spynote | eed200e27810e20e0d9320a5510005b7f22a7fa432a1d10b921d322ccda0d67e | Triage

Sharing

General

Target

eed200e27810e20e0d9320a5510005b7f22a7fa432a1d10b921d322ccda0d67e.bin
Size

760KB
Sample

250121-1w33latlhk
MD5

4bc2e7b96129e42cc2c5eec037d692ce
SHA1

be161d9211d0e71b163d8ff64d0100812b6dede9
SHA256

eed200e27810e20e0d9320a5510005b7f22a7fa432a1d10b921d322ccda0d67e
SHA512

58efe2963213aa73d617d8c7efcb473e6ad75a86621cab85ff325159fbd40e2d5a292ed13d9f9e0bb68f9d5b75826f21030859f50eb7c8103a47ae5c80906ba1
SSDEEP

12288:FRV695jja1a8LdePvL3Dg8m5WmpYshXZPbGwidNpgN3:F36Ha1a6ePjDg8m5WmD9idNpm

Score

10^/10

spynote android banker defense_evasion discovery impact persistence privilege_escalation

Malware Config

Extracted

Family

spynote

C2

0.tcp.ngrok.io:14051

Targets

- Target
  
  eed200e27810e20e0d9320a5510005b7f22a7fa432a1d10b921d322ccda0d67e.bin
- Size
  
  760KB
- MD5
  
  4bc2e7b96129e42cc2c5eec037d692ce
- SHA1
  
  be161d9211d0e71b163d8ff64d0100812b6dede9
- SHA256
  
  eed200e27810e20e0d9320a5510005b7f22a7fa432a1d10b921d322ccda0d67e
- SHA512
  
  58efe2963213aa73d617d8c7efcb473e6ad75a86621cab85ff325159fbd40e2d5a292ed13d9f9e0bb68f9d5b75826f21030859f50eb7c8103a47ae5c80906ba1
- SSDEEP
  
  12288:FRV695jja1a8LdePvL3Dg8m5WmpYshXZPbGwidNpgN3:F36Ha1a6ePjDg8m5WmD9idNpm
Score

7^/10

banker defense_evasion discovery impact persistence privilege_escalation
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Legitimate hosting services abused for malware hosting/C2
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
- Requests enabling of the accessibility settings.
- Tries to add a device administrator.
  privilege_escalation impact
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Device Administrator Permissions

Defense Evasion

Foreground Persistence

Credential Access

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Account Access Removal

Tasks

static1

behavioral1

bankerdefense_evasiondiscoveryimpactpersistenceprivilege_escalation

behavioral2

bankerdiscovery

behavioral3

bankerdefense_evasiondiscoveryimpactpersistenceprivilege_escalation