General

  • Target

    3a7ef9530ab94de1eb71b917a139294bfd5fa89040669f72449a6e8ab033a917

  • Size

    8.5MB

  • Sample

    240718-p98pfssgnb

  • MD5

    e82ce371454ae3f00ea931aa561a0a92

  • SHA1

    5606f77a3fe34a4b03ff30b2cb9b68a5bd123bcf

  • SHA256

    3a7ef9530ab94de1eb71b917a139294bfd5fa89040669f72449a6e8ab033a917

  • SHA512

    fed2bbaf76af7222117979d6517cbe1209b58bce4b60c7506df5711fcfdedf480baeb5e9afac89b7dd60a4968f3fd90eb87716d4d684c7d9d7a1e9966aa8a730

  • SSDEEP

    98304:x/U234amX8NiPwn47w0VtwIOmzLzBVTP0tQOi:x/Ua4FX8NiPwh0Vtw8zjAq

Malware Config

Extracted

Family

spynote

C2

sad121.ddns.net:7412

Targets

    • Target

      3a7ef9530ab94de1eb71b917a139294bfd5fa89040669f72449a6e8ab033a917

    • Size

      8.5MB

    • MD5

      e82ce371454ae3f00ea931aa561a0a92

    • SHA1

      5606f77a3fe34a4b03ff30b2cb9b68a5bd123bcf

    • SHA256

      3a7ef9530ab94de1eb71b917a139294bfd5fa89040669f72449a6e8ab033a917

    • SHA512

      fed2bbaf76af7222117979d6517cbe1209b58bce4b60c7506df5711fcfdedf480baeb5e9afac89b7dd60a4968f3fd90eb87716d4d684c7d9d7a1e9966aa8a730

    • SSDEEP

      98304:x/U234amX8NiPwn47w0VtwIOmzLzBVTP0tQOi:x/Ua4FX8NiPwh0Vtw8zjAq

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries account information for other applications stored on the device

      Application may abuse the framework's APIs to collect account information stored on the device.

    • Reads the content of the SMS messages.

    • Reads the content of the call log.

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries information about active data network

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

MITRE ATT&CK Mobile v15

Tasks