General

  • Target

    com.apk

  • Size

    3.5MB

  • Sample

    240521-f9e8gadd4y

  • MD5

    aa352c5e70e0df6074e373eddb240d7c

  • SHA1

    4100b9636a6506285beece6c0aa3ee8010ac05ff

  • SHA256

    a2f0430bebf1a55da1d7aab31021a90b49290df5bead76ee49f27ee37bd1e03a

  • SHA512

    54a74fc04c7833a719c020f6749f06d3b2c04a3acc9eea4d5f273c9d6ef59ed9105cb2192edd66a07178612dadfcd347a25ad5fa3bf2df1f5e42aef08bd27d6e

  • SSDEEP

    98304:NxNsEwd3hahGKBS32sVBA3S9yEz0l19oDoZ:5hQahGKBhsVBkq167og

Malware Config

Extracted

Family

wyrmspy

Version

8.1121.0

C2

https://8.219.55.216:443/control/

Targets

    • Target

      com.apk


    • WyrmSpy

      WyrmSpy is Android spyware used by the APT41 group, first seen in 2017.

    • Removes its main activity from the application launcher

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    • Queries the phone number (MSISDN for GSM devices)

    • Reads the contacts stored on the device.

    • Reads the content of the call log.

    • Registers a broadcast receiver at runtime (usually for listening for system events)

    • Checks if the internet connection is available

    • Reads information about the phone network operator.

    • Target

      daemon.apk

    • Size

      5.1MB

    • MD5

      0443d4fc2d9ad56f9a8411ede1198d34

    • SHA1

      38075a13e881690a7d8733710cc557556edf36cb

    • SHA256

      ed61b5068e0af65cb3a53036e04672b1bc409e4c16019711e259023e9a928473

    • SHA512

      188c04c3286c5bb3a7a0c23918d5527465ea26ed85eabdeede3fc54aa711f20b6abb21d359dfce547b3f384c90d58cf7c32c7235b287b73710c39f2816b72866

    • SSDEEP

      98304:em29MwwcRrnSN+2GRfYJWO+fDkL+Ey1qe6SsYO:e37weRfpO0D43Y6SZO
