General

  • Target

    8d0d5320c9016316de26412f32bb92a988e9c967ed83bae0b2de36d5b953e0a5.zip

  • Size

    12.1MB

  • Sample

    241106-dlm73asqbz

  • MD5

    f0b5a0a0437867b234da31dcb57b511a

  • SHA1

    a1ed48017766c9581ecbb9682ac87db0f25382a8

  • SHA256

    8d0d5320c9016316de26412f32bb92a988e9c967ed83bae0b2de36d5b953e0a5

  • SHA512

    71dd8465c8f56bfa0cfa58502fc6e1d3d519a53a4f99600f72b410a4cf881ebc892ca550032b5523115cfd2e00bb0b63ec4861781b6fde43606232e2378ba0f4

  • SSDEEP

    98304:gm+Qx2blgIQUX2zy/fmzHzBdTv0twjkjyDPV+L43l1LD/VOFFYRs4GKvuNKXctPQ:94bQs2zy2zjgSslGP2bryiK4Q

Malware Config (Extracted)

  • Family

    spynote

  • C2

    3.tcp.ngrok.io:23649

Targets

    • Target

      8d0d5320c9016316de26412f32bb92a988e9c967ed83bae0b2de36d5b953e0a5.zip

    • Score

      1/10

    • Target

      childapp.apk

    • Size

      8.5MB

    • MD5

      ff748bdc4fcb780b1b70236b7d8bf539

    • SHA1

      35e580c0e3c1859a8cad0fe61f02643b71d0194c

    • SHA256

      e2da21729f6299aa0802d8338803b899373891c1f906c0522b8d385392503673

    • SHA512

      d8487c3a738e5d867c7d4e24607fe0cac2093fea09e218786bf95633a73854acc9aa8f8dc3a53d7c3e8ca077bbcb3869a7bc4c10c5305e14ae987d5ec029b393

    • SSDEEP

      49152:km1m+8pMrS90PP+u5f1M8tlGKO5dtVd6QK3PP9Mzy/S7KmzHzdGGyQTOOZwUgYqz:vm+Qx2blgIQUX2zy/fmzHzBdTv0twj0

    • Removes its main activity from the application launcher

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

    • Acquires the wake lock

    • Legitimate hosting services abused for malware hosting/C2

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).
