spynote | fd4a3fab4e5a4719fa9d9b0cf77977e1e2f088f6af3e8b4d080d7ac66c867832 | Triage

Sharing

General

Target

ready.apk
Size

8.5MB
Sample

241012-q4cv9stcrd
MD5

4f782dd1be4339e88bceffe8eca9095b
SHA1

6341fe31f6333bd6de397e849076f8b3626f514a
SHA256

fd4a3fab4e5a4719fa9d9b0cf77977e1e2f088f6af3e8b4d080d7ac66c867832
SHA512

dbfcc2d8f223143f85345e8857df4741094c0284bf578c6d12ef0c989967726ba8a871f4ce8a16759545ba249fb360a3cac62b8dce7c0b5a3de1cea2c734d282
SSDEEP

49152:gozLJtk2D6eKYPt4lP0UUxgxfbNtJihSBPm+NlPg07ZYmzXzdGGlQTOchU5YqT0/:go3qeKOmPzNtMkrPwmzXzBKT80tcI

Score

10^/10

spynote android banker collection credential_access discovery evasion execution persistence

Malware Config

Extracted

Family

spynote

C2

147.185.221.22:21974

Targets

- Target
  
  ready.apk
- Size
  
  8.5MB
- MD5
  
  4f782dd1be4339e88bceffe8eca9095b
- SHA1
  
  6341fe31f6333bd6de397e849076f8b3626f514a
- SHA256
  
  fd4a3fab4e5a4719fa9d9b0cf77977e1e2f088f6af3e8b4d080d7ac66c867832
- SHA512
  
  dbfcc2d8f223143f85345e8857df4741094c0284bf578c6d12ef0c989967726ba8a871f4ce8a16759545ba249fb360a3cac62b8dce7c0b5a3de1cea2c734d282
- SSDEEP
  
  49152:gozLJtk2D6eKYPt4lP0UUxgxfbNtJihSBPm+NlPg07ZYmzXzdGGlQTOchU5YqT0/:go3qeKOmPzNtMkrPwmzXzBKT80tcI
Score

7^/10

banker collection credential_access discovery evasion execution persistence
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes a phone call.
  collection
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Hide Artifacts

User Evasion

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Call Control

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Call Control

Exfiltration

Impact

Call Control

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence