spynote | e2da21729f6299aa0802d8338803b899373891c1f906c0522b8d385392503673 | Triage

Sharing

General

Target

e2da21729f6299aa0802d8338803b899373891c1f906c0522b8d385392503673.zip
Size

8.5MB
Sample

241106-edvgvatgpf
MD5

ff748bdc4fcb780b1b70236b7d8bf539
SHA1

35e580c0e3c1859a8cad0fe61f02643b71d0194c
SHA256

e2da21729f6299aa0802d8338803b899373891c1f906c0522b8d385392503673
SHA512

d8487c3a738e5d867c7d4e24607fe0cac2093fea09e218786bf95633a73854acc9aa8f8dc3a53d7c3e8ca077bbcb3869a7bc4c10c5305e14ae987d5ec029b393
SSDEEP

49152:km1m+8pMrS90PP+u5f1M8tlGKO5dtVd6QK3PP9Mzy/S7KmzHzdGGyQTOOZwUgYqz:vm+Qx2blgIQUX2zy/fmzHzBdTv0twj0

Score

10^/10

spynote android banker collection credential_access discovery evasion execution persistence stealth trojan

Malware Config

Extracted

Family

spynote

C2

3.tcp.ngrok.io:23649

Targets

- Target
  
  e2da21729f6299aa0802d8338803b899373891c1f906c0522b8d385392503673.zip
- Size
  
  8.5MB
- MD5
  
  ff748bdc4fcb780b1b70236b7d8bf539
- SHA1
  
  35e580c0e3c1859a8cad0fe61f02643b71d0194c
- SHA256
  
  e2da21729f6299aa0802d8338803b899373891c1f906c0522b8d385392503673
- SHA512
  
  d8487c3a738e5d867c7d4e24607fe0cac2093fea09e218786bf95633a73854acc9aa8f8dc3a53d7c3e8ca077bbcb3869a7bc4c10c5305e14ae987d5ec029b393
- SSDEEP
  
  49152:km1m+8pMrS90PP+u5f1M8tlGKO5dtVd6QK3PP9Mzy/S7KmzHzdGGyQTOOZwUgYqz:vm+Qx2blgIQUX2zy/fmzHzBdTv0twj0
Score

8^/10

banker collection credential_access discovery evasion execution persistence stealth trojan
- Removes its main activity from the application launcher
  stealth trojan evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Legitimate hosting services abused for malware hosting/C2
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Hide Artifacts

Suppress Application Icon

User Evasion

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdiscoveryevasionexecutionpersistencestealthtrojan

behavioral2

bankercollectioncredential_accessdiscoveryevasionexecutionpersistencestealthtrojan

behavioral3

bankercollectioncredential_accessdiscoveryevasionexecutionpersistencestealthtrojan