spynote | c33deb1d25b66f2471ca0a9fcd534a7d0c5f87cc103b2f9793615176c69aa71e | Triage

Sharing

General

Target

Poisk-Phone.apk
Size

3.7MB
Sample

241031-h2rbwatbjb
MD5

7e9837ebdbc8d7a06ae173464ef93c64
SHA1

a8a2bfc9193160024f283b95933d969505223a15
SHA256

c33deb1d25b66f2471ca0a9fcd534a7d0c5f87cc103b2f9793615176c69aa71e
SHA512

4f1401d24fc89e989fb38f9e103b0501538451e6e084c0e7c045d77d740172ed9bbf4289a6f2cc327d70043bb142aa513214d48247e9d551449d181125416420
SSDEEP

49152:6f89W2GOEzzrqIU543qhOEEIGDnbig+mzHzdGGEQTOTuU+Yq00cgwtx1dbik1MCt:73czXqIUuE8jGg+mzHzBTTY0twtrj

Score

10^/10

spynote android banker collection credential_access discovery evasion execution persistence

Malware Config

Extracted

Family

spynote

C2

109.107.182.213:7771

Targets

- Target
  
  Poisk-Phone.apk
- Size
  
  3.7MB
- MD5
  
  7e9837ebdbc8d7a06ae173464ef93c64
- SHA1
  
  a8a2bfc9193160024f283b95933d969505223a15
- SHA256
  
  c33deb1d25b66f2471ca0a9fcd534a7d0c5f87cc103b2f9793615176c69aa71e
- SHA512
  
  4f1401d24fc89e989fb38f9e103b0501538451e6e084c0e7c045d77d740172ed9bbf4289a6f2cc327d70043bb142aa513214d48247e9d551449d181125416420
- SSDEEP
  
  49152:6f89W2GOEzzrqIU543qhOEEIGDnbig+mzHzdGGEQTOTuU+Yq00cgwtx1dbik1MCt:73czXqIUuE8jGg+mzHzBTTY0twtrj
Score

7^/10

banker collection credential_access discovery evasion execution persistence
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries information about active data network
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Hide Artifacts

User Evasion

Impair Defenses

Prevent Application Removal

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

System Network Connections Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence