Analysis
- max time kernel: 175s
- max time network: 184s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 21-05-2024 05:51
Behavioral task: behavioral1
- Sample: com.android.core.service.hms.apk
- Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
- Sample: daemon.apk
- Resource: android-x86-arm-20240514-en
General
- Target: com.android.core.service.hms.apk
- Size: 3.5MB
- MD5: aa352c5e70e0df6074e373eddb240d7c
- SHA1: 4100b9636a6506285beece6c0aa3ee8010ac05ff
- SHA256: a2f0430bebf1a55da1d7aab31021a90b49290df5bead76ee49f27ee37bd1e03a
- SHA512: 54a74fc04c7833a719c020f6749f06d3b2c04a3acc9eea4d5f273c9d6ef59ed9105cb2192edd66a07178612dadfcd347a25ad5fa3bf2df1f5e42aef08bd27d6e
- SSDEEP: 98304:NxNsEwd3hahGKBS32sVBA3S9yEz0l19oDoZ:5hQahGKBhsVBkq167og
Malware Config
Extracted
- Family: wyrmspy
- Version: 8.1121.0
- C2: https://8.219.55.216:443/control/
Signatures
- WyrmSpy
  WyrmSpy is Android spyware used by the APT41 group, first seen in 2017.
  Processes: com.android.core.service.hms (PID 4212)
- Makes use of the framework's foreground persistence service (TTPs: 1, IoCs: 1)
  The application may abuse the framework's foreground service to continue running in the foreground.
  IoC: framework service call android.app.IActivityManager.setServiceForeground (process com.android.core.service.hms)
- Queries information about the current Wi-Fi connection (TTPs: 1, IoCs: 1)
  The application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  IoC: framework service call android.net.wifi.IWifiManager.getConnectionInfo (process com.android.core.service.hms)
- Queries the phone number (MSISDN for GSM devices) (TTPs: 1)
- Reads the contacts stored on the device (TTPs: 1, IoCs: 1)
  IoC: URI accessed for read content://com.android.contacts/contacts (process com.android.core.service.hms)
- Reads the content of the call log (TTPs: 1, IoCs: 1)
  IoC: URI accessed for read content://call_log/calls (process com.android.core.service.hms)
- Registers a broadcast receiver at runtime (usually for listening for system events) (TTPs: 1, IoCs: 1)
  IoC: framework service call android.app.IActivityManager.registerReceiver (process com.android.core.service.hms)
- Checks if the internet connection is available (TTPs: 1, IoCs: 1)
  IoC: framework service call android.net.IConnectivityManager.getActiveNetworkInfo (process com.android.core.service.hms)
- Reads information about the phone network operator (TTPs: 1)
Processes
- com.android.core.service.hms (PID 4212)
  - Removes its main activity from the application launcher
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Reads the contacts stored on the device
  - Reads the content of the call log
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
Network
MITRE ATT&CK Mobile v15
Downloads
- Filesize: 20KB
  MD5: ec0699a2a426d8c8c9c76e33b0d1a186
  SHA1: 8e0c8f4b7a650dab625431d8a79bccf3f899f1ca
  SHA256: bdfce87fd3f04e6b49cb8c95cd20ed189997e8bdc383b4fa7655b37730b9db3d
  SHA512: e3c9bb66b056336401406b33e4debf3de3c7b3b4d1f2328a64f2bf45a0d383de24a9ecacd68bdeb2756da5089d443ad605a8bfeaf7caa026091be65784b0c440
- Filesize: 512B
  MD5: a5f3df49d1d35c26ce79e7b15e3dd227
  SHA1: 347d0fd73c871aa1ba5c29ae6c99e1d7afee661f
  SHA256: 37d4dbec4efb50680a7fa5eacf2ded031dd7fa09e252324cbfed1ffa7462b2a7
  SHA512: e9b2e02dee6aa4688388e07ffde432cc3ca3ffa46d81fbcb2e91eafe6ac15e48c24dcd6599c7d46703bc6fa56f816c6fb1267c1e0cb7909644e0788bdb80c690
- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- Filesize: 32KB
  MD5: a48301921b1e3027fa133ffcdf477c39
  SHA1: 4b3f4d58465bd9d99bef0c46fadbe6607dd34bef
  SHA256: fb1a6508a6eadd550519b7e1f24e88d30406973cdfc83a2baa859e7409c9fedd
  SHA512: be9781141414cc7562560ed23f811c467de97bcb999ef276e85e07af20ec3390257ce831e34d969d87ddad0935fade227f7df26c5579ac0bbff3e28f666fe064