smsworm | c339be84525251b3ffb5d9f0ae55345d165369d9574546638b475ed60f720a7b | Triage

Sharing

General

Target

Headshot GFX Tool and Sensitivity settings Guide_1.0_APKPure.apk
Size

13.2MB
Sample

240702-abvmlssajj
MD5

821cf63752c8df3b340c6189aff29a40
SHA1

6d1f4b1df5450a61bbffafe22791d4914feab20c
SHA256

c339be84525251b3ffb5d9f0ae55345d165369d9574546638b475ed60f720a7b
SHA512

b720d018fe2aaff07038d360587e9e9bde14459bc3f55ea6f6ae4f4dec7d57fbd13dca43ee1db0a906748c06878c3289aa1d46313e98d3de7f8f9df4c2ebce8a
SSDEEP

196608:VXfcrsrI8htlaOhSMHO+LeKe95/023Xzni2gNLabEVV1DlM8wn51jQE06aWNYa:VgsrDIAFwj/0ODZgNLUKLDWjRaWZ

Score

10^/10

smsworm spynote android collection credential_access discovery evasion execution impact persistence

Malware Config

Extracted

Family

spynote

C2

people-climbing.gl.at.ply.gg:54251

austin22-62046.portmap.host:62046

Targets

- Target
  
  Headshot GFX Tool and Sensitivity settings Guide_1.0_APKPure.apk
- Size
  
  13.2MB
- MD5
  
  821cf63752c8df3b340c6189aff29a40
- SHA1
  
  6d1f4b1df5450a61bbffafe22791d4914feab20c
- SHA256
  
  c339be84525251b3ffb5d9f0ae55345d165369d9574546638b475ed60f720a7b
- SHA512
  
  b720d018fe2aaff07038d360587e9e9bde14459bc3f55ea6f6ae4f4dec7d57fbd13dca43ee1db0a906748c06878c3289aa1d46313e98d3de7f8f9df4c2ebce8a
- SSDEEP
  
  196608:VXfcrsrI8htlaOhSMHO+LeKe95/023Xzni2gNLabEVV1DlM8wn51jQE06aWNYa:VgsrDIAFwj/0ODZgNLUKLDWjRaWZ
Score

8^/10

discovery evasion execution impact persistence collection credential_access
- Checks if the Android device is rooted.
  evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries information about running processes on the device
  Application may abuse the framework's APIs to collect information about running processes on the device.
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries information about active data network
  discovery
- Queries the mobile country code (MCC)
  discovery
behavioral1 behavioral2

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Input Injection

Virtualization/Sandbox Evasion

System Checks

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Process Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Input Injection

Tasks

static1

behavioral1

discoveryevasionexecutionimpactpersistence

behavioral2

collectioncredential_accessdiscoveryevasionexecutionimpactpersistence