spynote | cf8aa2879623a59edd582a86cc22dfa1a082d8854659a5c64134ca9c622a093d | Triage

Sharing

General

Target

cf8aa2879623a59edd582a86cc22dfa1a082d8854659a5c64134ca9c622a093d.zip
Size

4.6MB
Sample

241106-d8s2tsvcnm
MD5

74e0150f6ef4439751747cfe9517e366
SHA1

97de7ecf82670c8f882ffb442ae916d19b2bbc5c
SHA256

cf8aa2879623a59edd582a86cc22dfa1a082d8854659a5c64134ca9c622a093d
SHA512

7bf355ee1e17c34f277a74d513bb9f3250a4f43a0deb22bd89f15c36b424cbbc10ce61cfdb2029261bd847ced743f8eb353c58402951a4e65b3377d79e765eb6
SSDEEP

98304:2NwDuzBQTlmzf7UhX73k+8CfVALGIDNGfzqA0fe0tcvizrP+Kpc:2KIzTQT+0VACecfzqA0fFiKpc

Score

10^/10

spynote android banker collection credential_access discovery evasion execution persistence

Malware Config

Targets

- Target
  
  cf8aa2879623a59edd582a86cc22dfa1a082d8854659a5c64134ca9c622a093d.zip
- Size
  
  4.6MB
- MD5
  
  74e0150f6ef4439751747cfe9517e366
- SHA1
  
  97de7ecf82670c8f882ffb442ae916d19b2bbc5c
- SHA256
  
  cf8aa2879623a59edd582a86cc22dfa1a082d8854659a5c64134ca9c622a093d
- SHA512
  
  7bf355ee1e17c34f277a74d513bb9f3250a4f43a0deb22bd89f15c36b424cbbc10ce61cfdb2029261bd847ced743f8eb353c58402951a4e65b3377d79e765eb6
- SSDEEP
  
  98304:2NwDuzBQTlmzf7UhX73k+8CfVALGIDNGfzqA0fe0tcvizrP+Kpc:2KIzTQT+0VACecfzqA0fFiKpc
Score

7^/10

banker collection credential_access discovery evasion execution persistence
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral2

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral3

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence