General

  • Target

    ready.apk

  • Size

    5.5MB

  • Sample

    240812-a6b4raxcrm

  • MD5

    eac3371ec48ce6e259cd1fd730f73e50

  • SHA1

    13769a293b3e6e2104f8bedf5ac48fb3ad33697d

  • SHA256

    78c3943f8a50613b046677701acf085182f9d7d40b77bbff8895164dd5b2197b

  • SHA512

    70dc9ea5497648f456f9b3e026756ce36902c7ff35094264ac995c51f5d617bb683a2aaf8176fab931253142138c289f0a3431f929af6832b88986bb3fda2b12

  • SSDEEP

    98304:D9HIUfF7snAiTP+2xMC9YHSd8fEogmzxzBfTe0tt96B:ZHdfItTjMC+ydMhfzHFW

Malware Config

Extracted

Family

spynote

C2

asdf123456789-32519.portmap.host:32519

Targets

    • Target

      ready.apk

    • Size

      5.5MB

    • MD5

      eac3371ec48ce6e259cd1fd730f73e50

    • SHA1

      13769a293b3e6e2104f8bedf5ac48fb3ad33697d

    • SHA256

      78c3943f8a50613b046677701acf085182f9d7d40b77bbff8895164dd5b2197b

    • SHA512

      70dc9ea5497648f456f9b3e026756ce36902c7ff35094264ac995c51f5d617bb683a2aaf8176fab931253142138c289f0a3431f929af6832b88986bb3fda2b12

    • SSDEEP

      98304:D9HIUfF7snAiTP+2xMC9YHSd8fEogmzxzBfTe0tt96B:ZHdfItTjMC+ydMhfzHFW

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries account information for other applications stored on the device

      Application may abuse the framework's APIs to collect account information stored on the device.

    • Acquires the wake lock

    • Checks the application is allowed to request package installs through the package installer

      Checks the application is allowed to install additional applications (Might try to install applications from unknown sources).

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries information about active data network

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

MITRE ATT&CK Mobile v15

Tasks