6c2ff764003d628e

SHA512
2a21497cd47c0c41fda9f9ed4ec695383b2a5d0f951dc10df27b598535c8d44413fd8243f356a127a9ca0042a3d1e82114c09805f9f48e22e7d2cc3e3d4b9aee

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2025-03-28.txt

Filesize
13B

MD5
de2c41a51ee9246eb1708f65b511add0

SHA1
2f442d634c8a18760a232c8829d4b5d74a52f074

SHA256
ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab

SHA512
7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2025-03-28.txt

Filesize
65B

MD5
94b055f289648ffaf2adb10a58dafdb6

SHA1
08d69f69fbc27b13daa1e9619c2694d44210c6c0

SHA256
24f099e603a21faa79ac56782e6c57a5078c160bb550527e4c9a8bdb116c07ba

SHA512
fbcec23294e94027570dfed83a6e14317a67ac94e704fc1662ecd5b081e79a5e87bc3ec0d801ef4a77fd566da23d287b2176c0703ea999317b80ebfd40b0fec5

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2025-03-28.txt

Filesize
53B

MD5
b61fb529a13fe7fb34429c5fda2a977b

SHA1
7efe7422a2c54e7d67c8d28b8d5a6f987d1e005c

SHA256
0a54313c712bbd9c39babf80aeee6b6e03113787d5bca767c9789a473316fd4b

SHA512
8f4a6af363feda8eb32f7476d0f43145794878af45bd7e07e0efe02b67c058c4f37ea579fe145927e6b42778a5d89cdb3997a0c9efab38880ba193d106621244

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2025-03-28.txt

Filesize
73B

MD5
33565b87e1c02e73e286c6e805d304ee

SHA1
034dfe6ec852ea8cb03cc8e045f2c613c69dbb7b

SHA256
86e07286a967a5cccea614685def0949a05520cc3b71a6bfb10e743a53bb9db9

SHA512
a801c0afc0e569dfd95485a03600bd1d77e853af0bf25812e70ca1c00b786899161f5adc6f0bb4007a527f7e67cbce365c831dfef516e373c1ca7a0c67cfbe67

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads