spynote | 7126d929d329e5f0fe69290814abbbf57ad2ff35d05de5ef00d0d4b053ac4686 | Triage

Sharing

General

Target

ready.apk
Size

5.5MB
Sample

241031-e4kqbszhkp
MD5

6c6e47e1a51e53eef22b9305abaaf392
SHA1

063fe806f986f5319a9ef4876cfefb59e2cd6f69
SHA256

7126d929d329e5f0fe69290814abbbf57ad2ff35d05de5ef00d0d4b053ac4686
SHA512

573eea6fa065a47ee686997276f69571fa96c86489cdb76e6d5e154a57feb805ec47f4fac9af52a1f8771cec7d7da69df50d05138a76adf3df1f6490b2d47754
SSDEEP

98304:L/wlsLSQoZEYK7S859Xt0yfbTfRTZ89Hwemz5zBYTq0tSYDB:L/wljQTYKR5xzXpTZj5zoJ9

Score

10^/10

spynote android banker collection credential_access discovery evasion execution persistence

Malware Config

Extracted

Family

spynote

C2

109.107.182.213:7771

Targets

- Target
  
  ready.apk
- Size
  
  5.5MB
- MD5
  
  6c6e47e1a51e53eef22b9305abaaf392
- SHA1
  
  063fe806f986f5319a9ef4876cfefb59e2cd6f69
- SHA256
  
  7126d929d329e5f0fe69290814abbbf57ad2ff35d05de5ef00d0d4b053ac4686
- SHA512
  
  573eea6fa065a47ee686997276f69571fa96c86489cdb76e6d5e154a57feb805ec47f4fac9af52a1f8771cec7d7da69df50d05138a76adf3df1f6490b2d47754
- SSDEEP
  
  98304:L/wlsLSQoZEYK7S859Xt0yfbTfRTZ89Hwemz5zBYTq0tSYDB:L/wljQTYKR5xzXpTZj5zoJ9
Score

7^/10

banker collection credential_access discovery evasion execution persistence
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Hide Artifacts

User Evasion

Impair Defenses

Prevent Application Removal

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral2

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral3

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence