General

  • Target

    SNS_24.apk

  • Size

    7.2MB

  • Sample

    240322-wkhkasgh91

  • MD5

    da6f538294ce7f79e17acd65a8a2a0de

  • SHA1

    2ae33b52c49a819e3fa4875a6e2178d232d344fb

  • SHA256

    a79ebbd3eb73942b0e4c430f50b0dca4a30d51abffa4671b8baba1d1d2786a4e

  • SHA512

    6aa6cbdb1e8ab6204bef5a8ccfc85448d67d46dd1c7b3375f3c5b3c7010f4015db1e02b0c132d715319ec21344df24ca525a1086a637602cd640b6be39afe209

  • SSDEEP

    98304:eKefDhiwzjxcMlmzWTx0tfzBs01ev7UOkjYKJyQPsZxIlW+T8XU8DRQAiE8bTSlP:nefc8yMIz2OrAU9YAsZxcy6AiEF

Malware Config

Extracted

Family

spynote

C2

81.161.229.3:7771

Targets

    • Target

      SNS_24.apk

    • Size

      7.2MB

    • MD5

      da6f538294ce7f79e17acd65a8a2a0de

    • SHA1

      2ae33b52c49a819e3fa4875a6e2178d232d344fb

    • SHA256

      a79ebbd3eb73942b0e4c430f50b0dca4a30d51abffa4671b8baba1d1d2786a4e

    • SHA512

      6aa6cbdb1e8ab6204bef5a8ccfc85448d67d46dd1c7b3375f3c5b3c7010f4015db1e02b0c132d715319ec21344df24ca525a1086a637602cd640b6be39afe209

    • SSDEEP

      98304:eKefDhiwzjxcMlmzWTx0tfzBs01ev7UOkjYKJyQPsZxIlW+T8XU8DRQAiE8bTSlP:nefc8yMIz2OrAU9YAsZxcy6AiEF

    • Spynote

      Spynote is a Remote Access Trojan first seen in 2017.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Requests enabling of the accessibility settings.

    • Acquires the wake lock

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Mobile v15

Tasks