Overview

overview

10

Static

static

10

124eef513e...9e.apk

android-9-x86

10

124eef513e...9e.apk

android-10-x64

10

124eef513e...9e.apk

android-11-x64

10

kydek.apk

android-9-x86

7

kydek.apk

android-10-x64

7

kydek.apk

android-11-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    124eef513e5befa4e92ab7164f72ecd70e1ad68ff5ac3bfb962415e06094ed9e.bin

  • Size

    1.2MB

  • Sample

    241123-1yspmsvpbr

  • MD5

    499da09889ad99185018a4f054a4b8c7

  • SHA1

    7d8f0efab41d8a8386136d5dc8be9df7dee9084f

  • SHA256

    124eef513e5befa4e92ab7164f72ecd70e1ad68ff5ac3bfb962415e06094ed9e

  • SHA512

    7fb09b2056701d23bfb23f1d07498277bac09fbe1065f48bb8aee5096d6f80bf4f2dd70319741904c8b115c70d0df590b0ce11c0c671a311e7ca1e7bbbb6a580

  • SSDEEP

    24576:f4ARb/sxUQoC0HcXJ67N3a1a6eKDDvzRn2f7bIJWbaXpA:f4ARzBCVg79a1aiPvzgbIbA

Score
10/10
spynoteandroidbankerdiscoveryevasionimpactinfostealerpersistenceprivilege_escalationrattrojan

Malware Config

Extracted

Family

spynote

C2

callrat-33839.portmap.host:33839

Targets

    • Target

      124eef513e5befa4e92ab7164f72ecd70e1ad68ff5ac3bfb962415e06094ed9e.bin

    • Size

      1.2MB

    • MD5

      499da09889ad99185018a4f054a4b8c7

    • SHA1

      7d8f0efab41d8a8386136d5dc8be9df7dee9084f

    • SHA256

      124eef513e5befa4e92ab7164f72ecd70e1ad68ff5ac3bfb962415e06094ed9e

    • SHA512

      7fb09b2056701d23bfb23f1d07498277bac09fbe1065f48bb8aee5096d6f80bf4f2dd70319741904c8b115c70d0df590b0ce11c0c671a311e7ca1e7bbbb6a580

    • SSDEEP

      24576:f4ARb/sxUQoC0HcXJ67N3a1a6eKDDvzRn2f7bIJWbaXpA:f4ARzBCVg79a1aiPvzgbIbA

    Score
    10/10
    spynotebankerdiscoveryevasionimpactinfostealerpersistenceprivilege_escalationrattrojan

    • Spynote

      Spynote is a Remote Access Trojan first seen in 2017.

      bankertrojaninfostealerratspynote

    • Spynote family

      spynote

    • Spynote payload

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

      bankerdiscovery

    • Declares broadcast receivers with permission to handle system events

    • Declares services with permission to bind to the system

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Requests dangerous framework permissions

    • Requests enabling of the accessibility settings.

    • Tries to add a device administrator.

      privilege_escalationimpact
    behavioral1behavioral2behavioral3

    • Target

      kydek

    • Size

      758KB

    • MD5

      07c8fd6b64f7684358faac2e62c84d07

    • SHA1

      4f206b9ed20ff698852750a96267e8a3ed77c56f

    • SHA256

      7e0522de4dd7e372e06e8e650c95d53002d446dcc38dafc3c47d03e40857797f

    • SHA512

      48269e258a0ffea1f24835982f1dea6b031cf7a2a72971a73a696d2526d9cdc837e2c05e2146f13aca9f08f5e9eea8c207b018688bb434fa6a129ea6988c9c77

    • SSDEEP

      12288:oJaBOa1a8Ldeg4Wr8R9IS5WmpYshXZPbGwidNpgwtB:Cha1a6egzr8R9IS5WmD9idNpBtB

    Score
    7/10
    bankerdiscoveryevasionimpactpersistenceprivilege_escalation

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

      bankerdiscovery

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Requests enabling of the accessibility settings.

    • Tries to add a device administrator.

      privilege_escalationimpact
    behavioral4behavioral5behavioral6

MITRE ATT&CK Mobile v15

Tasks