ÐÂÐÍ°²×¿Ä¾ÂíSpyNoteÉú³ÉÆ÷Ôâй¶

¡¾Òƶ¯Í¨ÐÅÍø¡¿½üÈÕ£¬PaloAltoNetworksÍþвÇ鱨ÍŶÓUnit42Ðû²¼·¢ÏÖÒ»ÀàÐÂÐÍ°²×¿Ä¾ÂíSpyNote£¬¸ÃľÂí¿ÉÖ´ÐÐÔ¶³ÌÈëÇÖ¹¦ÄÜ£¬ÆäÉú³ÉÆ÷½üÈÕÔÚ¶à¸ö¶ñÒâÈí¼þÂÛ̳ÉÏÔâй¶¡£SpyNotedÓëÖªÃûµÄRAT(RemoteAdministrationTools,RAT)³ÌÐòOmniRatºÍDroidJackÏàÀàËÆ£¬Áî¶ñÒâÈí¼þËùÓÐÕßÄܹ»¶ÔAndroidÉ豸ʵʩԶ³Ì¹ÜÀí¿ØÖÆ¡£

ÓëÆäËûRATÒ»Ñù£¬SpyNoteÓÐÈçÏÂÖ÷ÒªÌØÕ÷£¬

ŸÎÞÐèRoot·ÃÎÊȨÏÞ

Ÿ°²×°ÐµÄAPK²¢¸üжñÒâÈí¼þ

Ÿ½«É豸ÉϵÄÎļþ¸´ÖƵ½µçÄÔÉÏ

Ÿä¯ÀÀÉ豸ÉÏÈ«²¿ÐÅÏ¢

Ÿ¼àÌýÉ豸À´µç

Ÿ»ñÈ¡É豸ÉϵÄÁªÏµÈËÁбí

Ÿ½èÖúÉ豸Âó¿Ë·ç¼àÌý»òÕß¼ÖÆÒôƵ

Ÿ¿ØÖÆÉ豸ÉãÏñÍ·

Ÿ»ñÈ¡IMEI´®ºÅ¡¢Wi-FiMACµØÖ·ÒÔ¼°ÊÖ»úÔËÓªÉÌÐÅÏ¢

Ÿ»ñÈ¡É豸×îºóÒ»¸öGPS¶¨Î»ÐÅÏ¢

Ÿ²¦´òµç»°

ͼһ£¬SpyNote¿ØÖÆÃæ°å

SpyNote°²×°°üÒªÇóÊܺ¦Õß½ÓÊܲ¢×¼ÐíSpyNoteÖ´ÐÐÖî¶à²Ù×÷£¬°üÀ¨£º±à¼­Îı¾ÐÅÏ¢¡¢¶Áȡͨ»°¼Ç¼ºÍÁªÏµ·½Ê½¡¢Ð޸Ļòɾ³ýSD¿¨ÄÚÈÝ£¬ÒÑÓÐÖ¤¾ÝÏÔʾSpyNote½«ÄÚÈÝÉÏ´«ÖÁ¶ñÒâÈí¼þ·ÖÎöÍøÕ¾VirusTotalºÍKoodous£¬ÈçÏ£¬

https://www.virustotal.com/en/file/f0646b94f1820f36de74e7134d0bb9719a87afa9f30f3a68a776

d94505212cbd/analysis/

Ÿhttps://analyst.koodous.com/apks/f0646b94f1820f36de74e7134d0bb9719a87afa9f30f3a68a776d94

505212cbd

·ÖÎö

°²×°³É¹¦ºó£¬SpyNote±ã½«¸ÃÓ¦ÓõÄͼ±ê´ÓÊܺ¦ÕßÉ豸ÉÏĨȥ£¬Õâ³ä·Ö±íÃ÷SpyNoteµÄÉú³ÉÆ÷Ó¦ÓÃÊÇÓÃ.NET¿ª·¢µÄ¡£

¸ÃÓ¦ÓÃδ×öÑÚÊδ¦Àí£¬Ò²²»ÊÜÈκÎÑÚÊι¤¾ß»ò±£»¤¹¤¾ßµÄ±£»¤¡£

ͼ¶þ£¬·´±àÒëSpyNoteÉú³ÉÆ÷

¼øÓÚʹÓõĶ˿ڱàºÅÓëÊÓƵÖУ¨ÊÓƵµØַΪhttps://www.youtube.com/watch?v=E9OxlTBtdkA£©ËùÑÝʾµÄºÁÎÞ¶þÖ£¬ÒÔ¼°ÉÏ´«³ÌÐò½ö½öÐÞ¸ÄÁËAPKµÄͼ±ê¶øÒÑ£¬ÉÏ´«³ÌÐòÔÚʹÓÃSpyNoteʱ¿É°´ÕÕ¸ÃÊÓƵÖÐËùÃèÊöµÄ·½·¨È¥²Ù×÷¡£

