spynote | 991f7f8b9a7db8eadda1dc4bedeeb2f5b4eed0d419e0ed60df5b328b4d0d000f | Triage

Sharing

General

Target

991f7f8b9a7db8eadda1dc4bedeeb2f5b4eed0d419e0ed60df5b328b4d0d000f.bin
Size

844KB
Sample

250110-1wmqlssjgq
MD5

817ac8eb9105c855d5b8a3581df75b24
SHA1

7611c69c6247dfca9994ad3101f5698f1fcb4112
SHA256

991f7f8b9a7db8eadda1dc4bedeeb2f5b4eed0d419e0ed60df5b328b4d0d000f
SHA512

1f9df99c48a2810cfe5f64868e9c872e26f67e4eec7312362ab3b5026fe33fd74f7782c3d7e8d3763b090dc2f08b5e2faf30528ff733fb8db4c74e9fb1bd1531
SSDEEP

12288:+fDGuGa1a8Lze2iw7zZ52SI7Ws6/795WmpYshXZPbGwidNpgXp:+6uGa1ame2xZQSISz/795WmD9idNpu

Score

10^/10

spynote android banker discovery evasion impact persistence privilege_escalation

Malware Config

Extracted

Family

spynote

C2

helkaka-51809.portmap.host:51809

Targets

- Target
  
  991f7f8b9a7db8eadda1dc4bedeeb2f5b4eed0d419e0ed60df5b328b4d0d000f.bin
- Size
  
  844KB
- MD5
  
  817ac8eb9105c855d5b8a3581df75b24
- SHA1
  
  7611c69c6247dfca9994ad3101f5698f1fcb4112
- SHA256
  
  991f7f8b9a7db8eadda1dc4bedeeb2f5b4eed0d419e0ed60df5b328b4d0d000f
- SHA512
  
  1f9df99c48a2810cfe5f64868e9c872e26f67e4eec7312362ab3b5026fe33fd74f7782c3d7e8d3763b090dc2f08b5e2faf30528ff733fb8db4c74e9fb1bd1531
- SSDEEP
  
  12288:+fDGuGa1a8Lze2iw7zZ52SI7Ws6/795WmpYshXZPbGwidNpgXp:+6uGa1ame2xZQSISz/795WmD9idNpu
Score

7^/10

banker discovery evasion impact persistence privilege_escalation
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Requests enabling of the accessibility settings.
- Tries to add a device administrator.
  privilege_escalation impact
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Device Administrator Permissions

Defense Evasion

Foreground Persistence

Credential Access

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Account Access Removal

Tasks

static1

behavioral1

bankerdiscoveryevasionimpactpersistenceprivilege_escalation

behavioral2

bankerdiscoveryevasionpersistence

behavioral3

bankerdiscoveryevasionimpactpersistenceprivilege_escalation