General

  • Target

    Zoom.apk

  • Size

    8.5MB

  • Sample

    241119-qzkqbaxdnk

  • MD5

    455353e1db3c8b05b7de3e5554117147

  • SHA1

    a25c0536ccbb3409f0b8e00779b93e8f83c9e151

  • SHA256

    fd948ea17227838530868c85af562df89b867865486dfb2f5ea8d260a3349367

  • SHA512

    f0e42915093a9ea4e61dae91278e516327fc0495d488741e3d079dda63233b18b78600f62286e0be288d28ffa1c34deefca7329ada53c46c21998ccadf62ae29

  • SSDEEP

    98304:iGzBR5TA0tnmzlamXfAgg9YGtZCsIXxYQus:RhrmzLYggTjCsIXxYls

Malware Config

Extracted

Family

spynote

C2

87.120.117.136:7771

Targets

    • Target

      Zoom.apk

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent its removal.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Mobile v15

Tasks