spynote | 25d12667dff1717f13ae0af59afae54e755e80767f23dbac3d28ddfbc49e2a7c | Triage

Sharing

General

Target

Phone_Poisk.apk
Size

3.8MB
Sample

241031-fsp2ca1dlp
MD5

6a3a11ec684162347a0aa58ffd9bb7f7
SHA1

f397f49a143480429c2453551f3d40376148e945
SHA256

25d12667dff1717f13ae0af59afae54e755e80767f23dbac3d28ddfbc49e2a7c
SHA512

bd36ab460fe281844c4b6664f00d3f5e60b700edd9ec71f19211a43476ea776884526843f31c1e9446585d0a8e16fd4ac74c17b0d6858a5e187ec1e6888bc83b
SSDEEP

49152:o9AThPaS87ajHUs7Rrmj7fNZlilzymzBzdGGsQTOtUUSYqW0cgZP1iik2uad1:o9aaGd7Rr2TlEzymzBzBLTu0tZPdXj

Score

10^/10

spynote android banker collection credential_access discovery evasion execution persistence

Malware Config

Extracted

Family

spynote

C2

193.233.254.67:7777

Targets

- Target
  
  Phone_Poisk.apk
- Size
  
  3.8MB
- MD5
  
  6a3a11ec684162347a0aa58ffd9bb7f7
- SHA1
  
  f397f49a143480429c2453551f3d40376148e945
- SHA256
  
  25d12667dff1717f13ae0af59afae54e755e80767f23dbac3d28ddfbc49e2a7c
- SHA512
  
  bd36ab460fe281844c4b6664f00d3f5e60b700edd9ec71f19211a43476ea776884526843f31c1e9446585d0a8e16fd4ac74c17b0d6858a5e187ec1e6888bc83b
- SSDEEP
  
  49152:o9AThPaS87ajHUs7Rrmj7fNZlilzymzBzdGGsQTOtUUSYqW0cgZP1iik2uad1:o9aaGd7Rr2TlEzymzBzBLTu0tZPdXj
Score

7^/10

banker collection credential_access discovery evasion execution persistence
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries information about active data network
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Hide Artifacts

User Evasion

Impair Defenses

Prevent Application Removal

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

System Network Connections Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral2

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral3

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence