General
Target: c2a7d0ae4f95a2e2de81357948afad740f76c7a2fb7f77917316dd5d5f17d9ca.apk
Size: 60.0MB
Sample: 250214-elre6askfz
MD5: b0081c7a5101d0a2b6d9ad4df983bb29
SHA1: c2afd70af6cf2f2c185b1a0a5efe9fda6420f21b
SHA256: c2a7d0ae4f95a2e2de81357948afad740f76c7a2fb7f77917316dd5d5f17d9ca
SHA512: fd1b9513c22cee8d5413e520ffc597b230d61c705667f0f649083cc690b479ecbd440f6756f65e794788809d65c0052b7f91308ee44b0a405618307f338b3eea
SSDEEP: 1572864:V8OBXNBCV8S11b3UZ/LK117L3GEXUoVlkaVhEv1hWEYqotjXw:V8cBCuS11bElKb7rHUmSaHE9hdl
Static task: static1
Behavioral task: behavioral1
Sample: c2a7d0ae4f95a2e2de81357948afad740f76c7a2fb7f77917316dd5d5f17d9ca.apk
Resource: android-x86-arm-20240624-en
Malware Config
Extracted
spynote
147.189.171.248:7771
Targets
Spynote family

Makes use of the framework's Accessibility service
Retrieves information displayed on the phone screen using AccessibilityService.

Acquires the wake lock

Makes use of the framework's foreground persistence service
Application may abuse the framework's foreground service to continue running in the foreground.

MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution: 1
Broadcast Receivers: 1
Foreground Persistence: 1
Scheduled Task/Job: 1
Defense Evasion
Download New Code at Runtime: 1
Foreground Persistence: 1
Input Injection: 1