spynote | 1ac99cb814584d00805ab124bfec1931a97ee3d583aa08daf4ac80cdc97f43d9 | Triage

Sharing

General

Target

Predator (3).apk
Size

3.7MB
Sample

241119-ddx3asvjfn
MD5

6c8f7d51050f8bb76a1ff46dd3f07f0d
SHA1

384775c5a2faa236bb137fefe5549698cb08ea17
SHA256

1ac99cb814584d00805ab124bfec1931a97ee3d583aa08daf4ac80cdc97f43d9
SHA512

083be9d4fc53989ef77ef512561f34724085e1558b64523a5b5f9c9e3ca99f19c0ca821897b029bbc95708a0fcbfb3c359356019a6bdca2f185919501d599b97
SSDEEP

49152:7GAEhhrlkZLGtKzbWRn5RZrzMJ9Sg+ymzLzdGGvQTOujU7Yq50cgMvH4L3yTMgI7:7dUeLdzbWVp/CV+ymzLzBITa0tMvpq

Score

10^/10

spynote android banker collection credential_access discovery evasion execution persistence

Malware Config

Extracted

Family

spynote

C2

5.42.92.97:7771

Targets

- Target
  
  Predator (3).apk
- Size
  
  3.7MB
- MD5
  
  6c8f7d51050f8bb76a1ff46dd3f07f0d
- SHA1
  
  384775c5a2faa236bb137fefe5549698cb08ea17
- SHA256
  
  1ac99cb814584d00805ab124bfec1931a97ee3d583aa08daf4ac80cdc97f43d9
- SHA512
  
  083be9d4fc53989ef77ef512561f34724085e1558b64523a5b5f9c9e3ca99f19c0ca821897b029bbc95708a0fcbfb3c359356019a6bdca2f185919501d599b97
- SSDEEP
  
  49152:7GAEhhrlkZLGtKzbWRn5RZrzMJ9Sg+ymzLzdGGvQTOujU7Yq50cgMvH4L3yTMgI7:7dUeLdzbWVp/CV+ymzLzBITa0tMvpq
Score

7^/10

banker collection credential_access discovery evasion execution persistence
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries information about active data network
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Hide Artifacts

User Evasion

Impair Defenses

Prevent Application Removal

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

System Network Connections Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence