spynote | 2f922df9bde2e816064bbc23c5e4d4ec833f8f0d822c0f097f3b584ec81df032 | Triage

Sharing

General

Target

bradesco.apk
Size

1.3MB
Sample

230421-qkhx6shf2t
MD5

0e69fd9ea5ddfda38a1d73621def19a3
SHA1

2a7a8d1219b66db2f5ed3c5af0043460597f4286
SHA256

2f922df9bde2e816064bbc23c5e4d4ec833f8f0d822c0f097f3b584ec81df032
SHA512

a03496b473741ec33cf35fe89e6601254b15614ff5f0e83ba9acd3e231d25b8f4b8a44c7272fc811e1be1e08f9f45a9b444c5b75eea7b262251d57679f54c3b8
SSDEEP

24576:Xj3n7M/NASUj+VX1sTNq/NOLvfHhf6Hfsp4HUj/k:XjLM1nbsxqQ3HhmfspJjs

Score

10^/10

spynote android evasion

Malware Config

Extracted

Family

spynote

C2

1.tcp.sa.ngrok.io:26109

Targets

- Target
  
  bradesco.apk
- Size
  
  1.3MB
- MD5
  
  0e69fd9ea5ddfda38a1d73621def19a3
- SHA1
  
  2a7a8d1219b66db2f5ed3c5af0043460597f4286
- SHA256
  
  2f922df9bde2e816064bbc23c5e4d4ec833f8f0d822c0f097f3b584ec81df032
- SHA512
  
  a03496b473741ec33cf35fe89e6601254b15614ff5f0e83ba9acd3e231d25b8f4b8a44c7272fc811e1be1e08f9f45a9b444c5b75eea7b262251d57679f54c3b8
- SSDEEP
  
  24576:Xj3n7M/NASUj+VX1sTNq/NOLvfHhf6Hfsp4HUj/k:XjLM1nbsxqQ3HhmfspJjs
Score

8^/10

evasion
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Legitimate hosting services abused for malware hosting/C2
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3