spynote | f25b3fa62def55078985aca0a15438375fd7f4d5fd2734ad79bf6b6b5fbda1ac | Triage

Sharing

General

Target

232a7faf28903b123af03257dbab51c4.bin
Size

3.7MB
Sample

241107-bglgkasdnm
MD5

4b0882d564eb05052ab355bcd7c7cb96
SHA1

aaaa3d0426836bca2a118058cc55caac1c2fae87
SHA256

f25b3fa62def55078985aca0a15438375fd7f4d5fd2734ad79bf6b6b5fbda1ac
SHA512

083ff8c5bc7bb2101a04878dcbbf39723b8259e03aae9e03ca7ff2dc9e2ce1d1d710d5f901dd1422b2abacf03aea4fd3f7c25edefe07325cbf2ab0ad3b87f1b8
SSDEEP

98304:TeG/PxSd6T6ygtEPYnyIhYH7E1PCm9hWdFWwLZJBxw5QggFdG:TeYPx066yclhYH7cPCKhWHdLZiX

Score

10^/10

spynote android banker collection credential_access discovery evasion execution persistence

Malware Config

Targets

- Target
  
  41f9e34b6832c27c1121d8311840959a843a3c1b67e8464646841abd11b9d81c.zip
- Size
  
  4.6MB
- MD5
  
  232a7faf28903b123af03257dbab51c4
- SHA1
  
  fa7f91ec0a253d93033bee2e3f6dc698925b47cf
- SHA256
  
  41f9e34b6832c27c1121d8311840959a843a3c1b67e8464646841abd11b9d81c
- SHA512
  
  5796e760f6abde93e729f39d89b7ccd635ad0e345cee457e0cae21d1dc093e6dd0f6414ebcc8ee4e0568eaf08c648ecf0c74fe1d466a08bb2df7056ae3c1b263
- SSDEEP
  
  98304:gM1IyJxJldEGwocQNcRNEMemmzozB1T20t8mTq7P9RLk8:kyJddluQNcRNEMeRzq9F+Q8
Score

7^/10

banker collection credential_access discovery evasion execution persistence
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral2

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral3

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence