spynote | 4b01ec065b4cd922e567193200bbaf1f22cf55a29a9d770e645a01e266e1b04f | Triage

Sharing

General

Target

ready.apk
Size

30.0MB
Sample

241023-skmx8sydnm
MD5

fe30c5244d8c0dcd120bad0ae5a5a6fe
SHA1

baffcc6ef4f1888b16a6c0c1d88814bd048a77e6
SHA256

4b01ec065b4cd922e567193200bbaf1f22cf55a29a9d770e645a01e266e1b04f
SHA512

6bf6562dadfe963aac6f76723d7afa9361c9261d7522d891905f5d759243881390757ccf956bbdf81212d2d8f1f1ef8443c2f8a179803b8ce56959ec749ac717
SSDEEP

12288:tw6ngF8WhKT8IizVJ7VulZMPh585XNLusT3cgtN0F346Rq21hg0QtWDrQd:U8WhK5ipcZMPh5OLHT3SF34GNSKrI

Score

10^/10

spynote android collection credential_access discovery evasion execution impact persistence stealth trojan

Malware Config

Extracted

Family

spynote

C2

192.168.1.2:7771

Extracted

Family

spynote

C2

192.168.1.2:7771

Targets

- Target
  
  ready.apk
- Size
  
  30.0MB
- MD5
  
  fe30c5244d8c0dcd120bad0ae5a5a6fe
- SHA1
  
  baffcc6ef4f1888b16a6c0c1d88814bd048a77e6
- SHA256
  
  4b01ec065b4cd922e567193200bbaf1f22cf55a29a9d770e645a01e266e1b04f
- SHA512
  
  6bf6562dadfe963aac6f76723d7afa9361c9261d7522d891905f5d759243881390757ccf956bbdf81212d2d8f1f1ef8443c2f8a179803b8ce56959ec749ac717
- SSDEEP
  
  12288:tw6ngF8WhKT8IizVJ7VulZMPh585XNLusT3cgtN0F346Rq21hg0QtWDrQd:U8WhK5ipcZMPh5OLHT3SF34GNSKrI
Score

8^/10

collection credential_access discovery evasion execution persistence stealth trojan impact
- Removes its main activity from the application launcher
  stealth trojan evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries the mobile country code (MCC)
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Hide Artifacts

Suppress Application Icon

User Evasion

Input Injection

Virtualization/Sandbox Evasion

System Checks

Credential Access

Clipboard Data

Input Capture

GUI Input Capture

Keylogging

Discovery

System Information Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Clipboard Data

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

Transmitted Data Manipulation

Input Injection

Tasks

static1

behavioral1

collectioncredential_accessdiscoveryevasionexecutionpersistencestealthtrojan

behavioral2

collectioncredential_accessdiscoveryevasionexecutionimpactpersistencestealthtrojan

behavioral3

collectioncredential_accessevasionexecutionimpactpersistencestealthtrojan