spynote | fb1b1c472838bac85080d644782ffa23b63773a1c73927d8e3b7270f6d63549d | Triage

Sharing

General

Target

fb1b1c472838bac85080d644782ffa23b63773a1c73927d8e3b7270f6d63549d
Size

5.6MB
Sample

241203-tekrcsxncn
MD5

91b5aea58d6c1a318cb130b584e33749
SHA1

8a5ba4622f1c7af069aaba48beeb5556ca2ee354
SHA256

fb1b1c472838bac85080d644782ffa23b63773a1c73927d8e3b7270f6d63549d
SHA512

78406defdbff2586e0e26d556d1108247762c2bd00c5563c985e049e52ec24d07a5f91fac9ca5f94cd2a0fb6a03bdbb2e0c3fa9129cf1ab7f31a8452c5e666fd
SSDEEP

98304:McjMPjzBDTW0tPmzyDKWs6VL24uRPG0JZtYoz61TVDJzDHtkIbvZS+BRGT:ZjG1dezyOWXL24uRXtYauRDJzDPZS+bC

Score

10^/10

spynote android banker collection credential_access discovery evasion execution persistence

Malware Config

Extracted

Family

spynote

C2

ho1hm2.ddns.net:44414

Targets

- Target
  
  fb1b1c472838bac85080d644782ffa23b63773a1c73927d8e3b7270f6d63549d
- Size
  
  5.6MB
- MD5
  
  91b5aea58d6c1a318cb130b584e33749
- SHA1
  
  8a5ba4622f1c7af069aaba48beeb5556ca2ee354
- SHA256
  
  fb1b1c472838bac85080d644782ffa23b63773a1c73927d8e3b7270f6d63549d
- SHA512
  
  78406defdbff2586e0e26d556d1108247762c2bd00c5563c985e049e52ec24d07a5f91fac9ca5f94cd2a0fb6a03bdbb2e0c3fa9129cf1ab7f31a8452c5e666fd
- SSDEEP
  
  98304:McjMPjzBDTW0tPmzyDKWs6VL24uRPG0JZtYoz61TVDJzDHtkIbvZS+BRGT:ZjG1dezyOWXL24uRXtYauRDJzDPZS+bC
Score

7^/10

banker collection credential_access discovery evasion execution persistence
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Hide Artifacts

User Evasion

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral2

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral3

bankercollectioncredential_accessdiscoveryevasionexecutionpersistence