Overview

overview

10

Static

static

10

826f773160...57.apk

android-9-x86

8

826f773160...57.apk

android-10-x64

8

826f773160...57.apk

android-11-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    826f773160d410911f1264d9ae18b257.zip

  • Size

    8.5MB

  • Sample

    240506-k4gassfd2v

  • MD5

    826f773160d410911f1264d9ae18b257

  • SHA1

    052d5b51a2f8dc24b9e124dadd24e6eb229e9f9f

  • SHA256

    dfaae61c292ef05981dc62f71dce4fbd4d8f0f5bc19c4f4bc739c5ea25acbb71

  • SHA512

    62a7805dc99c2c9541f7de7379db8a41207024098387e814206f29de503b5957ab18936be0d8bdfff9499a18c47914e399a698c10ff887d580cff2db366c0ad7

  • SSDEEP

    98304:osKfC9rzuhTeHp8TDaoWSW+mz3zBzTb0tgSD:08vA/WSKzJEj

Score
10/10
spynoteandroidbankercollectioncredential_accessdiscoveryevasionexecutionimpactpersistence

Malware Config

Extracted

Family

spynote

C2

www.biancfdaslkljdsfkw.shop:7772

Targets

    • Target

      826f773160d410911f1264d9ae18b257.zip

    • Size

      8.5MB

    • MD5

      826f773160d410911f1264d9ae18b257

    • SHA1

      052d5b51a2f8dc24b9e124dadd24e6eb229e9f9f

    • SHA256

      dfaae61c292ef05981dc62f71dce4fbd4d8f0f5bc19c4f4bc739c5ea25acbb71

    • SHA512

      62a7805dc99c2c9541f7de7379db8a41207024098387e814206f29de503b5957ab18936be0d8bdfff9499a18c47914e399a698c10ff887d580cff2db366c0ad7

    • SSDEEP

      98304:osKfC9rzuhTeHp8TDaoWSW+mz3zBzTb0tgSD:08vA/WSKzJEj

    Score
    8/10
    bankercollectioncredential_accessdiscoveryevasionexecutionpersistenceimpact

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectionevasioncredential_access

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

      bankerdiscovery

    • Checks CPU information

      Checks CPU information which indicate if the system is an emulator.

      evasiondiscovery

    • Checks memory information

      Checks memory information which indicate if the system is an emulator.

      evasiondiscovery

    • Checks the application is allowed to request package installs through the package installer

      Checks the application is allowed to install additional applications (Might try to install applications from unknown sources).

      evasion

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Queries the mobile country code (MCC)

      discovery

    • Reads the content of the SMS messages.

      collection

    • Reads the content of the call log.

      collection

    • Registers a broadcast receiver at runtime (usually for listening for system events)

      persistence

    • Acquires the wake lock

    • Checks if the internet connection is available

      discovery

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      evasion

    • Schedules tasks to execute at a specified time

      Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

      executionpersistence
    behavioral1behavioral2behavioral3

MITRE ATT&CK Matrix

Tasks