spynote | faaded24862023771812a156faca34da625f54ef1ed60250e67814f928ed8116 | Triage

Sharing

General

Target

9e567a34934a60cb8874bf1e525fe00b.bin
Size

3.5MB
Sample

241107-b3ek5sseqg
MD5

8b96b5d3f80f2304dbd6e6f067aed588
SHA1

a5093f076fcbec961af0ba9b641cf2e9d5d9efd0
SHA256

faaded24862023771812a156faca34da625f54ef1ed60250e67814f928ed8116
SHA512

3bcd79e3e003ebe683a6024d6c7d83e74cd403aa1a0a05ad6137ae3a01b93b3a44a2c75023c6277434bfafdbb165c265cdace6265dac2aba4c7de70ef0043707
SSDEEP

98304:vGO8+nBUo75FKfZUTwVE1yYrMDAtT39ThA7964+mG:1hK+ToExYD0OP+n

Score

10^/10

spynote android banker collection credential_access discovery evasion execution persistence

Malware Config

Targets

- Target
  
  c7f1c45041e15266f830cbce16173b8215391162e18bbab0b07e336b1511f3f5.zip
- Size
  
  4.4MB
- MD5
  
  9e567a34934a60cb8874bf1e525fe00b
- SHA1
  
  d5f11cf62bed2ac2c4b9e60cad7c8011cb886a24
- SHA256
  
  c7f1c45041e15266f830cbce16173b8215391162e18bbab0b07e336b1511f3f5
- SHA512
  
  ef8f2f7fba2b6a6ca30de65ab7506d94902be8bcb56262a802289c05e698102dcf2e71629744b1a2f43cb21c024769d2f691fa0e8c3cb279834f02decfc202a6
- SSDEEP
  
  98304:WazBMT4mzE0V0tDVsQWtQ5xxUnoPlSq+hrOB1Mtgk:4HzERhlXxxOoPlN+hrA1Mtgk
Score

7^/10

banker collection credential_access discovery evasion execution persistence
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral2

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral3

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence