spynote | 54ab5879b262885c013643d8214d59b589faa416259271fe97fe55231e36bcc8 | Triage

Resubmissions

19-02-2025 01:32

250219-bxyrtstnbj 10

19-02-2025 01:00

250219-bcrg1stjct 10

Sharing

General

Target

ready.apk
Size

6.2MB
Sample

250219-bcrg1stjct
MD5

0033771068ee4d623e59d5118a13ca6a
SHA1

1627f51d7730a6743bd772a6e6cc017e98a909e0
SHA256

54ab5879b262885c013643d8214d59b589faa416259271fe97fe55231e36bcc8
SHA512

19b313afec70252c085c878d07c09aaa5a2bb8210c68a12814d86ad5832bb2b934d21ce61a7de567f292a847fd72b41b0fdce17bfdcdefe231922b620622f62b
SSDEEP

12288:74a+AXd36mP0X7K23K/iI6+zE8Wsij3L6EkgYdTL7rDJvph22tiVPnToCDleWmKJ:L+Ad36m8e2wiAzJhT5jtsPnkCDYWmScY

Score

10^/10

spynote android banker collection credential_access defense_evasion discovery evasion execution persistence stealth trojan

Malware Config

Extracted

Family

spynote

C2

83.38.24.1:1603

Targets

- Target
  
  ready.apk
- Size
  
  6.2MB
- MD5
  
  0033771068ee4d623e59d5118a13ca6a
- SHA1
  
  1627f51d7730a6743bd772a6e6cc017e98a909e0
- SHA256
  
  54ab5879b262885c013643d8214d59b589faa416259271fe97fe55231e36bcc8
- SHA512
  
  19b313afec70252c085c878d07c09aaa5a2bb8210c68a12814d86ad5832bb2b934d21ce61a7de567f292a847fd72b41b0fdce17bfdcdefe231922b620622f62b
- SSDEEP
  
  12288:74a+AXd36mP0X7K23K/iI6+zE8Wsij3L6EkgYdTL7rDJvph22tiVPnToCDleWmKJ:L+Ad36m8e2wiAzJhT5jtsPnkCDYWmScY
Score

8^/10

banker collection credential_access defense_evasion discovery evasion execution persistence stealth trojan
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  defense_evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Hide Artifacts

Suppress Application Icon

User Evasion

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionpersistencestealthtrojan

behavioral2

bankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionpersistencestealthtrojan

behavioral3

bankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionpersistencestealthtrojan