Analysis

  • max time kernel
    175s
  • max time network
    184s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted
    21-05-2024 05:51

General

  • Target
    com.android.core.service.hms.apk
  • Size
    3.5MB
  • MD5
    aa352c5e70e0df6074e373eddb240d7c
  • SHA1
    4100b9636a6506285beece6c0aa3ee8010ac05ff
  • SHA256
    a2f0430bebf1a55da1d7aab31021a90b49290df5bead76ee49f27ee37bd1e03a
  • SHA512
    54a74fc04c7833a719c020f6749f06d3b2c04a3acc9eea4d5f273c9d6ef59ed9105cb2192edd66a07178612dadfcd347a25ad5fa3bf2df1f5e42aef08bd27d6e
  • SSDEEP
    98304:NxNsEwd3hahGKBS32sVBA3S9yEz0l19oDoZ:5hQahGKBhsVBkq167og

Malware Config

Extracted

Family

wyrmspy

Version

8.1121.0

C2

https://8.219.55.216:443/control/

Signatures

  • WyrmSpy

    WyrmSpy is Android spyware attributed to the APT41 group and first seen in 2017.

  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to keep running in the foreground.

  • Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)

    The application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Reads the contacts stored on the device (1 TTP, 1 IoC)
  • Reads the content of the call log (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime, usually to listen for system events (1 TTP, 1 IoC)
  • Checks if the internet connection is available (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)

Processes

  • com.android.core.service.hms (PID 4212)
    • Removes its main activity from the application launcher
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Reads the contacts stored on the device
    • Reads the content of the call log
    • Registers a broadcast receiver at runtime, usually to listen for system events
    • Checks if the internet connection is available

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.android.core.service.hms/cache/config
    Filesize: 20KB
    MD5: ec0699a2a426d8c8c9c76e33b0d1a186
    SHA1: 8e0c8f4b7a650dab625431d8a79bccf3f899f1ca
    SHA256: bdfce87fd3f04e6b49cb8c95cd20ed189997e8bdc383b4fa7655b37730b9db3d
    SHA512: e3c9bb66b056336401406b33e4debf3de3c7b3b4d1f2328a64f2bf45a0d383de24a9ecacd68bdeb2756da5089d443ad605a8bfeaf7caa026091be65784b0c440

  • /data/data/com.android.core.service.hms/cache/config-journal
    Filesize: 512B
    MD5: a5f3df49d1d35c26ce79e7b15e3dd227
    SHA1: 347d0fd73c871aa1ba5c29ae6c99e1d7afee661f
    SHA256: 37d4dbec4efb50680a7fa5eacf2ded031dd7fa09e252324cbfed1ffa7462b2a7
    SHA512: e9b2e02dee6aa4688388e07ffde432cc3ca3ffa46d81fbcb2e91eafe6ac15e48c24dcd6599c7d46703bc6fa56f816c6fb1267c1e0cb7909644e0788bdb80c690

  • /data/data/com.android.core.service.hms/cache/config-shm
    Filesize: 32KB
    MD5: bb7df04e1b0a2570657527a7e108ae23
    SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
    SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
    SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.android.core.service.hms/cache/config-wal
    Filesize: 32KB
    MD5: a48301921b1e3027fa133ffcdf477c39
    SHA1: 4b3f4d58465bd9d99bef0c46fadbe6607dd34bef
    SHA256: fb1a6508a6eadd550519b7e1f24e88d30406973cdfc83a2baa859e7409c9fedd
    SHA512: be9781141414cc7562560ed23f811c467de97bcb999ef276e85e07af20ec3390257ce831e34d969d87ddad0935fade227f7df26c5579ac0bbff3e28f666fe064