spynote

General

Target

Translate.apk
Size

11.6MB
Sample

240617-lwchbavhme
MD5

224b0bc609b3ae5226c66ce80ab882aa
SHA1

3aad911b21907053a69b49086a6396c50714accb
SHA256

197fc60029137c2da90914897d13c1b1af03391542f5b3fbac5cc5b8e8053a7e
SHA512

caa84f65cebc7429594f9e0239682476f7a29cec596a46d22699f5f9c6a594ebfceb682bcb2b204e29411f8773bca80f581099328a74c402cde9af2ea51ff18c
SSDEEP

196608:akAXX5HJwFmzIjgG0zwxBCc3E97gyNMwNXXeuzoyy/SbdTBm4f2hMYKZowfz6KKp:ak6JHKFmuf0zi3ENrNb+uty/SbChM+Dp

Score

10^/10

Malware Config

Extracted

Family

spynote

C2

kyabhai.duckdns.org:8080

Targets

- Target
  
  Translate.apk
- Size
  
  11.6MB
- MD5
  
  224b0bc609b3ae5226c66ce80ab882aa
- SHA1
  
  3aad911b21907053a69b49086a6396c50714accb
- SHA256
  
  197fc60029137c2da90914897d13c1b1af03391542f5b3fbac5cc5b8e8053a7e
- SHA512
  
  caa84f65cebc7429594f9e0239682476f7a29cec596a46d22699f5f9c6a594ebfceb682bcb2b204e29411f8773bca80f581099328a74c402cde9af2ea51ff18c
- SSDEEP
  
  196608:akAXX5HJwFmzIjgG0zwxBCc3E97gyNMwNXXeuzoyy/SbdTBm4f2hMYKZowfz6KKp:ak6JHKFmuf0zi3ENrNb+uty/SbChM+Dp
Score

7^/10

evasion impact persistence
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
behavioral1 behavioral2 behavioral3
- Target
  
  childapp.apk
- Size
  
  5.9MB
- MD5
  
  4ba22114b4b4eabac35d708ceafda99b
- SHA1
  
  5ba11a42028fcb4a43aea514d5f4247a22a93dbb
- SHA256
  
  39d2d4af6ca442b175c40c0d608a8265dca4ab53e4859ad24789b23494bc8193
- SHA512
  
  035a98995ec48a92aad98de6d5e652a03487120e664e2f8932c61b6316532ad439fb4e8f7500fe0edbe508a374ce2d4861baff0dbf1ee69c851666c64f5c5659
- SSDEEP
  
  98304:9oMU1WRYSale8PkTGBD9xvgbHDHFIzmWAfaCsMul+hlX7/RatQOErR2qdD4SKG2H:mxSale8PfTBgzDq0iFMul6Atid8Xb1O+
Score

10^/10

spynote banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
- Spynote
  Spynote is a Remote Access Trojan first seen in 2017.
  banker trojan infostealer rat spynote
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries information about active data network
  discovery
- Queries the mobile country code (MCC)
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral4 behavioral5 behavioral6