Analysis
max time kernel: 117s
max time network: 151s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 01/04/2025, 04:55
Static task: static1
Behavioral task: behavioral1 (Sample: malware.apk; Resource: android-x86-arm-20240910-en)
Behavioral task: behavioral2 (Sample: malware.apk; Resource: android-33-x64-arm64-20240910-en)
General
Target: malware.apk
Size: 6.2MB
MD5: e5559a01c06fe5bfed0b767a44f6d1a0
SHA1: be5e5faf7ec29543043fa1d54df4d8ddc579b3e0
SHA256: f46e7f5e5b8a4d3be663d7177bce9577b219903c57f9a4e43c6bd01874d95091
SHA512: a39ef856130a7bb61d70e78d1659a65de8634f80a4eb0e6b6017258b4ec8fc35693c6122e538e3c85d2b5c67cfbfcd20a822ea315fbaf8d0b9ea434ff656aec6
SSDEEP: 98304:NmfrbusKCjJwV5PaJNT7kZp6TMPmEwqvpJv4wdWzO03cY6Qi3X/cp84s2auqtpbN:vsKgwV5PRZp6Whw+AQn3Xkp84sMMT4Nk
Malware Config
Extracted family: spynote
Extracted address: 62.146.233.100:3343
Signatures

Spynote
Spynote is a Remote Access Trojan first seen in 2017.

Spynote family

Spynote payload (1 IoC)
resource: behavioral1/files/fstream-3.dat; yara_rule: family_spynote

Loads dropped Dex/Jar (1 TTP, 4 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.mmmatm.cozswcamharz900k/app_mph_dex/classes.dex; pid: 4219; Process: com.mmmatm.cozswcamharz900k (the same entry is reported four times)

Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; Process: com.mmmatm.cozswcamharz900k

Acquires the wake lock (1 IoC)
description: Framework service call; ioc: android.os.IPowerManager.acquireWakeLock; Process: com.mmmatm.cozswcamharz900k

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
description: Framework service call; ioc: android.app.IActivityManager.setServiceForeground; Process: com.mmmatm.cozswcamharz900k

Queries information about active data network (1 TTP, 1 IoC)
description: Framework service call; ioc: android.net.IConnectivityManager.getActiveNetworkInfo; Process: com.mmmatm.cozswcamharz900k

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
description: Intent action; ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS; Process: com.mmmatm.cozswcamharz900k

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; Process: com.mmmatm.cozswcamharz900k

Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description: Framework service call; ioc: android.app.job.IJobScheduler.schedule; Process: com.mmmatm.cozswcamharz900k

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
description: Framework API call; ioc: javax.crypto.Cipher.doFinal; Process: com.mmmatm.cozswcamharz900k
Processes
com.mmmatm.cozswcamharz900k
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID: 4219
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- User Evasion (1)
- Input Injection (1)
Downloads

Filesize: 6.8MB
MD5: 15ad8790347bca77db4423eb9e8f87e7
SHA1: 08b96d147b33b4289bd99448edf4cb8c69d579b2
SHA256: 8dcf491cdd00e65567ec27fcc787a6dbf94c99b74fe4df182b3f328cc7d6abc5
SHA512: fdc556147d7841e7c78bd7219aab8b5c189044534077847b7b1c85107bf234b608f155e9c35311079e40e5c67adec60746da6627f573ebc2337b670f74bad8b3

Filesize: 4KB
MD5: 22438ba250c9fc80167f21d63a072999
SHA1: d42392d774356fdc6c94af65a3e5765dbc711b75
SHA256: ecab97893f28db6402191170da6406da5049a9522c40e3f4ca3ed745d4f9f2e4
SHA512: 2fce76054008b0841549dd27f6e393c4dcc8f9ee3ea7e796ee971188b5bf928d489e28683ffa2425f854f746a219ac848de6f1f7d0436a7c9550a2e84bda28bf

Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize: 512B
MD5: 6519c56429f15f53894c9f3eaa7c6130
SHA1: e662b8788b08ac52c6be67a69c29c4ea93766340
SHA256: dc55ef2e561d270fea4592570b9264075ca6350cac18d34b2d7a3bd34064fe77
SHA512: a0ffc7fcdbf560fd38a996f6749cae4337b231b1e98cdc9f4f744225bc5f15734e2ade9b8add59d1c475246b1e727244a35086233bb29e16e133a480d6e64fc6

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 44KB
MD5: 978c50125f506403fbde81849275dbda
SHA1: ddb7eaf7cc4f4655f0654d97231aab223f4a0c48
SHA256: fe5db10f6aebe2daca2fc89a9481c7a36578976ded86e406292d62e70fd28c30
SHA512: 2fdb763414a14f288e4d1f4d3d681649766b3ccb7c0c4bdf9cb021906eee206ed6b98eb141727efc3b84234ed9e600689d151ebf47f9f11191ff9db87b55b220

Filesize: 4.4MB
MD5: f568f0ec48c1c94cea5d657c36c01228
SHA1: d1b9907eff90f074f9cdd0f73985099e293013d3
SHA256: 56ef132cfdb43c74e89f9b81ecd2a6a4405dc16dfb6742870a6f34a2a0cc0e4f
SHA512: 31d889b0435b509f025e5942b403bd773b4e46b16ad8493658568ab12ddfe4d2b04db7a54514198f16a912e65475ba6d51856e50b576482847289494109830c3

Filesize: 8B
MD5: e498a677a10ed45ce91bccb0d86d63b5
SHA1: 8ee39e0a58b700d1d40c3e46f16e8361b37442e2
SHA256: 32d569ce8bce740fe1b970aa743da126915ebd0c4ecb735e703d1461e1b0628e
SHA512: e81a00f254649674746ee7fb75ea67e3ce364dd54c805184ef2725e1dc7490bed39d4be29ffcdeadf8504ae666c84f1b866a581dc96952bc77400b4198e9c47e

Filesize: 28B
MD5: f15f466fc2334cdb2f5dce4d226895a0
SHA1: e674a73fd655d6cae42f82a7f420695679088c7b
SHA256: 462534e70c123e2f740b66472d35533c9fcc1c3f99d15a7fb9960598d80b6959
SHA512: b0b020b2aa0ad96399537c961274ef7825d6c78f396d113c7609120b2f0565855ba7ac713d5604280b97c2a750f60d5929ed7f262f5f0e917472cec88cb6dded

Filesize: 28B
MD5: 529f20f9a03b2ee8fd4948fdc21060e3
SHA1: a571080178a4635e26a736b9804b9a0fcae3c3cb
SHA256: b4d20026e15a5c97a721597b7f04e88448935808e68ffe83ddeda6e2527fc8eb
SHA512: 155a39986340ed0a7dd1e1e3d79f78c51184153071b9f49f2909272cafb6d1f8d570a53f04e5bbf04c456eb79b57baf7a1624a287f2472255e13d5da4753b8be

Filesize: 283B
MD5: 5e87a7f04c3ccafe4881693f4cf22e15
SHA1: d3d3d377d7648345aa45f42a77603dc23c04936e
SHA256: 264631002332f565283a932a1ffd9477606d0f37127bcb67f96ecad2f15e029c
SHA512: 0176e7272254705aab6ee0526843db0714552f52d5fba8814457dbaf77653572cd0c985f422f8c98303485bb9d52d28dae81357d9db0efa5652ea630b57d6a34