spynote | 5b4fa3c6c80e071c55defa741ae1d95e5d19566f1a8c8bc326f1c7cd85289416 | Triage

Sharing

General

Target

Vavada.apk
Size

3.8MB
Sample

241030-3pmhdavpfr
MD5

d83333cf8add0987d3b3e5ebb98ff12c
SHA1

41ded4b0f5efb4ccfbe34e6ca43a07fa39ec9a43
SHA256

5b4fa3c6c80e071c55defa741ae1d95e5d19566f1a8c8bc326f1c7cd85289416
SHA512

0d95e8a203a2c4f7c6a957e57d252a8773e15dae3a52e852e98cfab660d077b0f0774950cadc939d3ed1fbb8c4fb5ec5a9d99f09488d69fd6fb4f9a8bca55998
SSDEEP

49152:inFc7vtaOUX4O6R+AHmB81kUdc1wmzZzdGGpQTOT3UBYqu0cghQ9jikGK:2q7v4H4O58fCwmzZzBmTg0thQcK

Score

10^/10

spynote android banker collection credential_access discovery evasion execution persistence

Malware Config

Extracted

Family

spynote

C2

109.107.182.213:7771

Targets

- Target
  
  Vavada.apk
- Size
  
  3.8MB
- MD5
  
  d83333cf8add0987d3b3e5ebb98ff12c
- SHA1
  
  41ded4b0f5efb4ccfbe34e6ca43a07fa39ec9a43
- SHA256
  
  5b4fa3c6c80e071c55defa741ae1d95e5d19566f1a8c8bc326f1c7cd85289416
- SHA512
  
  0d95e8a203a2c4f7c6a957e57d252a8773e15dae3a52e852e98cfab660d077b0f0774950cadc939d3ed1fbb8c4fb5ec5a9d99f09488d69fd6fb4f9a8bca55998
- SSDEEP
  
  49152:inFc7vtaOUX4O6R+AHmB81kUdc1wmzZzdGGpQTOT3UBYqu0cghQ9jikGK:2q7v4H4O58fCwmzZzBmTg0thQcK
Score

7^/10

banker collection credential_access discovery evasion execution persistence
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries information about active data network
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Hide Artifacts

User Evasion

Impair Defenses

Prevent Application Removal

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

System Network Connections Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral2

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral3

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence