spynote | ac24b61e112fbe6a0d994f6078c378b01a56359814db828ad73353708825c491 | Triage

Sharing

General

Target

FAPlusv140_Jected.apk
Size

6.8MB
Sample

231004-v1kh6adc5w
MD5

232c85e36c33e449caa852ee2bf1e34e
SHA1

6adc756ffd886a8313758facd9755034e96789c5
SHA256

ac24b61e112fbe6a0d994f6078c378b01a56359814db828ad73353708825c491
SHA512

e26eb8f0ac9120110e64825c35ff6ae09997bf4156ca540a16793d69b65a262d07b9ad891e3e253144a1f9de06b74f19cbc8c4749c8e8b958d7544b6f4aee37c
SSDEEP

98304:Yaf0ZGU0C0e/iVoPw8rnSC1sWF/04GSwF3pnFtf8TczUq5UDRkBlTAgq6ijWJUUi:Jhfm/Qo4FwsYvG5pnFCTczH5ekwviJXg

Score

10^/10

spynote android evasion

Malware Config

Extracted

Family

spynote

C2

fee-harmful.gl.at.ply.gg:41934

Targets

- Target
  
  FAPlusv140_Jected.apk
- Size
  
  6.8MB
- MD5
  
  232c85e36c33e449caa852ee2bf1e34e
- SHA1
  
  6adc756ffd886a8313758facd9755034e96789c5
- SHA256
  
  ac24b61e112fbe6a0d994f6078c378b01a56359814db828ad73353708825c491
- SHA512
  
  e26eb8f0ac9120110e64825c35ff6ae09997bf4156ca540a16793d69b65a262d07b9ad891e3e253144a1f9de06b74f19cbc8c4749c8e8b958d7544b6f4aee37c
- SSDEEP
  
  98304:Yaf0ZGU0C0e/iVoPw8rnSC1sWF/04GSwF3pnFtf8TczUq5UDRkBlTAgq6ijWJUUi:Jhfm/Qo4FwsYvG5pnFCTczH5ekwviJXg
Score

8^/10

evasion
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Legitimate hosting services abused for malware hosting/C2
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2