spynote | f1eb7a3036e4cb88fcbdb2f7fb1e05b182a67929f627e564c5ab9b985c622326 | Triage

Sharing

General

Target

blablacar.apk
Size

3.7MB
Sample

250115-nxvrds1qgy
MD5

16addca57f186937fabd839bf9e0d323
SHA1

b4d102b28fd7d588c4e199a2993bda8dca4c4a28
SHA256

f1eb7a3036e4cb88fcbdb2f7fb1e05b182a67929f627e564c5ab9b985c622326
SHA512

f2a8e99f1a1776636115216e07c348a6c6e8e51e59145de669bc9cb2d9bfc31a6453c07d152f8ea156b03689dbc45f2eb9a793b518751afceb2b8c7a1defd372
SSDEEP

49152:+yYqbAzdGGsQTOT0cgOmztQAUCvwZ7Sj5wdHl9EUkGz23VzZR21szek5ICCngR:vAzBLTC0tOmzzYO5UHgUkGKgUI2

Score

10^/10

spynote android banker collection credential_access discovery evasion execution persistence stealth trojan

Malware Config

Extracted

Family

spynote

C2

176.9.160.98:7771

Targets

- Target
  
  blablacar.apk
- Size
  
  3.7MB
- MD5
  
  16addca57f186937fabd839bf9e0d323
- SHA1
  
  b4d102b28fd7d588c4e199a2993bda8dca4c4a28
- SHA256
  
  f1eb7a3036e4cb88fcbdb2f7fb1e05b182a67929f627e564c5ab9b985c622326
- SHA512
  
  f2a8e99f1a1776636115216e07c348a6c6e8e51e59145de669bc9cb2d9bfc31a6453c07d152f8ea156b03689dbc45f2eb9a793b518751afceb2b8c7a1defd372
- SSDEEP
  
  49152:+yYqbAzdGGsQTOT0cgOmztQAUCvwZ7Sj5wdHl9EUkGz23VzZR21szek5ICCngR:vAzBLTC0tOmzzYO5UHgUkGKgUI2
Score

8^/10

banker collection credential_access discovery evasion execution persistence stealth trojan
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Hide Artifacts

Suppress Application Icon

User Evasion

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdiscoveryevasionexecutionpersistencestealthtrojan

behavioral2

bankercollectioncredential_accessdiscoveryevasionexecutionpersistencestealthtrojan

behavioral3

bankercollectioncredential_accessdiscoveryevasionexecutionpersistencestealthtrojan