spynote | 33be0d70b080e48f4dfb63a0e36c81633cdd4c767ebcd462f1b1515f494a2e1c | Triage

Sharing

General

Target

33be0d70b080e48f4dfb63a0e36c81633cdd4c767ebcd462f1b1515f494a2e1c.zip
Size

1.9MB
Sample

241106-cwdkyaslgw
MD5

9136721b5fa07efb8f326eca03e7534e
SHA1

0c93e6264aa644347f4d1166a97139268b88c875
SHA256

33be0d70b080e48f4dfb63a0e36c81633cdd4c767ebcd462f1b1515f494a2e1c
SHA512

fae73b9431df9ba4d73b7a2e585e9c393e00e2d09f7faea42f0eda63397fa9ee9742cae78e5b075a576fc883fefd3c1718d7a20979ebea90bb9e697a2230430d
SSDEEP

12288:5GHQyuFIRTgMWb0hLeZ3ob5OuM5WrFFMK1YnU/:j3IRTgMWELeCb5OujMK1uU/

Score

10^/10

spynote android collection credential_access evasion execution persistence stealth trojan

Malware Config

Extracted

Family

spynote

C2

192.168.1.36:8080

Extracted

Family

spynote

C2

192.168.1.36:8080

Targets

- Target
  
  33be0d70b080e48f4dfb63a0e36c81633cdd4c767ebcd462f1b1515f494a2e1c.zip
- Size
  
  1.9MB
- MD5
  
  9136721b5fa07efb8f326eca03e7534e
- SHA1
  
  0c93e6264aa644347f4d1166a97139268b88c875
- SHA256
  
  33be0d70b080e48f4dfb63a0e36c81633cdd4c767ebcd462f1b1515f494a2e1c
- SHA512
  
  fae73b9431df9ba4d73b7a2e585e9c393e00e2d09f7faea42f0eda63397fa9ee9742cae78e5b075a576fc883fefd3c1718d7a20979ebea90bb9e697a2230430d
- SSDEEP
  
  12288:5GHQyuFIRTgMWb0hLeZ3ob5OuM5WrFFMK1YnU/:j3IRTgMWELeCb5OujMK1uU/
Score

8^/10

collection credential_access evasion execution persistence stealth trojan
- Removes its main activity from the application launcher
  stealth trojan evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Hide Artifacts

Suppress Application Icon

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

collectioncredential_accessevasionexecutionpersistencestealthtrojan

behavioral2

collectioncredential_accessevasionexecutionpersistencestealthtrojan

behavioral3

collectioncredential_accessevasionexecutionpersistencestealthtrojan