General

  • Target

    ready.apk

  • Size

    5.5MB

  • Sample

    240811-sh2nlsvcnp

  • MD5

    eac3371ec48ce6e259cd1fd730f73e50

  • SHA1

    13769a293b3e6e2104f8bedf5ac48fb3ad33697d

  • SHA256

    78c3943f8a50613b046677701acf085182f9d7d40b77bbff8895164dd5b2197b

  • SHA512

    70dc9ea5497648f456f9b3e026756ce36902c7ff35094264ac995c51f5d617bb683a2aaf8176fab931253142138c289f0a3431f929af6832b88986bb3fda2b12

  • SSDEEP

    98304:D9HIUfF7snAiTP+2xMC9YHSd8fEogmzxzBfTe0tt96B:ZHdfItTjMC+ydMhfzHFW

Malware Config

Extracted

Family

spynote

C2

asdf123456789-32519.portmap.host:32519

Targets

    • Target

      ready.apk

    • Size

      5.5MB

    • MD5

      eac3371ec48ce6e259cd1fd730f73e50

    • SHA1

      13769a293b3e6e2104f8bedf5ac48fb3ad33697d

    • SHA256

      78c3943f8a50613b046677701acf085182f9d7d40b77bbff8895164dd5b2197b

    • SHA512

      70dc9ea5497648f456f9b3e026756ce36902c7ff35094264ac995c51f5d617bb683a2aaf8176fab931253142138c289f0a3431f929af6832b88986bb3fda2b12

    • SSDEEP

      98304:D9HIUfF7snAiTP+2xMC9YHSd8fEogmzxzBfTe0tt96B:ZHdfItTjMC+ydMhfzHFW

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Acquires the wake lock

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries information about active data network

    • Queries the mobile country code (MCC)

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Tasks