Overview

overview

10

Static

static

10

e4349991ce...dc.apk

android-9-x86

1

e4349991ce...dc.apk

android-10-x64

1

e4349991ce...dc.apk

android-11-x64

1

childapp.apk

android-9-x86

8

childapp.apk

android-10-x64

8

childapp.apk

android-11-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e4349991ce0a2ed6e2f58e2243a6d5b3c7a795b1f6d2dcdf8817fea0e826aedc.apk

  • Size

    4.9MB

  • Sample

    240526-j3evxach86

  • MD5

    18fbdb35e4cd08b87c4a271241a39253

  • SHA1

    a421c7228f33c3587b06c4f0600534ca2fb77aaf

  • SHA256

    e4349991ce0a2ed6e2f58e2243a6d5b3c7a795b1f6d2dcdf8817fea0e826aedc

  • SHA512

    2be43d12480851e7301922714d99e9684b074e1e9f6ecb473da2ac1c795996ac53b8b3c056055ad645d8ca5ec2f5d87df00bac49b4ad294f66e797e7ee15d7f2

  • SSDEEP

    98304:P6boJR1LlqF8oeDRUtcX+KcmWG5r5z6PS7pOks476zxMsgKk6nI+Vst8nx:ib4bDppJ5rAPSwf5gVeIAst8x

Score
10/10
spynoteandroidbankercollectioncredential_accessdiscoveryevasionexecutionpersistencestealthtrojan

Malware Config

Extracted

Family

spynote

C2

botuser0.duckdns.org:1337

Targets

    • Target

      e4349991ce0a2ed6e2f58e2243a6d5b3c7a795b1f6d2dcdf8817fea0e826aedc.apk

    • Size

      4.9MB

    • MD5

      18fbdb35e4cd08b87c4a271241a39253

    • SHA1

      a421c7228f33c3587b06c4f0600534ca2fb77aaf

    • SHA256

      e4349991ce0a2ed6e2f58e2243a6d5b3c7a795b1f6d2dcdf8817fea0e826aedc

    • SHA512

      2be43d12480851e7301922714d99e9684b074e1e9f6ecb473da2ac1c795996ac53b8b3c056055ad645d8ca5ec2f5d87df00bac49b4ad294f66e797e7ee15d7f2

    • SSDEEP

      98304:P6boJR1LlqF8oeDRUtcX+KcmWG5r5z6PS7pOks476zxMsgKk6nI+Vst8nx:ib4bDppJ5rAPSwf5gVeIAst8x

    Score
    1/10
    behavioral1behavioral2behavioral3

    • Target

      childapp.apk

    • Size

      18.3MB

    • MD5

      051916df0c9afa5bb89b4d4771f291f7

    • SHA1

      49fc19b18617e39f788b93846d679cfe4cc7963f

    • SHA256

      61ef15e9eccee437915a643c86e7f5049bcee9c439360a0a9cd4818adb98fb26

    • SHA512

      167bef68e5eb04f438d93a08e098ef1306d674ee252bd93a976732b4f1c1e8a036b9054ea2798052af57fc47315720753061f69f1280b76ec06349fe05a6f9c4

    • SSDEEP

      98304:+jwaGeWClCZmcsPS75miKq0T0Q797HmzzzBGTr0t4d:PaZCZwPSYiKq0gY0zgUy

    Score
    8/10
    bankercollectioncredential_accessdiscoveryevasionexecutionpersistencestealthtrojan

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectionevasioncredential_access

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

      bankerdiscovery

    • Removes its main activity from the application launcher

      stealthtrojanevasion

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Registers a broadcast receiver at runtime (usually for listening for system events)

      persistence

    • Acquires the wake lock

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      evasion

    • Schedules tasks to execute at a specified time

      Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

      executionpersistence
    behavioral4behavioral5behavioral6

MITRE ATT&CK Matrix

Tasks