spynote | c4ffcc636a0cd535ed86ae31c5311a9da7a0951f62b41f98d229d680a8ba574d | Triage

Sharing

General

Target

c4ffcc636a0cd535ed86ae31c5311a9da7a0951f62b41f98d229d680a8ba574d
Size

15.7MB
Sample

250108-eajwyavmcr
MD5

e2251311fc8acf5de09952fc451a752e
SHA1

f2c651584be93d84f7ea66e2c2c5dc4ebcb1d058
SHA256

c4ffcc636a0cd535ed86ae31c5311a9da7a0951f62b41f98d229d680a8ba574d
SHA512

f31add99459b749071ae7e5e940ac3e440aae5f17dfa335ffbae9f5ee00d434c7cd2448d94c74166a556fb503e56462541313c9861e41e6494dff37448088210
SSDEEP

24576:YoWgP6AWRuEjdpP4V9YeNkA1LJQX0qQxnh:lvYwPY09k0Xxh

Score

10^/10

spynote android collection credential_access evasion execution persistence stealth trojan

Malware Config

Extracted

Family

spynote

C2

156.240.111.98:2251

Targets

- Target
  
  c4ffcc636a0cd535ed86ae31c5311a9da7a0951f62b41f98d229d680a8ba574d
- Size
  
  15.7MB
- MD5
  
  e2251311fc8acf5de09952fc451a752e
- SHA1
  
  f2c651584be93d84f7ea66e2c2c5dc4ebcb1d058
- SHA256
  
  c4ffcc636a0cd535ed86ae31c5311a9da7a0951f62b41f98d229d680a8ba574d
- SHA512
  
  f31add99459b749071ae7e5e940ac3e440aae5f17dfa335ffbae9f5ee00d434c7cd2448d94c74166a556fb503e56462541313c9861e41e6494dff37448088210
- SSDEEP
  
  24576:YoWgP6AWRuEjdpP4V9YeNkA1LJQX0qQxnh:lvYwPY09k0Xxh
Score

8^/10

collection credential_access evasion execution persistence stealth trojan
- Removes its main activity from the application launcher
  stealth trojan evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Hide Artifacts

Suppress Application Icon

User Evasion

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

collectioncredential_accessevasionexecutionpersistencestealthtrojan

behavioral2

collectioncredential_accessevasionexecutionpersistencestealthtrojan

behavioral3

collectioncredential_accessevasionexecutionpersistencestealthtrojan