spynote | 29a97e6d45ef1c7b72b475db90f2f9f79e9ceac90bdf24322e9ed7b180175751 | Triage

Sharing

General

Target

client.apk
Size

760KB
Sample

250330-msenyaw1ey
MD5

49d4ef134bd0f640742023117e5c2e21
SHA1

5dcd927edaae792444bf01adc27e9cb744edb824
SHA256

29a97e6d45ef1c7b72b475db90f2f9f79e9ceac90bdf24322e9ed7b180175751
SHA512

327204a037726c2e98927b936d90289a3b00d2c72f8f1566e5b19d75281e77b1730e7aeb4b9ab87e39a28b9c3f8ec103d82488c2dafd637efc1a6e8711636592
SSDEEP

12288:ky1Ob1a1a8LreXKnvrDM/5WmpYshXZPbGwidNpgB9:kyGa1a2eXqrDM/5WmD9idNpA

Score

10^/10

spynote android banker defense_evasion discovery evasion impact persistence privilege_escalation stealth trojan

Malware Config

Extracted

Family

spynote

C2

193.161.193.99:1194

Targets

- Target
  
  client.apk
- Size
  
  760KB
- MD5
  
  49d4ef134bd0f640742023117e5c2e21
- SHA1
  
  5dcd927edaae792444bf01adc27e9cb744edb824
- SHA256
  
  29a97e6d45ef1c7b72b475db90f2f9f79e9ceac90bdf24322e9ed7b180175751
- SHA512
  
  327204a037726c2e98927b936d90289a3b00d2c72f8f1566e5b19d75281e77b1730e7aeb4b9ab87e39a28b9c3f8ec103d82488c2dafd637efc1a6e8711636592
- SSDEEP
  
  12288:ky1Ob1a1a8LreXKnvrDM/5WmpYshXZPbGwidNpgB9:kyGa1a2eXqrDM/5WmD9idNpA
Score

8^/10

banker defense_evasion discovery evasion impact persistence privilege_escalation stealth trojan
- Removes its main activity from the application launcher
  stealth trojan evasion
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
- Tries to add a device administrator.
  privilege_escalation impact
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Device Administrator Permissions

Defense Evasion

Foreground Persistence

Hide Artifacts

Suppress Application Icon

Credential Access

Discovery

Software Discovery

Security Software Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Account Access Removal

Tasks

static1

behavioral1

bankerdefense_evasiondiscoveryevasionimpactpersistenceprivilege_escalationstealthtrojan

behavioral2

bankerdefense_evasiondiscoveryevasionpersistencestealthtrojan

behavioral3

bankerdefense_evasiondiscoveryevasionimpactpersistenceprivilege_escalationstealthtrojan