File name: 1.apk

Full analysis: https://app.any.run/tasks/62ba4656-a8da-4ff9-83d5-4aee42f87106
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: September 23, 2025, 13:48:10
OS: Android 14
Tags:
spynote
rat
Indicators:
MIME: application/vnd.android.package-archive
File info: Android package (APK), with AndroidManifest.xml, with APK Signing Block
MD5: B2C5E29222F57CF91D30D37B8EC54CC3
SHA1: 7E03E82359000BB144C2133CC1E31D3D4C0D045C
SHA256: 7129D6C57182F4E53A4FD0F6AAC15DE30FFC5BFA34BC639A19EE39D2856B3C07
SSDEEP: 98304:4WMuGa+SBC06ZVh/OURv/RhyEV0eeOt3edU8qdgiIrb2tZjfxJN7EuPz/+FiSxsE:b+U5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Uses APIs to record audio and video from various sources
      • app_process64 (PID: 2885)
    • Executes system commands or scripts
      • app_process64 (PID: 2885)
    • Determines whether a component is an active device admin
      • app_process64 (PID: 2885)
    • Hides app icon from display
      • app_process64 (PID: 2885)
    • SPYNOTE has been detected
      • app_process64 (PID: 2885)
  • SUSPICIOUS
    • Retrieves a list of running services
      • app_process64 (PID: 2885)
    • Acquires a wake lock to keep the device awake
      • app_process64 (PID: 2885)
    • Checks if the device's lock screen is showing
      • app_process64 (PID: 2885)
    • Requests access to accessibility settings
      • app_process64 (PID: 2885)
    • Overlays content on other applications
      • app_process64 (PID: 2885)
    • Updates data in the storage of application settings (SharedPreferences)
      • app_process64 (PID: 2885)
    • Prevents its uninstallation by user
      • app_process64 (PID: 2885)
    • Creates a WakeLock to manage power state
      • app_process64 (PID: 2885)
    • Performs UI accessibility actions without user input
      • app_process64 (PID: 2885)
    • Detects when screen powers off
      • app_process64 (PID: 2885)
    • Updates the value of a system setting
      • app_process64 (PID: 2885)
    • Intercepts events for accessibility services
      • app_process64 (PID: 2885)
    • Leverages accessibility to control apps
      • app_process64 (PID: 2885)
    • Checks exemption from battery optimization
      • app_process64 (PID: 2885)
    • Accesses system-level resources
      • app_process64 (PID: 2885)
    • Attempts to activate device administrator
      • app_process64 (PID: 2885)
    • Abuses foreground service for persistence
      • app_process64 (PID: 2885)
    • Connects to unusual port
      • app_process64 (PID: 2885)
    • Accesses external device storage files
      • app_process64 (PID: 2885)
    • Retrieves installed applications on device
      • app_process64 (PID: 2885)
    • Starts a service
      • app_process64 (PID: 2885)
    • Launches a new activity
      • app_process64 (PID: 2885)
  • INFO
    • Dynamically registers broadcast event listeners
      • app_process64 (PID: 2885)
    • Retrieves the value of a secure system setting
      • app_process64 (PID: 2885)
    • Verifies whether the device is connected to the internet
      • app_process64 (PID: 2885)
    • Creates and writes local files
      • app_process64 (PID: 2885)
    • Retrieves data from storage of application settings (SharedPreferences)
      • app_process64 (PID: 2885)
    • Returns elapsed time since boot
      • app_process64 (PID: 2885)
No Malware configuration.

TRiD

.apk | Android Package (62.1)
.jar | Java Archive (17.1)
.zan | BlueEyes Animation (15.9)
.zip | ZIP compressed archive (4.7)

EXIF

ZIP

ZipRequiredVersion: -
ZipBitFlag: 0x0808
ZipCompression: Deflated
ZipModifyDate: 1981:01:01 01:01:00
ZipCRC: 0x2721b4d2
ZipCompressedSize: 9845
ZipUncompressedSize: 48592
ZipFileName: AndroidManifest.xml
No data.
All screenshots are available in the full report
Total processes: 128
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → app_process64 (#SPYNOTE) → app_process64 (no specs), toolbox (no specs)

Process information

PID | CMD | Path | Parent process | User | Integrity level | Exit code
2885 | elimination.kitchen.secured | /system/bin/app_process64 | app_process64 | root | UNKNOWN | 0
2963 | com.android.systemui.accessibility.accessibilitymenu | /system/bin/app_process64 | app_process64 | root | UNKNOWN | 0
3035 | getprop ro.miui.ui.version.name | /system/bin/toolbox | app_process64 | u0_a108 | UNKNOWN | 0
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 1
Text files: 15
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2885 | app_process64 | /data/user/0/elimination.kitchen.secured/shared_prefs/elimination.kitchen.secured.xml | xml
2885 | app_process64 | /data/user/0/elimination.kitchen.secured/cache/oat_primary/arm64/base.2885.tmp | binary
2885 | app_process64 | /storage/emulated/0/Config/sys/apps/log/log-2025-09-23.txt | text
2885 | app_process64 | /data/user/0/elimination.kitchen.secured/shared_prefs/elimination.kitchen.secured_preferences.xml | xml
HTTP(S) requests: 3
TCP/UDP connections: 13
DNS requests: 5
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 204 | 172.217.16.196:80 | http://www.google.com/gen_204 | unknown | whitelisted
877 | app_process64 | GET | 204 | 142.250.184.227:80 | http://connectivitycheck.gstatic.com/generate_204 | unknown | whitelisted
877 | app_process64 | GET | 204 | 142.250.184.227:80 | http://connectivitycheck.gstatic.com/generate_204 | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 172.217.16.196:80 | www.google.com | GOOGLE | US | whitelisted
443 | mdnsd | 224.0.0.251:5353 | - | - | - | whitelisted
- | - | 142.250.184.227:80 | connectivitycheck.gstatic.com | GOOGLE | US | whitelisted
- | - | 172.217.16.196:443 | www.google.com | GOOGLE | US | whitelisted
877 | app_process64 | 142.250.184.227:80 | connectivitycheck.gstatic.com | GOOGLE | US | whitelisted
573 | app_process64 | 216.239.35.4:123 | time.android.com | - | - | whitelisted
877 | app_process64 | 172.217.16.196:443 | www.google.com | GOOGLE | US | whitelisted
1750 | app_process64 | 74.125.206.81:443 | staging-remoteprovisioning.sandbox.googleapis.com | GOOGLE | US | whitelisted
2885 | app_process64 | 81.31.197.165:7771 | - | Zomro B.V. | NL | unknown

DNS requests

Domain | IP | Reputation
www.google.com | 172.217.16.196 | whitelisted
google.com | 216.58.206.46 | whitelisted
connectivitycheck.gstatic.com | 142.250.184.227 | whitelisted
time.android.com | 216.239.35.4, 216.239.35.12, 216.239.35.0, 216.239.35.8 | unknown
staging-remoteprovisioning.sandbox.googleapis.com | 74.125.206.81 | whitelisted

Threats

PID | Process | Class | Message
877 | app_process64 | Misc activity | ET INFO Android Device Connectivity Check
877 | app_process64 | Misc activity | ET INFO Android Device Connectivity Check
No debug info