´ËÍ⣬¾­¹ýÅäÖ㬸ÃRAT¿Éͨ¹ýTCP¶Ë¿Ú2222½øÐÐC&CÔ¶³ÌÃüÁîÓë¿ØÖÆ£¨IPµØַΪ141.255.147.193£©µÄͨÐÅ£¬ÈçÏÂͼ£¬

ͼÈý£¬½èÖúCerberoprofilerʵÏÖDalvik×Ö½ÚÂëÊÓͼ

ͼËÄ£¬SpyNote¿ªÆôÌ×½Ó×ÖÁ´½Ó

»ùÓÚÎÒÃÇÒÑÕÆÎÕµÄÐÅÏ¢£¬ÏÖÔÚÎÒÃÇÒѾ­Á˽⵽¸Ã¶ñÒâÈí¼þʹÓÃÓ²±àÂëSERVER_IPºÍSERVER_PORTvalues£¨ÈçͼËÄËùʾ£©À´ÊµÏÖÌ×½Ó×ÖÁ´½Ó¡£ÎÒÃÇÏÖÔÚ¿ÉÒÔ½èÖúAndroguard(https://github.com/androguard/androguard)À´Éè¼ÆÒ»¿îC2ÐÅÏ¢ÌáÈ¡³ÌÐò£¬ÈçÏÂͼËùʾ£¬spynote.C2.py½Å±¾½«ÕâЩÊýÖµ´ÓAPKÎļþÖнâÎö³öÀ´£¬²¢½«ÆäÓ¦ÓÃÓÚÃüÁîÐÐÖУ¬ÈçͼÎåËùʾ¡£

ͼÎ壬ÌáÈ¡³öµÄÃüÁîÓë¿ØÖÆ·þÎñÆ÷ÐÅÏ¢

#!/usr/bin/python

importsys

fromsysimportargv

fromandroguard.core.bytecodesimportapk

fromandroguard.core.bytecodesimportdvm

#---------------------------------------------------

#_log:Printsoutlogsfordebugpurposes

#---------------------------------------------------

def_log(s):

print(s)

if__name__=="__main__":

if(len(sys.argv)<2):

_log("[+]Usage:%s[Path_to_apk]"%sys.argv[0])

sys.exit(0)

else:

a=apk.APK(argv[1])

d=dvm.DalvikVMFormat(a.get_dex())

forclsind.get_classes():

#if¡¯Ldell/scream/application/MainActivity;¡¯.lower()incls.get_name().lower():

if¡¯dell/scream/application/MainActivity;¡¯.lower()incls.get_name().lower():

c2=""

port=""

string=None

formethodincls.get_methods():

ifmethod.name==¡¯¡¯:

forinstinmethod.get_instructions():

ifinst.get_name()==¡¯const-string¡¯:

string=inst.get_output().split(¡¯,¡¯)[-1].strip("¡¯")

ifinst.get_name()==¡¯iput-object¡¯:

if"SERVER_IP"ininst.get_output():

c2=string

if"PORT"ininst.get_output():

port=string

ifc2andport:

break

server=""

ifport:

server="{0}:{1}".format(c2,str(port))

else:

server=c2

_log(¡¯C&C:[%s]¡¯%server)

½áÂÛ

°²×°µÚÈý·½Ó¦Óý«»áΣÏÕÖØÖØ£¬ÕâЩ×ÊԴȱÉÙÈçGooglePlayStoreÕâÑù¹Ù·½À´Ô´µÄ¼à¹Ü£¬¶øÇÒ£¬¼´Ê¹ÓÐÏ꾡µÄ²½ÖèºÍËã·¨À´È¥³ýÄÇЩ¶ñÒâÓ¦ÓóÌÐò£¬ÕâЩӦÓÃÒ²²¢·ÇÎÞи¿É»÷¡£ÅÔ¼ÓÔØÀ´×ÔÓÚÓÐÎÊÌâÀ´Ô´µÄÓ¦Ó㬻á°ÑʹÓÃÕßÒÔ¼°ËûÃÇʹÓõÄÒƶ¯É豸ÆضÓÚ¸÷Àà¶ñÒâÈí¼þºÍÊý¾Ý¶ªÊ§Î£ÏÕÖ®ÖС£

