spynote | 4b093a9477a7b8a9ff694f2a7721fd512443a0dc39d909101ab12171df7b9272 | Triage

Sharing

General

Target

4b093a9477a7b8a9ff694f2a7721fd512443a0dc39d909101ab12171df7b9272.bin
Size

4.4MB
Sample

250220-1wxktawpak
MD5

06455fecc05ed99ce2c86a92b0ff6dff
SHA1

660f54c9c43df9bd3a7b72016d925e5e3340a052
SHA256

4b093a9477a7b8a9ff694f2a7721fd512443a0dc39d909101ab12171df7b9272
SHA512

308b56eff4b29ffacfe61c054e1dd5829788f1e29c5a768839f1f7f2827e0b3f472f9a16b10ddef7f2d2319d02bc343dc3c6379c0f1f91fa9ca582d14a13da51
SSDEEP

98304:PmzBDTFmzjdP0teCjWLnyVxyMFHqdC6PhDehmYUtlI702Xtdx:iozBAzqQnt6PhDbYHo2X7x

Score

10^/10

spynote android banker collection credential_access defense_evasion discovery execution persistence

Malware Config

Targets

- Target
  
  4b093a9477a7b8a9ff694f2a7721fd512443a0dc39d909101ab12171df7b9272.bin
- Size
  
  4.4MB
- MD5
  
  06455fecc05ed99ce2c86a92b0ff6dff
- SHA1
  
  660f54c9c43df9bd3a7b72016d925e5e3340a052
- SHA256
  
  4b093a9477a7b8a9ff694f2a7721fd512443a0dc39d909101ab12171df7b9272
- SHA512
  
  308b56eff4b29ffacfe61c054e1dd5829788f1e29c5a768839f1f7f2827e0b3f472f9a16b10ddef7f2d2319d02bc343dc3c6379c0f1f91fa9ca582d14a13da51
- SSDEEP
  
  98304:PmzBDTFmzjdP0teCjWLnyVxyMFHqdC6PhDehmYUtlI702Xtdx:iozBAzqQnt6PhDbYHo2X7x
Score

7^/10

banker collection credential_access defense_evasion discovery execution persistence
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Input Injection

Credential Access

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdefense_evasiondiscoveryexecutionpersistence

behavioral2

bankercollectioncredential_accessdefense_evasiondiscoveryexecutionpersistence

behavioral3

bankercollectioncredential_accessdefense_evasiondiscoveryexecutionpersistence