Analysis
max time kernel: 176s
max time network: 185s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 21-05-2024 05:34
Behavioral task: behavioral1
Sample: com.apk
Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
Sample: daemon.apk
Resource: android-x86-arm-20240514-en
General
Target: com.apk
Size: 3.5MB
MD5: aa352c5e70e0df6074e373eddb240d7c
SHA1: 4100b9636a6506285beece6c0aa3ee8010ac05ff
SHA256: a2f0430bebf1a55da1d7aab31021a90b49290df5bead76ee49f27ee37bd1e03a
SHA512: 54a74fc04c7833a719c020f6749f06d3b2c04a3acc9eea4d5f273c9d6ef59ed9105cb2192edd66a07178612dadfcd347a25ad5fa3bf2df1f5e42aef08bd27d6e
SSDEEP: 98304:NxNsEwd3hahGKBS32sVBA3S9yEz0l19oDoZ:5hQahGKBhsVBkq167og
Malware Config
Extracted
Family: wyrmspy
Version: 8.1121.0
C2: https://8.219.55.216:443/control/
Signatures
WyrmSpy
WyrmSpy is Android spyware attributed to the APT41 group, first seen in 2017.
Processes:
pid: 4249; process: com.android.core.service.hms
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
description: Framework service call; ioc: android.app.IActivityManager.setServiceForeground; process: com.android.core.service.hms
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
description: Framework service call; ioc: android.net.wifi.IWifiManager.getConnectionInfo; process: com.android.core.service.hms
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
Reads the contacts stored on the device. (1 TTPs, 1 IoCs)
Processes:
description: URI accessed for read; ioc: content://com.android.contacts/contacts; process: com.android.core.service.hms
Reads the content of the call log. (1 TTPs, 1 IoCs)
Processes:
description: URI accessed for read; ioc: content://call_log/calls; process: com.android.core.service.hms
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes:
description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; process: com.android.core.service.hms
Checks if the internet connection is available (1 TTPs, 1 IoCs)
Processes:
description: Framework service call; ioc: android.net.IConnectivityManager.getActiveNetworkInfo; process: com.android.core.service.hms
Reads information about phone network operator. (1 TTPs)
Processes
com.android.core.service.hms
- Removes its main activity from the application launcher
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Reads the contacts stored on the device.
- Reads the content of the call log.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID: 4249
Network
MITRE ATT&CK Mobile v15
Downloads
/data/data/com.android.core.service.hms/cache/config
Filesize: 20KB
MD5: ec0699a2a426d8c8c9c76e33b0d1a186
SHA1: 8e0c8f4b7a650dab625431d8a79bccf3f899f1ca
SHA256: bdfce87fd3f04e6b49cb8c95cd20ed189997e8bdc383b4fa7655b37730b9db3d
SHA512: e3c9bb66b056336401406b33e4debf3de3c7b3b4d1f2328a64f2bf45a0d383de24a9ecacd68bdeb2756da5089d443ad605a8bfeaf7caa026091be65784b0c440
/data/data/com.android.core.service.hms/cache/config-journal
Filesize: 512B
MD5: 39db26453ae1d050bfe6e7cd7961a757
SHA1: 2222063cd49f8ee6e4a7410d050f9cff58a6613e
SHA256: 9672a35f0b2f0989161610f0eb5c703463c9874c4b6a96644db7d88c90ee912b
SHA512: 741b6cdd80a81a6b0f894a9df3c8bb2ced7563451d6db3173f4a68d12062f1f941b4a6179c33fcf96804cd03eb4f48fff6bf355d99623abdccd8435db19f7aa1
/data/data/com.android.core.service.hms/cache/config-shm
Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
/data/data/com.android.core.service.hms/cache/config-wal
Filesize: 32KB
MD5: 95dc9b24d1bc778ae3bf38bbf365fcd4
SHA1: bf9c34c1d66f4f20e9789c650241fe76bc47f106
SHA256: d5e22eaff8ba51b13a51ff0e853592a23b8069e7ebaa77b2fd9699fa80be4abc
SHA512: 055ee6d4c7315580386bdf6be0875e6ce0f150f07cfb9b37379f1c425e9ae5bd89058b352dacc42eb6bbe3d56d1f2c911fe878bb414e894f11fe6a958759fc92
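The four dropped files above carry SQLite's sidecar naming: "-journal" is the rollback journal, "-wal" the write-ahead log and "-shm" the wal-index shared-memory file. Those names only appear next to a SQLite database, so the 20KB "config" file is very likely the app's local SQLite store, and any rows committed into "config-wal" but not yet checkpointed are absent from "config" itself. The report does not include the files' bytes, so what follows is an added example (not code from the sandbox, the report, or the malware) that parses constructed SQLite and WAL headers with the offsets from the published SQLite file-format specification: it confirms the magic, reads the page size, journal mode and text encoding, and counts current-generation and commit frames in the WAL. The dict keys "config" and "config-wal" stand for the paths listed above; the byte contents are synthetic.

```python
"""Triage a SQLite 'config' database and its -wal sidecar as listed in the app's cache dir.

Added example, not part of the sandbox report: the sample bytes are constructed so the
parser runs offline; the real files' contents are not on the page.
"""
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"
WAL_MAGICS = {0x377F0682: "little", 0x377F0683: "big"}  # low bit selects checksum byte order
WAL_HEADER_LEN = 32
WAL_FRAME_HEADER_LEN = 24


def parse_db_header(data: bytes) -> dict:
    """Parse the 100-byte header at the start of a SQLite 3 main database file."""
    if len(data) < 100 or data[:16] != SQLITE_MAGIC:
        raise ValueError("not a SQLite 3 database")
    raw_page_size = struct.unpack_from(">H", data, 16)[0]
    page_size = 65536 if raw_page_size == 1 else raw_page_size
    write_ver, read_ver = data[18], data[19]            # 2/2 means WAL journal mode
    change_counter, page_count = struct.unpack_from(">II", data, 24)
    enc = struct.unpack_from(">I", data, 56)[0]
    return {
        "page_size": page_size,
        "page_count": page_count,
        "change_counter": change_counter,
        "journal_mode": "wal" if (write_ver, read_ver) == (2, 2) else "rollback",
        "encoding": {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}.get(enc, "unknown"),
    }


def parse_wal(data: bytes) -> dict:
    """Parse a -wal file: 32-byte header, then frames of (24-byte frame header + one page)."""
    if len(data) < WAL_HEADER_LEN:
        raise ValueError("WAL shorter than its header")
    magic, fmt_version, page_size, ckpt_seq, salt1, salt2 = struct.unpack_from(">6I", data, 0)
    if magic not in WAL_MAGICS:
        raise ValueError("bad WAL magic 0x%08x" % magic)
    frame_len = WAL_FRAME_HEADER_LEN + page_size
    valid = commits = stale = 0
    off = WAL_HEADER_LEN
    while off + frame_len <= len(data):
        _pgno, commit_size, f_salt1, f_salt2 = struct.unpack_from(">4I", data, off)
        # A frame belongs to the current WAL generation only if its salts match the header.
        if (f_salt1, f_salt2) != (salt1, salt2):
            stale += 1
        else:
            valid += 1
            if commit_size != 0:      # non-zero = commit record (db size in pages after the txn)
                commits += 1
        off += frame_len
    return {
        "checksum_order": WAL_MAGICS[magic],
        "format_version": fmt_version,
        "page_size": page_size,
        "checkpoint_seq": ckpt_seq,
        "valid_frames": valid,
        "commit_frames": commits,
        "stale_frames": stale,
        "trailing_bytes": len(data) - off,
    }


def triage_cache_db(files: dict) -> dict:
    """Combine the main-file and WAL views into the facts to settle before extracting rows."""
    db = parse_db_header(files["config"])
    wal = parse_wal(files["config-wal"])
    return {
        "db": db,
        "wal": wal,
        # Committed frames still in the WAL hold rows that are not yet in the main file.
        "wal_has_uncheckpointed_data": wal["commit_frames"] > 0,
        "page_size_consistent": db["page_size"] == wal["page_size"],
    }


def build_sample_db(page_size: int = 4096, pages: int = 5) -> bytes:
    """Constructed sample: header of a WAL-mode, UTF-8 database, zero-padded to `pages` pages."""
    hdr = bytearray(100)
    hdr[:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, page_size)
    hdr[18] = hdr[19] = 2                          # write/read version 2 = WAL
    hdr[21:24] = bytes([64, 32, 32])               # payload fractions, fixed by the spec
    struct.pack_into(">II", hdr, 24, 7, pages)     # change counter, size in pages
    struct.pack_into(">I", hdr, 44, 4)             # schema format number
    struct.pack_into(">I", hdr, 56, 1)             # text encoding: UTF-8
    return bytes(hdr) + b"\x00" * (page_size * pages - 100)


def build_sample_wal(page_size: int = 4096) -> bytes:
    """Constructed sample WAL: two current-generation frames (second is a commit) plus one stale frame."""
    salt1, salt2 = 0x11223344, 0x55667788

    def frame(pgno, commit_size, s1, s2):
        return struct.pack(">6I", pgno, commit_size, s1, s2, 0, 0) + b"\x00" * page_size

    wal = struct.pack(">8I", 0x377F0682, 3007000, page_size, 3, salt1, salt2, 0, 0)
    wal += frame(2, 0, salt1, salt2)
    wal += frame(3, 5, salt1, salt2)                # commit: database is 5 pages after this txn
    wal += frame(2, 5, 0xDEADBEEF, 0xCAFEBABE)      # leftover frame from an earlier salt generation
    return wal


if __name__ == "__main__":
    report = triage_cache_db({"config": build_sample_db(), "config-wal": build_sample_wal()})
    for key, value in report.items():
        print(key, value)
```

Run against the real artifacts, a non-zero commit_frames means the main "config" file on its own is incomplete: copy "config", "config-wal" and "config-shm" together before opening the database, or the rows written last (typically the most recent configuration the spyware received) will be missing from what you extract.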