Analysis

  • max time kernel
    176s
  • max time network
    185s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags

    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240514-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    21-05-2024 05:34

General

  • Target

    com.apk

  • Size

    3.5MB

  • MD5

    aa352c5e70e0df6074e373eddb240d7c

  • SHA1

    4100b9636a6506285beece6c0aa3ee8010ac05ff

  • SHA256

    a2f0430bebf1a55da1d7aab31021a90b49290df5bead76ee49f27ee37bd1e03a

  • SHA512

    54a74fc04c7833a719c020f6749f06d3b2c04a3acc9eea4d5f273c9d6ef59ed9105cb2192edd66a07178612dadfcd347a25ad5fa3bf2df1f5e42aef08bd27d6e

  • SSDEEP

    98304:NxNsEwd3hahGKBS32sVBA3S9yEz0l19oDoZ:5hQahGKBhsVBkq167og

Malware Config

Extracted

Family

wyrmspy

Version

8.1121.0

C2

https://8.219.55.216:443/control/
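
The following added example (not part of the sandbox report) turns the indicators above into a small matcher and runs it over constructed log lines: the C2 URL, the package name the sample runs under, and the APK SHA-256. One point it encodes: the C2 is HTTPS to a bare IP, so a forward proxy that does not intercept TLS logs only `CONNECT 8.219.55.216:443`, and the `/control/` path can only be confirmed where the full URL is visible (TLS interception, on-device capture, or the sandbox's own network log). The log lines, their field names and the client addresses are constructed for illustration.

```python
"""Match the indicators from this report against sample log lines.

Added example, not part of the report. The indicator values are copied from
the report; the log lines below are constructed, not real telemetry.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators taken from the report above.
C2_URL = "https://8.219.55.216:443/control/"
PACKAGE = "com.android.core.service.hms"
APK_SHA256 = "a2f0430bebf1a55da1d7aab31021a90b49290df5bead76ee49f27ee37bd1e03a"

_c2 = urlsplit(C2_URL)
C2_HOST, C2_PORT, C2_PATH = _c2.hostname, _c2.port, _c2.path

# Constructed sample lines (not from the report): a forward-proxy log without
# TLS interception (CONNECT shows only host:port), an intercepted request that
# exposes the full URL, a CONNECT to the same IP on a different port, an EDR
# file-hash event, and an unrelated URL that shares only the path.
SAMPLE_LOGS = [
    "2024-05-21T05:36:12Z proxy CONNECT 8.219.55.216:443 client=10.0.0.7",
    "2024-05-21T05:36:13Z proxy GET https://8.219.55.216:443/control/ client=10.0.0.7 status=200",
    "2024-05-21T05:37:01Z proxy CONNECT 8.219.55.216:8443 client=10.0.0.9",
    "2024-05-21T05:38:44Z edr file_hash sha256=" + APK_SHA256 + " path=/sdcard/Download/com.apk",
    "2024-05-21T05:39:00Z proxy GET https://example.org/control/ client=10.0.0.7 status=200",
]

CONNECT_RE = re.compile(r"\bCONNECT (?P<host>[\w.\-]+):(?P<port>\d+)")
URL_RE = re.compile(r"\b(?:GET|POST) (?P<url>https?://\S+)")
HASH_RE = re.compile(r"\bsha256=(?P<sha256>[0-9a-fA-F]{64})")


def classify(line: str) -> Optional[str]:
    """Return a verdict for a line that matches an indicator, else None."""
    m = CONNECT_RE.search(line)
    if m and m["host"] == C2_HOST and int(m["port"]) == C2_PORT:
        # Without TLS interception only host:port is visible; the /control/
        # path cannot be confirmed here, so this is the weaker match.
        return "c2-endpoint"
    m = URL_RE.search(line)
    if m:
        u = urlsplit(m["url"])
        if u.hostname == C2_HOST and (u.port or 443) == C2_PORT and u.path == C2_PATH:
            return "c2-url"
    m = HASH_RE.search(line)
    if m and m["sha256"].lower() == APK_SHA256:
        return "apk-hash"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, verdict) for every line that matches."""
    hits = []
    for i, line in enumerate(lines):
        verdict = classify(line)
        if verdict:
            hits.append((i, verdict))
    return hits


if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_LOGS):
        print(f"{verdict:12s} {SAMPLE_LOGS[idx]}")
```

The port check matters in both directions: a CONNECT to the same address on another port is not evidence of this C2 profile, and a different host with the same `/control/` path is not either, so neither of those constructed lines produces a verdict.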

Signatures

  • WyrmSpy

    WyrmSpy is Android spyware used by the APT41 group, first seen in 2017.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the contacts stored on the device 1 TTPs 1 IoCs
  • Reads the content of the call log 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks if the internet connection is available 1 TTPs 1 IoCs
  • Reads information about phone network operator 1 TTPs

Processes

  • com.android.core.service.hms (PID 4249)
    • Removes its main activity from the application launcher
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Reads the contacts stored on the device
    • Reads the content of the call log
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks if the internet connection is available

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.android.core.service.hms/cache/config
    Filesize

    20KB

    MD5

    ec0699a2a426d8c8c9c76e33b0d1a186

    SHA1

    8e0c8f4b7a650dab625431d8a79bccf3f899f1ca

    SHA256

    bdfce87fd3f04e6b49cb8c95cd20ed189997e8bdc383b4fa7655b37730b9db3d

    SHA512

    e3c9bb66b056336401406b33e4debf3de3c7b3b4d1f2328a64f2bf45a0d383de24a9ecacd68bdeb2756da5089d443ad605a8bfeaf7caa026091be65784b0c440

  • /data/data/com.android.core.service.hms/cache/config-journal
    Filesize

    512B

    MD5

    39db26453ae1d050bfe6e7cd7961a757

    SHA1

    2222063cd49f8ee6e4a7410d050f9cff58a6613e

    SHA256

    9672a35f0b2f0989161610f0eb5c703463c9874c4b6a96644db7d88c90ee912b

    SHA512

    741b6cdd80a81a6b0f894a9df3c8bb2ced7563451d6db3173f4a68d12062f1f941b4a6179c33fcf96804cd03eb4f48fff6bf355d99623abdccd8435db19f7aa1

  • /data/data/com.android.core.service.hms/cache/config-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.android.core.service.hms/cache/config-wal
    Filesize

    32KB

    MD5

    95dc9b24d1bc778ae3bf38bbf365fcd4

    SHA1

    bf9c34c1d66f4f20e9789c650241fe76bc47f106

    SHA256

    d5e22eaff8ba51b13a51ff0e853592a23b8069e7ebaa77b2fd9699fa80be4abc

    SHA512

    055ee6d4c7315580386bdf6be0875e6ce0f150f07cfb9b37379f1c425e9ae5bd89058b352dacc42eb6bbe3d56d1f2c911fe878bb414e894f11fe6a958759fc92
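
The four dropped files above follow SQLite's naming for a database ("config") in WAL mode ("config-wal", "config-shm") plus a rollback journal ("config-journal"). That is an inference from the names and sizes; the report does not state the format. It matters for acquisition: in WAL mode, committed rows live only in the -wal file until SQLite checkpoints them into the main file, so collecting "config" on its own can lose everything the sample wrote. The following added example (not part of the report) builds such a file set in a temporary directory, identifies each file by its header magic, and compares what is recoverable from the main file alone with what is recoverable when the WAL is collected alongside it. The table name and row contents are made up for the demonstration.

```python
"""Why the -wal companion of a dropped SQLite database must be collected.

Added example, not part of the sandbox report. Builds a WAL-mode database in
a temp directory (table and rows are constructed), then reads back two
"acquisitions": the main file alone, and the main file plus its WAL.
"""
import os
import shutil
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"                    # main database, bytes 0-15
WAL_MAGICS = (b"\x37\x7f\x06\x82", b"\x37\x7f\x06\x83")  # WAL header, bytes 0-3
JOURNAL_MAGIC = b"\xd9\xd5\x05\xf9\x20\xa1\x63\xd7"      # rollback journal, bytes 0-7


def identify(path: str) -> str:
    """Classify a file by its header, independent of its name."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(SQLITE_MAGIC):
        return "sqlite-db"
    if head[:4] in WAL_MAGICS:
        return "sqlite-wal"
    if head[:8] == JOURNAL_MAGIC:
        return "sqlite-journal"
    if path.endswith("-shm"):
        return "sqlite-shm"  # mmap'd wal-index; no magic, rebuilt from the WAL
    return "unknown"


def recoverable_rows(db_path: str, table: str = "config") -> int:
    """Rows visible when opening a *copy* of the database (never the original)."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute(f"SELECT count(*) FROM {table}").fetchone()[0]
    except sqlite3.Error:
        return 0  # table absent or database unreadable: nothing recoverable
    finally:
        con.close()


def demo(n_rows: int = 50) -> dict:
    work = tempfile.mkdtemp()
    src = os.path.join(work, "config")
    # Keep the writer open: closing it would checkpoint and delete the WAL,
    # which is exactly what has not happened on a live device.
    writer = sqlite3.connect(src)
    writer.execute("PRAGMA journal_mode=WAL")
    writer.execute("CREATE TABLE config(k TEXT, v TEXT)")
    writer.executemany("INSERT INTO config VALUES (?, ?)",
                       [(f"key{i}", f"value{i}") for i in range(n_rows)])
    writer.commit()

    kinds = {name: identify(os.path.join(work, name))
             for name in ("config", "config-wal", "config-shm")}

    # Acquisition 1: only the main file was collected.
    only_main = os.path.join(work, "only_main")
    os.mkdir(only_main)
    shutil.copy(src, os.path.join(only_main, "config"))

    # Acquisition 2: main file and WAL collected together (the -shm index is
    # rebuilt by SQLite from the WAL, so it is not required).
    with_wal = os.path.join(work, "with_wal")
    os.mkdir(with_wal)
    for name in ("config", "config-wal"):
        shutil.copy(os.path.join(work, name), os.path.join(with_wal, name))

    result = {
        "kinds": kinds,
        "rows_main_only": recoverable_rows(os.path.join(only_main, "config")),
        "rows_with_wal": recoverable_rows(os.path.join(with_wal, "config")),
    }
    writer.close()
    shutil.rmtree(work, ignore_errors=True)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the table itself was created after the switch to WAL mode, even the schema sits in the WAL here, so the main-file-only copy yields nothing; a database that has been checkpointed once will show older rows from the main file and still miss the most recent writes. Hash and preserve all four files together, and do not open the originals with a writable connection, since SQLite will checkpoint or rebuild the companions on open.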