wyrmspy

General

Target

com.apk
Size

3.5MB
Sample

240521-f9e8gadd4y
MD5

aa352c5e70e0df6074e373eddb240d7c
SHA1

4100b9636a6506285beece6c0aa3ee8010ac05ff
SHA256

a2f0430bebf1a55da1d7aab31021a90b49290df5bead76ee49f27ee37bd1e03a
SHA512

54a74fc04c7833a719c020f6749f06d3b2c04a3acc9eea4d5f273c9d6ef59ed9105cb2192edd66a07178612dadfcd347a25ad5fa3bf2df1f5e42aef08bd27d6e
SSDEEP

98304:NxNsEwd3hahGKBS32sVBA3S9yEz0l19oDoZ:5hQahGKBhsVBkq167og

Score

10^/10

Malware Config

Extracted

Family

wyrmspy

Version

8.1121.0

C2

https://8.219.55.216:443/control/

Targets

- Target
  
  com.apk
- Size
  
  3.5MB
- MD5
  
  aa352c5e70e0df6074e373eddb240d7c
- SHA1
  
  4100b9636a6506285beece6c0aa3ee8010ac05ff
- SHA256
  
  a2f0430bebf1a55da1d7aab31021a90b49290df5bead76ee49f27ee37bd1e03a
- SHA512
  
  54a74fc04c7833a719c020f6749f06d3b2c04a3acc9eea4d5f273c9d6ef59ed9105cb2192edd66a07178612dadfcd347a25ad5fa3bf2df1f5e42aef08bd27d6e
- SSDEEP
  
  98304:NxNsEwd3hahGKBS32sVBA3S9yEz0l19oDoZ:5hQahGKBhsVBkq167og
Score

10^/10

wyrmspy collection discovery evasion infostealer persistence rat stealth trojan
- WyrmSpy
  WyrmSpy is an Android spyware used by APT41 group first seen in 2017.
  trojan infostealer rat wyrmspy
- Removes its main activity from the application launcher
  stealth trojan evasion
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries information about the current Wi-Fi connection
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Reads the contacts stored on the device.
  collection
- Reads the content of the call log.
  collection
- Registers a broadcast receiver at runtime (usually for listening for system events)
  persistence
- Checks if the internet connection is available
  discovery
- Reads information about phone network operator.
  discovery
behavioral1
- Target
  
  daemon.apk
- Size
  
  5.1MB
- MD5
  
  0443d4fc2d9ad56f9a8411ede1198d34
- SHA1
  
  38075a13e881690a7d8733710cc557556edf36cb
- SHA256
  
  ed61b5068e0af65cb3a53036e04672b1bc409e4c16019711e259023e9a928473
- SHA512
  
  188c04c3286c5bb3a7a0c23918d5527465ea26ed85eabdeede3fc54aa711f20b6abb21d359dfce547b3f384c90d58cf7c32c7235b287b73710c39f2816b72866
- SSDEEP
  
  98304:em29MwwcRrnSN+2GRfYJWO+fDkL+Ey1qe6SsYO:e37weRfpO0D43Y6SZO
Score

8^/10

collection credential_access evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Removes its main activity from the application launcher

Makes use of the framework's foreground persistence service

Queries information about the current Wi-Fi connection

Queries the phone number (MSISDN for GSM devices)

Reads the contacts stored on the device.

Reads the content of the call log.

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks if the internet connection is available

Reads information about phone network operator.

Makes use of the framework's Accessibility service

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2