spynote | 97cf6752734816208ff03eea523825bcfc7270d52d8c5f0f02951236885e0403 | Triage

Sharing

General

Target

97cf6752734816208ff03eea523825bcfc7270d52d8c5f0f02951236885e0403
Size

12.5MB
Sample

241111-njdkysskhr
MD5

42ad0ff73e0b4295a4ae2ca600b9e5fa
SHA1

7dd9260843bb1ee8613fc2eb913e776b4c0fcbb4
SHA256

97cf6752734816208ff03eea523825bcfc7270d52d8c5f0f02951236885e0403
SHA512

59efd73b3eb3ff2a17bf88b42575d142fd54c9eda6eb5316444efa14c1980991e11e1780ea3f71d082d5bef7ec74fe023d221ed962b083650ed9f4c6ffc766ee
SSDEEP

196608:mAgbdVg7aNmVAcIro36mugUFcs1Pohd2r7+2Lejjd/1dTWr2pRCYgY8:mAg5N8Atro78cskT2LijZHWipRFP8

Score

10^/10

spynote android collection credential_access evasion execution impact persistence

Malware Config

Extracted

Family

spynote

C2

103.74.105.194:7003

Targets

- Target
  
  97cf6752734816208ff03eea523825bcfc7270d52d8c5f0f02951236885e0403
- Size
  
  12.5MB
- MD5
  
  42ad0ff73e0b4295a4ae2ca600b9e5fa
- SHA1
  
  7dd9260843bb1ee8613fc2eb913e776b4c0fcbb4
- SHA256
  
  97cf6752734816208ff03eea523825bcfc7270d52d8c5f0f02951236885e0403
- SHA512
  
  59efd73b3eb3ff2a17bf88b42575d142fd54c9eda6eb5316444efa14c1980991e11e1780ea3f71d082d5bef7ec74fe023d221ed962b083650ed9f4c6ffc766ee
- SSDEEP
  
  196608:mAgbdVg7aNmVAcIro36mugUFcs1Pohd2r7+2Lejjd/1dTWr2pRCYgY8:mAg5N8Atro78cskT2LijZHWipRFP8
Score

7^/10

collection credential_access evasion execution impact persistence
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Requests changing the default SMS application.
  collection impact
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Hide Artifacts

User Evasion

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Protected User Data

SMS Messages

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

SMS Control

Tasks

static1

behavioral1

collectioncredential_accessevasionexecutionimpactpersistence

behavioral2

collectioncredential_accessevasionexecutionpersistence

behavioral3

collectioncredential_accessevasionexecutionpersistence