µ½ÏÖÔÚΪֹ£¬ÎÒÃÇ»¹Ã»Óп´µ½ÓÐÖ÷¶¯¹¥»÷ʹÓÃÁËSpyNote£¬µ«ÎÒÃǵ£ÐÄÍøÂç×ï·¸»áÒòΪSpyNoteµÄÇáËÉÒ׵öø¿ªÊ¼×÷¶ñ¡£ÏÖÔÚ£¬PaloAltoNetworksAutoFocusµÄÓû§¿ÉʹÓÃSpyNotetagÀ´¶Ô¸ÃľÂí½øÐÐÕç±ð¡£

ָʾÆ÷

SHA256ofSpyNoteSamples

85c00d1ab1905ab3140d711504da41e67f168dec837aafd0b6327048dd33215e

ed894f9c6f81e2470d76156b36c69f50ef40e27fd4e86d951613328cdbf52165

4fb2d8be58525d45684f9ffd429e2f6fe242bf5dbc2ed33625e3616d8773ed0d

98e2b14896e85362c31b1e05f73a3afddde09bd31123ca10ff1cc31590ac0c07

51e0d505fb3fba34daf4467ca496bca44e3611126d5e2709441756ba632487f0

4b60fff88949181e2d511759183cdf91578ece4a39cd4d8ec5da4015bb40cbed

c064679c42e31a4f340e6a1e9a3b6f653e2337aa9581f385722011114d00aa1e

3323ff4bcdb3de715251502dfb702547b6e89f7973104b3da648163b73b72eef

f0646b94f1820f36de74e7134d0bb9719a87afa9f30f3a68a776d94505212cbd

2ec734fd0f7320b32568ab9c229146a3dab08f951ca5c3114f6af6c77f621929

4e80d61994ee64dadc35af6e420230575553aba7f650bc38e04f3702b21d67c4

357ca2f1f3ea144bdd1d2122ec90ed187e8d63eb8a206794e249d5feb7411662

ac482e08ef32e6cb7e75c3d16a8ea31bcc9bf9400bd9f96b4ec6ed7d89053396

89a5ebf0317d9a3df545cfd3fbcb4c845ea3528091322fd6b2f7d84d7a7d8ae0


΢ÐÅɨÃè·ÖÏí±¾Îĵ½ÅóÓÑȦ
ɨÂë¹Ø×¢5GͨÐŹٷ½¹«ÖÚºÅ,Ãâ·ÑÁìÈ¡ÒÔÏÂ5G¾«Æ·×ÊÁÏ
  • 1¡¢»Ø¸´¡°YD5GAI¡±Ãâ·ÑÁìÈ¡¡¶ÖйúÒƶ¯£º5GÍøÂçAIÓ¦ÓõäÐͳ¡¾°¼¼Êõ½â¾ö·½°¸°×ƤÊé¡·
  • 2¡¢»Ø¸´¡°5G6G¡±Ãâ·ÑÁìÈ¡¡¶5G_6GºÁÃײ¨²âÊÔ¼¼Êõ°×ƤÊé-2022_03-21¡·
  • 3¡¢»Ø¸´¡°YD6G¡±Ãâ·ÑÁìÈ¡¡¶ÖйúÒƶ¯£º6GÖÁ¼òÎÞÏß½ÓÈëÍø°×ƤÊé¡·
  • 4¡¢»Ø¸´¡°LTBPS¡±Ãâ·ÑÁìÈ¡¡¶¡¶ÖйúÁªÍ¨5GÖն˰×ƤÊé¡·¡·
  • 5¡¢»Ø¸´¡°ZGDX¡±Ãâ·ÑÁìÈ¡¡¶ÖйúµçÐÅ5GNTN¼¼Êõ°×ƤÊé¡·
  • 6¡¢»Ø¸´¡°TXSB¡±Ãâ·ÑÁìÈ¡¡¶Í¨ÐÅÉ豸°²×°¹¤³ÌÊ©¹¤¹¤ÒÕͼ½â¡·
  • 7¡¢»Ø¸´¡°YDSL¡±Ãâ·ÑÁìÈ¡¡¶ÖйúÒƶ¯ËãÁ¦²¢Íø°×ƤÊé¡·
  • 8¡¢»Ø¸´¡°5GX3¡±Ãâ·ÑÁìÈ¡¡¶R1623501-g605GµÄϵͳ¼Ü¹¹1¡·
  • ±¾ÖÜÈȵ㱾ÔÂÈȵã

     

      ×îÈÈͨÐÅÕÐƸ

    Òµ½ç×îÐÂ×ÊѶ


      ×îÐÂÕÐƸÐÅÏ¢

    ×îм¼ÊõÎÄÕÂ

    ×îÐÂÂÛ̳Ìù×Ó