spynote | d8438b05118a01791311dcadd84d429191a9975f9afa8310a4a92ade5a2bc4d2

General

Target

d8438b05118a01791311dcadd84d429191a9975f9afa8310a4a92ade5a2bc4d2.apk
Size

5.4MB
Sample

241111-dld96a1eql
MD5

d87c5428d2ea1698309431f715227084
SHA1

4ba458a6671ab8830f0e1cb782de386cbc5e388a
SHA256

d8438b05118a01791311dcadd84d429191a9975f9afa8310a4a92ade5a2bc4d2
SHA512

c24dedb312049be82be6189ee638b2b354b16796944b82b7fc263d923b1afc7352658188e3e17f52f75b3caed85764c73c1f721eb7eeaeac6c4813da0aa6a7e7
SSDEEP

98304:aZBgLCrAZMbyDt4QjH2OFo2Ew+Y9883t9qdAY2EUXHbhbuZOf8eepoVP8BHq:Okkc4Qr2OFoZ+32A3ztuZOkeVPgHq

Score

10^/10

Malware Config

Extracted

Family

spynote

C2

91.214.78.18:7771

Targets

- Target
  
  d8438b05118a01791311dcadd84d429191a9975f9afa8310a4a92ade5a2bc4d2.apk
- Size
  
  5.4MB
- MD5
  
  d87c5428d2ea1698309431f715227084
- SHA1
  
  4ba458a6671ab8830f0e1cb782de386cbc5e388a
- SHA256
  
  d8438b05118a01791311dcadd84d429191a9975f9afa8310a4a92ade5a2bc4d2
- SHA512
  
  c24dedb312049be82be6189ee638b2b354b16796944b82b7fc263d923b1afc7352658188e3e17f52f75b3caed85764c73c1f721eb7eeaeac6c4813da0aa6a7e7
- SSDEEP
  
  98304:aZBgLCrAZMbyDt4QjH2OFo2Ew+Y9883t9qdAY2EUXHbhbuZOf8eepoVP8BHq:Okkc4Qr2OFoZ+32A3ztuZOkeVPgHq
Score

1^/10
behavioral1 behavioral2 behavioral3
- Target
  
  lariska.apk
- Size
  
  3.6MB
- MD5
  
  05662dcd85b5a5bdb5e2f322938c723c
- SHA1
  
  3c6e0cfde33019c7fff44ac1fd696b817087004a
- SHA256
  
  f3df45ca4a6184785d56aeca18a3d05422171f962605c503da303209aad7cb8d
- SHA512
  
  342a67aa86670efeb8f8f3c882b7bcb1552b13df0bc41bdcf1cf817e888129f898639a3293c0bc11030ea55fb67132b1725363d298cbb77326e4e33e2b0452c4
- SSDEEP
  
  49152:bqYquuzdGGpQTOs0cgrmzE80UtDUTWh8+VzL6aueqN9eU6OeSnBSv/he1/W9X2f:TuzBmTZ0trmzYiiWLdq8SnovZX2f
Score

8^/10

banker collection credential_access discovery evasion execution persistence stealth trojan
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral4 behavioral5 behavioral6