spynote | 8469ec91f9058c03527dd55b2778864c5c11588ef2e1b7ba5938a4c3dacf7258 | Triage

Sharing

General

Target

8469ec91f9058c03527dd55b2778864c5c11588ef2e1b7ba5938a4c3dacf7258.apk
Size

3.7MB
Sample

241212-cz5htsxmet
MD5

d15d3744e57d220dd297896f4b93eaa4
SHA1

83ea1f9a07a0f923729d46d6e830831f6f41b3e2
SHA256

8469ec91f9058c03527dd55b2778864c5c11588ef2e1b7ba5938a4c3dacf7258
SHA512

18bcf0fe4dbd088b440d03f454b0a8bb10b10d23b3e3fb0581c6ceb028d8d369d4fec7aea9363dcf3f0160f36bc02b9f16f6a433f9728e35ff6a5cc08d5f39d7
SSDEEP

98304:CieaIXa6MQc+3cP6JEtUV2zmy6mz/zBbTP0twsRP8:CcIBc+06Jhe1z5AY

Score

10^/10

spynote android collection credential_access discovery evasion execution persistence

Malware Config

Extracted

Family

spynote

C2

185.148.241.158:7771

Targets

- Target
  
  8469ec91f9058c03527dd55b2778864c5c11588ef2e1b7ba5938a4c3dacf7258.apk
- Size
  
  3.7MB
- MD5
  
  d15d3744e57d220dd297896f4b93eaa4
- SHA1
  
  83ea1f9a07a0f923729d46d6e830831f6f41b3e2
- SHA256
  
  8469ec91f9058c03527dd55b2778864c5c11588ef2e1b7ba5938a4c3dacf7258
- SHA512
  
  18bcf0fe4dbd088b440d03f454b0a8bb10b10d23b3e3fb0581c6ceb028d8d369d4fec7aea9363dcf3f0160f36bc02b9f16f6a433f9728e35ff6a5cc08d5f39d7
- SSDEEP
  
  98304:CieaIXa6MQc+3cP6JEtUV2zmy6mz/zBbTP0twsRP8:CcIBc+06Jhe1z5AY
Score

7^/10

collection credential_access discovery evasion execution persistence
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries information about active data network
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Hide Artifacts

User Evasion

Impair Defenses

Prevent Application Removal

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

System Network Connections Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

collectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral2

collectioncredential_accessdiscoveryevasionexecutionpersistence

behavioral3

collectioncredential_accessdiscoveryevasionexecutionpersistence