spynote | b7205fb5cfc57da26fa7dab3b16ffa49ee3b689090c6fb2c8fb6a14fd4a2ab98

General

Target

LoveCom.apk
Size

5.2MB
Sample

241007-pzsv9awcpq
MD5

e170d0c9630ae999229a1b4ede4abc9f
SHA1

b9cfa596a5e3530820631be7c5b0dc0f5f27178e
SHA256

b7205fb5cfc57da26fa7dab3b16ffa49ee3b689090c6fb2c8fb6a14fd4a2ab98
SHA512

a0a93e80417185932fa4a3ed2d5d712a17049a6eb0a016df02dec1b8345a715658e323aba02da851b3f640783e1be8b402d127eda28cd7dcd24ce84511bf0957
SSDEEP

98304:UBgLCrAWUpyDAm2fFnA2CfqbXb5m0Amppdpp8a1960Wv16t0o8xakik8ti1M:UPCVm2dn5Oqrtm0Amp7/8aD6v16tT8x2

Score

10^/10

Malware Config

Extracted

Family

spynote

C2

193.233.254.104:7771

Targets

- Target
  
  LoveCom.apk
- Size
  
  5.2MB
- MD5
  
  e170d0c9630ae999229a1b4ede4abc9f
- SHA1
  
  b9cfa596a5e3530820631be7c5b0dc0f5f27178e
- SHA256
  
  b7205fb5cfc57da26fa7dab3b16ffa49ee3b689090c6fb2c8fb6a14fd4a2ab98
- SHA512
  
  a0a93e80417185932fa4a3ed2d5d712a17049a6eb0a016df02dec1b8345a715658e323aba02da851b3f640783e1be8b402d127eda28cd7dcd24ce84511bf0957
- SSDEEP
  
  98304:UBgLCrAWUpyDAm2fFnA2CfqbXb5m0Amppdpp8a1960Wv16t0o8xakik8ti1M:UPCVm2dn5Oqrtm0Amp7/8aD6v16tT8x2
Score

1^/10
behavioral1 behavioral2 behavioral3
- Target
  
  blablacar.apk
- Size
  
  3.7MB
- MD5
  
  0aeac72a0563cb858d78246a64100546
- SHA1
  
  e0830a86f0652cea83eea4f7129716bc5c5791ee
- SHA256
  
  f944d18af4d0e5787f3400e4f15142064e3ce4fcdd153ac35d6985d553cbf73f
- SHA512
  
  d634c80c64539b9de41114303dc434da298e99910e6429622a093cb986f80085deb19d55106ba85640ef1be97d5c3f12b1307e5c90a814427e042fce8b4b9825
- SSDEEP
  
  98304:gC0zBuT/mzAlz0tJQdYm19DWSOMicOXObQ4:ZuzA+Vm1cSOtZ2Q4
Score

8^/10

banker collection credential_access discovery evasion execution persistence stealth trojan
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries information about active data network
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral4 behavioral5 behavioral6