spynote | c6332488e93567ca53456647129e50f75f68c36b1a71d98007615ab8d24f83a6 | Triage

Sharing

General

Target

Phone-Poisk (4).apk
Size

3.7MB
Sample

241031-hxyv6avjeq
MD5

6f3afc9c0af9b67a7c15ff10f8fe48d0
SHA1

54e8b99dd99a6fc0b90bb79018697dac7ac33efb
SHA256

c6332488e93567ca53456647129e50f75f68c36b1a71d98007615ab8d24f83a6
SHA512

9237c10221ef0ed1b418d4418956d2b835648eff48de8686f2b3fe385d91833ecbbdad51aaeacee2011d2f1bf359498aade0bf1e66591ca355e2100da91ff025
SSDEEP

49152:c6Z0+SLA+opMCZymO9Ve+ge+ihVDamzDzdGGxQTOqVUBYqv0cg4cBrikoJS:c03p9ZyzEebvDamzDzBeTW0t4ciJS

Score

10^/10

spynote android banker collection credential_access discovery evasion execution persistence

Malware Config

Extracted

Family

spynote

C2

193.233.254.67:7777

Targets

- Target
  
  Phone-Poisk (4).apk
- Size
  
  3.7MB
- MD5
  
  6f3afc9c0af9b67a7c15ff10f8fe48d0
- SHA1
  
  54e8b99dd99a6fc0b90bb79018697dac7ac33efb
- SHA256
  
  c6332488e93567ca53456647129e50f75f68c36b1a71d98007615ab8d24f83a6
- SHA512
  
  9237c10221ef0ed1b418d4418956d2b835648eff48de8686f2b3fe385d91833ecbbdad51aaeacee2011d2f1bf359498aade0bf1e66591ca355e2100da91ff025
- SSDEEP
  
  49152:c6Z0+SLA+opMCZymO9Ve+ge+ihVDamzDzdGGxQTOqVUBYqv0cg4cBrikoJS:c03p9ZyzEebvDamzDzBeTW0t4ciJS
Score

7^/10

banker collection credential_access discovery evasion execution persistence
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries information about active data network
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Hide Artifacts

User Evasion

Impair Defenses

Prevent Application Removal

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

System Network Connections Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence