spynote | 852cea014fdae474d9cd76cada3b0debb9340698bfff9f23a912109f5249bca9 | Triage

Resubmissions

08-01-2025 03:38

250108-d7eg2ssncy 10

Sharing

General

Target

852cea014fdae474d9cd76cada3b0debb9340698bfff9f23a912109f5249bca9
Size

18.7MB
Sample

250108-d7eg2ssncy
MD5

c1bd7281d679534ecd67d493177387fd
SHA1

7a6811fc5c0599d86b6b10ad6713175899d3eafb
SHA256

852cea014fdae474d9cd76cada3b0debb9340698bfff9f23a912109f5249bca9
SHA512

221b89a1be21e6d7f6de3eaecd18d094926852a1501d836a815b6b58583b579b69f285394b68103533ebabf93535ed47aa912ddcc75d4b7c4c134771ffc4dbaf
SSDEEP

12288:EHy4hnuZ9LFAyhT6mJLeWb3rjjoCkF3izP1rgU3QiUua4RqjA+dA2kpMUkAhuzYx:4y4wB0KbbjjoR3+d0U6uaolWcqW

Score

10^/10

spynote android collection credential_access evasion execution persistence stealth trojan

Malware Config

Extracted

Family

spynote

C2

156.240.111.65:1151

Targets

- Target
  
  852cea014fdae474d9cd76cada3b0debb9340698bfff9f23a912109f5249bca9
- Size
  
  18.7MB
- MD5
  
  c1bd7281d679534ecd67d493177387fd
- SHA1
  
  7a6811fc5c0599d86b6b10ad6713175899d3eafb
- SHA256
  
  852cea014fdae474d9cd76cada3b0debb9340698bfff9f23a912109f5249bca9
- SHA512
  
  221b89a1be21e6d7f6de3eaecd18d094926852a1501d836a815b6b58583b579b69f285394b68103533ebabf93535ed47aa912ddcc75d4b7c4c134771ffc4dbaf
- SSDEEP
  
  12288:EHy4hnuZ9LFAyhT6mJLeWb3rjjoCkF3izP1rgU3QiUua4RqjA+dA2kpMUkAhuzYx:4y4wB0KbbjjoR3+d0U6uaolWcqW
Score

8^/10

collection credential_access evasion execution persistence stealth trojan
- Removes its main activity from the application launcher
  stealth trojan evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Hide Artifacts

Suppress Application Icon

User Evasion

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

collectioncredential_accessevasionexecutionpersistencestealthtrojan

behavioral2

collectioncredential_accessevasionexecutionpersistencestealthtrojan

behavioral3

collectioncredential_accessevasionexecutionpersistencestealthtrojan