spynote | cd7f319bb93fe00bed3320a1daa9f8abb9e28041c852e9d5e9fd39a8f0697622

General

Target

cd7f319bb93fe00bed3320a1daa9f8abb9e28041c852e9d5e9fd39a8f0697622.bin
Size

4.8MB
Sample

250220-1w181axqz9
MD5

68391aefdbc2eb6e95751e265eed030a
SHA1

0e1e2f5d1865562dc9f45811e02bb0ed74cfaefc
SHA256

cd7f319bb93fe00bed3320a1daa9f8abb9e28041c852e9d5e9fd39a8f0697622
SHA512

01d407c06e1d1e91727ea0b5c9901cd539a5fa25c2e7ea86b3500fc97fd5a3de049a8ade630ad5b9ab56fcb4b192562e75d47c9c2ff5b1db9fd7504386cd2ca5
SSDEEP

98304:AG8w5vYJle6S2kPEyQc0y4nQchzxf7V+c4yD9mMRU4ogp0iO:z8wWJq/Qc0y4LtD4Kwm0B

Score

10^/10

Malware Config

Extracted

Family

spynote

C2

157.245.144.27:5544

Targets

- Target
  
  cd7f319bb93fe00bed3320a1daa9f8abb9e28041c852e9d5e9fd39a8f0697622.bin
- Size
  
  4.8MB
- MD5
  
  68391aefdbc2eb6e95751e265eed030a
- SHA1
  
  0e1e2f5d1865562dc9f45811e02bb0ed74cfaefc
- SHA256
  
  cd7f319bb93fe00bed3320a1daa9f8abb9e28041c852e9d5e9fd39a8f0697622
- SHA512
  
  01d407c06e1d1e91727ea0b5c9901cd539a5fa25c2e7ea86b3500fc97fd5a3de049a8ade630ad5b9ab56fcb4b192562e75d47c9c2ff5b1db9fd7504386cd2ca5
- SSDEEP
  
  98304:AG8w5vYJle6S2kPEyQc0y4nQchzxf7V+c4yD9mMRU4ogp0iO:z8wWJq/Qc0y4LtD4Kwm0B
Score

1^/10
behavioral1 behavioral2 behavioral3
- Target
  
  childapp.apk
- Size
  
  3.7MB
- MD5
  
  a30215b6b6ef1404cb458435171da4f4
- SHA1
  
  88539501542764a7ce7c868a8da7103721a84622
- SHA256
  
  e6d22a70aa7ed388dff4fe920330249025244d925eb287613055f8dc2d6657c6
- SHA512
  
  c6a73ca018282d8ae489e7bdd0bb6bd1d7f3c11110af818ca707e0b4f4c45ec5be74d594285be9d9534d872d0a7fcc2852aeeb8e7258a8a65967270dad6f26aa
- SSDEEP
  
  49152:Xcgik5UzdGG/QTObmzOLWYqP0cg7FUqyQrTjtEYxoCKgxSzan4IkLotURth:XHUzBYTEmzOLe0t9yQrTfxoXIRUV
Score

7^/10

banker collection credential_access defense_evasion discovery evasion execution persistence impact
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries information about active data network
  discovery
- Queries the mobile country code (MCC)
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  defense_evasion
behavioral4 behavioral5 behavioral6