spynote | e600a3c55b71d262130bcb33e70bca5ed5d867ed2076ad952fdf4f94e1e37c04

Analysis

max time kernel
34s
max time network
32s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
28/03/2025, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Image Logger.apk
Size

6.3MB
MD5

823837c2152c1b0418f5b394da9adec7
SHA1

9fcff40616bf982cec57a227fe368bfb59ca868a
SHA256

e600a3c55b71d262130bcb33e70bca5ed5d867ed2076ad952fdf4f94e1e37c04
SHA512

512010775e9dadcac524797194faccd706d5fe3ed4c803b27554f5f8a77943fd55e4f057175d8c355724237970752893e18f1cb2153686cc4fd88fe854165136
SSDEEP

98304:wk9GRSv9xebyOPOc9rMmBopvfzymzhzB7ZT60tFe1i5:w3Sv9IbNFVM4u5zxZEu

Score

10^/10

spynote banker collection credential_access defense_evasion evasion execution infostealer persistence rat trojan

Malware Config

Signatures

Spynote
Spynote is a Remote Access Trojan first seen in 2017.
banker trojan infostealer rat spynote
Spynote family
spynote

Spynote payload 1 IoCs

resource	yara_rule
behavioral1/memory/4519-0.dex	family_spynote

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.ecuador.december/code_cache/i11111i111	4519	com.ecuador.december

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.ecuador.december

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.ecuador.december

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.ecuador.december

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.ecuador.december

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.ecuador.december

com.ecuador.december
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests enabling of the accessibility settings.
- Schedules tasks to execute at a specified time
PID:4519

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.ecuador.december/code_cache/i11111i111

Filesize
5.1MB

MD5
655b3cbe2b5972813970f319b370199c

SHA1
beed6268c390c2e01e5a8b2ec251910348f407eb

SHA256
a344acfe44e56b0a5ebee0029661698bed733892dea8f40e6c2ff764003d628e

SHA512
2a21497cd47c0c41fda9f9ed4ec695383b2a5d0f951dc10df27b598535c8d44413fd8243f356a127a9ca0042a3d1e82114c09805f9f48e22e7d2cc3e3d4b9aee

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2025-03-28.txt

Filesize
13B

MD5
de2c41a51ee9246eb1708f65b511add0

SHA1
2f442d634c8a18760a232c8829d4b5d74a52f074

SHA256
ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab

SHA512
7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2025-03-28.txt

Filesize
580B

MD5
0f25df1c75f17e80d8c0bc6607f0b494

SHA1
3ad5f214e615de9bf243af2a4449ef08bf34c90d

SHA256
7bfa581fde78949f974969bf2b23ff783a866607532c0e62703da3a46b5856b3

SHA512
80d4757e061e338292aa80f4d4a6d2f448354a6d428b4ab3ac0e97055394378c1e35d7a4f8768bdb785a178938796df44598f1fc3bbf9d340c480bca63503eb6

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2025-03-28.txt

Filesize
57B

MD5
1456a5ee24251319725fccde4a73f4b1

SHA1
e9a3437ac635f7855d2c72170e7dcbc0c7d2ccf1

SHA256
5764d8294634d60a9f366b3677d2635675d161d74f2b9f751239d9e73e6074d2

SHA512
bbdfbcea362668b10c8900a29542cd552178d072a49445d7a6fc51e438e92b7a804d11b40c6d29046f4808e1c6411a3ef439c978f842a12f5b4a2fcfcd815d20

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads